You may think that the UK’s old-fashioned pencil and paper-based electoral system is mercifully immune to cyber disruption, but GCHQ’s National Cyber Security Centre (NCSC) has warned that some areas of the British electoral system could still be vulnerable to cyber operations, ahead of local elections scheduled for May 3, 2018.
In recent years there have been widespread incidents of cyber attacks, using a variety of techniques, timed to coincide with elections around the world, the NCSC noted. The majority were distributed denial of service (DDoS) attacks against government and media websites, but others were designed to steal data, or to alter or disrupt the publication of election results.
It listed three risks: DDoS attacks, particularly against electoral, government or media websites, making them unavailable at key moments during an electoral campaign (for example shortly before the deadline for voter registration, or on election day itself); spear phishing to access internet-connected voter databases; and attempts to alter or remove information published online, or to publish falsified information or information obtained through hacking.
“In periods of heightened pressure, attackers can exploit your staff’s willingness to help citizens and those involved in running the election,” the report warns, saying that “individuals involved in electoral processes in the UK are required to show integrity and discretion, but a small number of people may intend to exploit their access for their own, unauthorised purposes (known as insider activity). An insider may seek to manipulate or compromise electoral information or processes for financial gain [or] ideological reasons.”
The warning comes as the Information Commissioner’s Office (ICO) was today belatedly anticipated to raid the offices of Cambridge Analytica, which is accused of illegally harvesting Facebook user data to help influence elections.
Information Commissioner Elizabeth Denham said: “On 7 March, my office issued a Demand for Access to records and data in the hands of Cambridge Analytica. Cambridge Analytica has not responded by the deadline provided; therefore, we are seeking a warrant to obtain information and access to systems and evidence related to our investigation.” The raid has been delayed by a High Court judge adjourning the ICO’s application for a warrant.
Concerns about interference in UK elections have been rising, with a report by Parliament’s Public Administration and Constitutional Affairs Committee (PACAC), entitled Lessons from the EU referendum, saying: “Lessons in respect of the protection and resilience against possible foreign interference in IT systems that are critical for the functioning of the democratic process must extend beyond the technical.”
The committee added: “The US and UK understanding of ‘cyber’ is predominantly technical and computer-network based. For example, Russia and China use a cognitive approach based on understanding of mass psychology and of how to exploit individuals.”
The NCSC urged regular back-ups of EMS data stores (in particular the electoral roll itself), with officers holding these offline in a separate secure location. It also called for infrastructure used by local authorities (and other electoral organisations) to be well maintained, using modern software and hardware, and kept patched, and for end user devices, such as those used by staff to manage the electoral roll, to be corporately managed.