The confidence in the UK’s electoral authority has been shaken after a malicious cyber-attack that targeted the records of 40 million voters went undetected for a year. Shockingly, the public was not informed of this breach until 10 months later. While the attack was discovered in October of the following year and promptly reported to the Information Commissioner’s Office (ICO) and the National Crime Agency, the general public has only recently become aware that their sensitive data may have been accessible during this extended period.
The Electoral Commission, acknowledging its inability to accurately determine the extent of the compromised information, has revealed that much of the accessed data was already publicly available. However, the commission has recognized the valid concerns of voters and has emphasized that influencing the outcomes of the UK’s primarily paper-based electoral process would be challenging but not impossible.
Experts in the field of cybersecurity have identified Russia as the primary suspect in this attack. Former GCHQ director David Omand and former head of MI6 Sir Richard Dearlove both implicated the Kremlin as the likely culprit. The attackers were able to obtain comprehensive copies of the electoral registers, which are used for research and the verification of political donations. These registers contain the names and addresses of all UK voters registered between 2014 and 2022. Furthermore, the commission’s email system was vulnerable during the cyber-attack.
It is worth noting that the private details of anonymous voters and the addresses of overseas voters were not compromised in this breach. However, the repercussions of this attack have already raised concerns about the integrity of the UK’s electoral mechanisms. While the National Crime Agency has pledged to protect the nation’s democratic processes and strengthen the resilience of the electoral system, doubts remain about the adequacy of these efforts.
Paige Mullen, a Criminologist and Cybercrime Advisor, commented on the breach, stating that it diminishes public confidence in trusted entities. With 40 million registered voters affected, the breach is significant and the delayed notification has only exacerbated the concerns of those whose data was compromised. Mullen also highlighted the need for the Electoral Commission to rebuild trust and assure voters that measures are being implemented to prevent future attacks.
Andrew Bolster, a senior manager at the Synopsys Software Integrity Group, emphasized the risks associated with this intrusion into the internal electoral register. The exposure of registrants’ records, particularly those who had opted out of the public register, could pose significant threats if correlated with other datasets such as credit records and company registration data. Bolster stressed the importance of establishing and enforcing defense-in-depth and layers of access control to protect such data.
Nadir Izrael, CTO and co-founder of Armis, highlighted the unsettling reality of cyberwarfare and its potential impact on critical systems like the electoral process. He called for providers of critical services to review their risk assessments and adopt proactive strategies to ensure operational resilience. Izrael also noted the importance of private companies and governments working together to build a resilient infrastructure.
Darren James, Senior Product Manager at Specops Software, noted that attacks on government agencies are often carried out by nation-state-sponsored actors. The purpose is usually to undermine public faith in the target government and cause reputational scandal rather than financial damage. He expressed concerns that the attack remained undetected for over a year and that the public was not informed sooner.
Brad Freeman, Director of Technology at SenseOn, reassured the public that the UK’s paper-based electoral system is resilient to wide-scale tampering. However, he acknowledged that large databases like the electoral roll are valuable for information collection by nation-states. Freeman also pointed out the challenge of balancing innovation and risk management in government IT systems, which are often fragmented and may not adhere to the same security standards.
Nathan Dove, Team Leader at Pentest People, raised concerns about the vulnerability of critical infrastructure to cyber-attacks. He emphasized the need for robust security measures to ensure the protection of sensitive data and the resilience of critical systems.
Overall, the cyber-attack on the UK Electoral Commission has raised significant concerns about the integrity of the country’s electoral mechanisms. The revelation of this breach, coupled with the delayed public notification, has eroded confidence in the electoral authority. It is crucial for the commission to take immediate action to rebuild trust and implement measures to prevent future attacks. Additionally, a collaborative effort between private companies and governments is necessary to establish a resilient infrastructure that can withstand cyber threats and protect the democratic processes of the nation.