As the Conservative Party prepares to elect a new leader, the online voting system that could be used to determine Britain’s next prime minister may not be secure, analysts have warned. With the contest to replace Liz Truss already underway and set to last just a week, deploying a virtual voting system at such short notice could prove “dangerous”, one expert told Tech Monitor, particularly as cybercriminals may be seeking to take advantage of the political chaos in the UK.
Following Truss’s resignation yesterday, the Conservatives announced that a week-long leadership contest will take place culminating next Friday. It has been widely reported that MPs will seek to narrow the field down to one candidate to avoid a vote by party members.
However, if two candidates reach the nomination threshold of 100 MPs and cannot be separated, a three-day online vote of the 172,000 Conservative members will take place to determine the winner. Former chancellor Rishi Sunak, leader of the House of Commons Penny Mordaunt, and ex-prime minister Boris Johnson are all in the running for the job.
Is the Conservative online voting system safe?
During this summer’s leadership election, which saw Truss beat Sunak, there was some alarm raised that the online voting system being used by the Tories could be hijacked by those wishing to influence the election. The National Cyber Security Centre (NCSC) caused the election to be delayed by three days after voicing its concerns about the process.
Tory Party Chairman Jake Berry said he believes the system is safe. “Without going into the security measures we will take, for reasoning I’m sure we will understand. We are satisfied that the online voting system is secure,” he told The Telegraph.
The NCSC said it would lend its support to ensuring any online vote goes off without a hitch: “Defending UK democratic and electoral processes is a priority for the NCSC and we work closely with all parliamentary political parties, local authorities and MPs to provide cybersecurity and guidance and support,” an agency statement said.
Other MPs seem less confident. Labour MP Chris Bryant stated his misgivings on Twitter yesterday, saying, “I cannot understand why anyone would run an online ballot with three days of preparation and expect it to go well and unhacked.”
Security analysts are also nervous about different elements of the online voting system. “The system seemingly was secure from what we saw a few weeks ago, but [then] they had ten weeks to play with,” explains Jake Moore, global cybersecurity adviser at security company ESET. “Giving themselves less than a week is extremely dangerous, it increases the risk.”
Nation state-backed cybercriminals could see the contest as an opportunity to launch a high-profile attack, he says, adding that Truss’s chaotic 44 days in office will have increased the UK’s profile in the cybercrime world. “It raises a flag, putting a target on the UK,” he says. “That’s the embarrassment and the potential worry.”
“Nation-state [hackers] are good at seeing opportunities like this. And that opportunity may not have been assessed correctly by our security process because there’s so much going on.”
An attack on the voting system could be damaging to public trust in the process, Moore argues. “It’s possible it would undermine confidence we have with government systems. As soon as that goes, it can take years to repair,” he says. “The next time it’s used, even if it’s watertight, you’ll still have people and potentially other parties questioning how the processes were adhered to.”
The size of the vote makes it even easier to manipulate, adds Dan McLoughlin, field CTO of cybersecurity company OneSpan. “These votes will not be national, this is a very small subset of the electorate,” he says. “As such this means that a strategically important vote with potential interest from bad actors is being held with what we could speculate to be average corporate security levels.”
Elections a common target for hackers
The NCSC’s concern in August stemmed from the fact members could go back into the system and change their vote if they changed their mind on their favoured candidate. This was viewed as a security risk, and has now been remedied.
But there may be other flaws that have not been dealt with. “A state-sponsored attack may find any number of holes in the system,” McLoughlin says.
Russia, China and Iran have all been accused of attempting to hack into and manipulate elections around the world. The FBI and the US Cybersecurity and Infrastructure Security Agency released a joint advisory earlier this month detailing that cybercriminals are “likely to use misinformation tactics” during the 2022 midterm elections in the US.
The advisory warns of the risks of “malicious cyber activity targeting election infrastructure,” adding that it is on high alert for potential threats during election time.