At our recent Innovation & IT Community Virtual Event – Stewart Kerr, Director of Architecture and Modernisation, Australian Electoral Commission (AEC), strategies for preparing APIs for a national critical event
The nature of technology and elections
There are many technologies that have been designed to improve our lives and enhance the way we interact and communicate, from laptops and mobile phones to smart devices and virtual assistants. Many of them are underpinned by Application Programming Interfaces, or APIs, which work behind the scenes but ensure that the devices operate the way they are supposed to. In fact, APIs are so prevalent and versatile that they are used even in fields or workplaces that might at first seem unlikely.
Generally, APIs are the back-end software processes that allow devices to run, and they are regular and consistent. They are so prevalent and versatile in the fact that they are used even in fields or workplaces that might at first seem unlikely. As Stewart Kerr, the Director of Architecture and Modernisation at the Australian Electoral Commission (AEC) says, they are used at the AEC as well but on an irregular basis. After all, federal elections in particular are the ultimate example of being “on-demand. The Prime Minister can announce the election on any date of their choosing and then the AEC has 33 days to deliver one of Australia’s largest logistics exercises.” By their nature, therefore, federal elections are irregular, but when they happen, “they are incredibly complex operating environments. They are high stakes and high profile events with basically a zero tolerance for failure.” On top of that, there is “very strict legislation that controls the way elections operate,” and that includes the fact that they have to be “paper-based.” So much so that “it can often be hard for technology to break through” because unlike a normal working environment, “we have systems that we get to use for just a few days every three years. Essentially every election is about elasticity and massive scale.”
Federal elections are in fact so massive that “we go from 780 staff to over 100,000 staff in just a few days. As an organisation, we also go from about 90 business locations around the country to over 8,000.” This extends to other areas too. For instance, people are always encouraged to “get on the electoral roll,” but during a normal year, the AEC “might process about 3 million enrolments a year.” However, after an election is announced, “we process over a million enrolments in the first seven days.” Much of that is done through the website. Whereas normally there might only be a few visits a month, “we get over a billion hits during the election period and can have 80 to 100 million hits in just a couple of hours on election night.” On top of all that, “we print and distribute 50 million ballot papers and answer around 500,000 phone calls from the public during each election cycle.”
Despite the elasticity and the complexity, “the core of everything the AEC does is electoral integrity. Our job is really to ensure that the elections are fair, open, and transparent.” Part of that integrity is about “providing the public with a real-time view of election results.” Yet despite the significant number of visitors to the AEC website, most people actually get their election news from TV or the websites of the TV networks or newspapers. However, it is the AEC that provides most of the information that those media companies rely on. “This is of course where APIs come to the rescue.”
APIs to the rescue
To provide the real-time view that is demanded, the AEC “develops a suite of APIs that let us deliver that stream of election results” both for the public and for the media. Like everything at the AEC though, the APIs also need to be “useful on-demand. They must handle huge amounts of traffic in a very short period of time, and the results they provide must be accurate and correct.”
APIs are obviously complex pieces of software, but “they’re not – or shouldn’t be – just about code.” At the AEC, “we need to consider legislation, and how people are going to use the APIs.” In other words, “you need to take a holistic view.”
“Even with the best API code ever written, if you’re not providing the information that people want in the way want it, and if you’re not supporting them through the process, then the value of your service is going to be significantly diminished.”
says Stewart Kerr, Director of Architecture and Modernisation, Australian Electoral Commission (AEC)
To take that holistic view, and to be successful in the deployment of APIs, there are a number of lessons that the AEC has learned. For instance, “we always go out and initially co-design the API with our end consumers.” The truth is “we actually don’t get to see our customers that often.” They interact with the AEC when they first enrol or when they re-enrol if they move house, and on election day, but most people just fill in their ballots and leave. So the requirements are very different for regular citizens, TV networks, internet companies, and news providers. “But it’s important that we bring them altogether and produce an API that has both broad reach and also useful application to those end consumers. That means we always design for scale and availability from the outset.” The AEC has come to learn “that you can never completely understand or predict how third parties might utilise your API.”
On top of that, testing is critical. For the AEC, where failure is not an option, “quality assurance is taken very seriously.” It is taken so seriously that “we even test during an election.” Based on the last federal election, there were three main testing periods: “a live disaster recovery test of our election results system prior to them being used, a full dress rehearsal with our media partners and all of our staff, and then on election night itself.” In each case, the “system is under a substantial amount of load and we want to know if there’s going to be a problem, what a failure might look like, and how we might need to respond to it.” But more than that, it is about “having fit-for-purpose support arrangements for your API.” For instance, the amount of risk goes up every day of the election cycle and by election day “we might have 24/7 support in place.” On top of that, on the day itself “all of our key technology partners sit in the room with us so if there’s an issue, they are there to help us solve it.”
Aside from all of these plans and preparations, “the threat environment is constantly changing and evolving, with cyberattacks on government entities becoming more common. The threats are just a mouse click away from anyone who’s got hostile intentions and access to the internet.” So the key is to “bake security in at all stages,” from ideation to implementation and beyond. “We do a lot of work immediately after the election to capture learnings from all of our stakeholders,” including on methods to best combat future security threats. Although security is often seen as a threat or a blocker, “the AEC mantra is that security is actually an enabler. It’s an absolutely essential aspect for successful implementation.” In fact, in order to “manage our risks, we intentionally over engineer our solutions” and use mitigation strategies of a higher classification. “That means we are as protected as we can be.”
