October 21, 2022 (updated 31 Oct 2022 12:01pm)

Security concerns over online voting system that could be used to pick new UK prime minister

Pushing through an online voting system with such little time to test security could be risky, experts say.

By Claudia Glover

As the Conservative Party prepares to elect a new leader, the online voting system that could be used to determine Britain’s next prime minister may not be secure, analysts have warned. With the contest to replace Liz Truss already underway and set to last just a week, deploying a virtual voting system at such short notice could prove “dangerous”, one expert told Tech Monitor, particularly as cybercriminals may be seeking to take advantage of the political chaos in the UK.

Implementing an online vote so quickly could have serious consequences. (Photo by Nigel J. Harris/Shutterstock)

Following Truss’s resignation yesterday, the Conservatives announced that a week-long leadership contest will take place culminating next Friday. It has been widely reported that MPs will seek to narrow the field down to one candidate to avoid a vote by party members.

However, if two candidates reach the nomination threshold of 100 MPs and cannot be separated, a three-day online vote of the 172,000 Conservative members will take place to determine the winner. Former chancellor Rishi Sunak, leader of the House of Commons Penny Mordaunt, and ex-prime minister Boris Johnson are all in the running for the job.

Is the Conservative online voting system safe?

During this summer’s leadership election, which saw Truss beat Sunak, there was some alarm raised that the online voting system being used by the Tories could be hijacked by those wishing to influence the election. The National Cyber Security Centre (NCSC) caused the election to be delayed by three days after voicing its concerns about the process.

Tory Party Chairman Jake Berry said he believes the system is safe. “Without going into the security measures we will take, for reasoning I’m sure we will understand. We are satisfied that the online voting system is secure,” he told The Telegraph.

The NCSC said it would lend its support to ensuring any online vote goes off without a hitch: “Defending UK democratic and electoral processes is a priority for the NCSC and we work closely with all parliamentary political parties, local authorities and MPs to provide cybersecurity and guidance and support,” an agency statement said.

Other MPs seem less confident. Labour MP Chris Bryant stated his misgivings on Twitter yesterday, saying, “I cannot understand why anyone would run an online ballot with three days of preparation and expect it to go well and unhacked.”

Security analysts are also nervous about different elements of the online voting system. “The system seemingly was secure from what we saw a few weeks ago, but [then] they had ten weeks to play with,” explains Jake Moore, global cybersecurity adviser at security company ESET. “Giving themselves less than a week is extremely dangerous, it increases the risk.”

Nation state-backed cybercriminals could see the contest as an opportunity to launch a high-profile attack, he says, adding that Truss’s chaotic 44 days in office will have increased the UK’s profile in the cybercrime world. “It raises a flag, putting a target on the UK,” he says. “That’s the embarrassment and the potential worry.”

“Nation-state [hackers] are good at seeing opportunities like this. And that opportunity may not have been assessed correctly by our security process because there’s so much going on.”

An attack on the voting system could be damaging to public trust in the process, Moore argues. “It’s possible it would undermine confidence we have with government systems. As soon as that goes, it can take years to repair,” he says. “The next time it’s used, even if it’s watertight, you’ll still have people and potentially other parties questioning how the processes were adhered to.”

The size of the vote makes it even easier to manipulate, adds Dan McLoughlin, field CTO of cybersecurity company OneSpan. “These votes will not be national, this is a very small subset of the electorate,” he says. “As such this means that a strategically important vote with potential interest from bad actors is being held with what we could speculate to be average corporate security levels.”

Elections a common target for hackers

The NCSC’s concern in August stemmed from the fact members could go back into the system and change their vote if they changed their mind on their favoured candidate. This was viewed as a security risk, and has now been remedied.

But there may be other flaws that have not been dealt with. “A state-sponsored attack may find any number of holes in the system,” McLoughlin says.

Russia, China and Iran have all been accused of attempting to hack into and manipulate elections around the world. The FBI and the US Cybersecurity and Infrastructure Security Agency released a joint advisory earlier this month detailing that cybercriminals are “likely to use misinformation tactics” during the 2022 midterm elections in the US.

The advisory warns of the risks of “malicious cyber activity targeting election infrastructure,” adding that it is on high alert for potential threats during election time. 

