Comelec to create own cybersecurity unit

THE Commission on Elections (Comelec) will form its own cybersecurity department to protect voters and vital election-related information from cyberattacks.

Comelec spokesman John Rex Laudiangco said over the weekend that the cybersecurity division, which will be under the poll body’s Information Technology department, is part of ongoing structural reforms to enable the Comelec to keep pace with fast-changing technology.

“We continuously strengthen our technological capability. It includes ‘hardening of hardware’ and ‘escalation of encryption in all programs and software’ of all our systems in the Comelec directly related to elections and related daily operations,” Laudiangco said.

The Comelec and its election-technology provider Smartmatic Inc. have recently been cleared by the National Privacy Commission (NPC) of allegations that their servers had been breached, which affected vital information that could be used in identity fraud.

The case stemmed from published reports that the Comelec and Smartmatic’s system was hacked months before the 2022 elections.

In a decision dated Sept. 22, 2022, the NPC said the breach did not involve sensitive personal information or information that could be used for identity fraud.

Laudiangco said that long before the decision, the Comelec, in compliance with the Data Privacy Act of 2021 (Republic Act 10173), had already implemented its own Data Privacy Management Policies which was also approved by the NPC.

“All public data in our possession are secured and safe, especially information related to elections,” Laudiangco assured.

Before and during last year’s elections, the Department of Information and Communications Technology (DICT) reported more than 20,000 attempts to infiltrate the Comelec website, he said.

The last attempts were made on May 8 and 9.

“There were lots of attempts to attack the Comelec website but all of these were denied by the DICT,” Laudiangco said.

Through constant monitoring, the DICT was able to identify certain internal protocols (IPs) used by the hackers, he said.

The IP address is a unique string of characters that identifies each computer using the IP to communicate over a network.

The DICT has yet to confirm if the attempted attacks were made from within or outside the country, or both.

The Comelec website had been hacked twice in the past, the last of which was two days before the 2022 elections.

The hackers were able to deface the Comelec website but were not able to get into sensitive Comelec records.

The hackers were later arrested by the National Bureau of Investigation.