Confidence in the UK’s electoral authority has been cast into doubt following the revelation of a malicious cyber-attack that infiltrated the records of 40 million voters, remaining undetected for a year. Shockingly, this breach was not disclosed to the public until a full 10 months later.
Although the attack was detected in October of the subsequent year, and promptly reported to both the Information Commissioner’s Office (ICO) and the National Crime Agency within a 72-hour timeframe, the general public has only recently been made aware that the electoral records containing the sensitive data of millions of voters might have been accessible during this extended period.
Acknowledging its inability to definitively ascertain the extent of the compromised information, the Electoral Commission has disclosed that much of the accessed data was already publicly available. While maintaining that influencing the outcomes of the UK’s primarily paper-based electoral process would be challenging, the commission has acknowledged the valid concerns of voters.
Former GCHQ director David Omand identified Russia as a primary suspect, while Sir Richard Dearlove, former head of MI6, echoed this sentiment, placing the Kremlin squarely at the top of the list of potential culprits.
The attackers managed to obtain comprehensive copies of the electoral registers, which the commission retains for research and the verification of political donations. These registers encompass the names and addresses of all UK voters registered between 2014 and 2022. Additionally, the commission’s email system was susceptible during this cyber-attack.
Although the complete register held by the Electoral Commission is open to public inspection, it can only be accessed locally through electoral registration officers, and handwritten notes are the only permissible form of documentation. The data contained therein is strictly prohibited from being utilized for commercial or marketing purposes.
It’s worth noting that the private details of anonymous voters and the addresses of overseas voters were not within the intruders’ reach in the compromised IT system.
The repercussions of this attack have already raised concerns regarding the integrity of the UK’s electoral mechanisms. While the National Crime Agency has asserted its commitment to safeguarding the nation’s democratic processes and prioritising the reinforcement of electoral system cyber-resilience, questions about the adequacy of these efforts linger.
The Guru reached out to several cyber experts to get their take on the breach.
Paige Mullen, Criminologist and Cybercrime Advisor at Advanced Cyber Defence Systems (ACDS):
“This is an example of how data breaches can reduce public confidence in entities that they would usually trust. With 40 million registered voters having data compromised, it is not a small breach. It also seems that those whose data has been compromised are not happy that they are only finding out about it 10 months later, as their sensitive information has been accessed by cybercriminals for such a long time before they can do anything about it. It has since been learnt that the reason for this was due to needing to ensure that the threat actors were removed from the system.
“Without more information, it is hard to know the motivation behind the attack, but many suspect that Russia could have something to do with it, and financial gain was not the primary motive. The Electoral Commission will now have to work on rebuilding trust and any reputational damage caused by the breach and inform voters that they are implementing measures to provide assurance that an attack like this does not happen again. Any organisations involved in elections need to be aware of the potential targets on their backs and ensure that they have a strong enough cybersecurity posture to remove any potential chance of threat actors being able to penetrate their systems the way they did in this incident.”
Andrew Bolster, senior manager, research and development at the Synopsys Software Integrity Group:
“Like many electoral registers globally, the UK electoral register can be viewed by almost anyone via local registry offices. However, this intrusion into the internal electoral register— particularly the exposure of registrants’ records who had opted out of the public register—could pose a significant risk to citizens if correlated with other datasets such as credit records and company registration data.
“While seemingly benign on its own, this kind of bulk-data exposure can be leveraged to gain trust and confidence in spear-phishing attacks, or to “triangulate” individuals under personal threat by combining multiple disparate data sources.
“The nature of this attack, which has been noted to stem from an email-based compromise, demonstrates that ‘defending the perimeter’ is not always sufficient. When it comes to data privacy, the owners of these data sets must establish and enforce defence-in-depth and layers of access control to protect them.”
Nadir Izrael, CTO and co-founder of Armis:
“This particular attack may not have resulted in a major operational failure, but it underpins what could happen. In fact, previously unreleased data from the Armis State of Cyberwarfare Report earlier this year demonstrated these concerns – with 68% of IT and security professionals in the UK agreeing that cyberwarfare could affect the cybersecurity of the electoral process. Whether this attack was related to geopolitical tensions is unknown, yet regardless of the attacker’s aim, it is imperative for security teams to remain highly vigilant as threat groups continue to work toward disrupting the daily lives of citizens by targeting their most critical systems.
“This unsettling reality should be a call to action for providers of critical services, who must review the adequacy of their risk assessments from cyber threats to proactively build a resilient strategy that shields them from the extended attack surface, while protecting the well-being of individuals and society as a whole. The importance of cyber resilience cannot be overstated, particularly when it comes to the ancillary IT systems that have become increasingly interconnected, posing potential risks to critical democratic procedures like the electoral process. The European Union has taken proactive steps, with legislation like NIS, which mandates that critical infrastructure providers, including those responsible for electoral systems, attain a certain level of operational resilience. However, more is needed from private companies and governments to ensure a resilient infrastructure.”
Darren James, Senior Product Manager at Specops Software, an Outpost24 company:
“Usually attacks on government agencies and systems such as this are most likely to be from nation state sponsored threat actors – Russia is very much at the top of the list. The purpose is to probe the target, move laterally to other connected systems, undermine public faith in the target government and to cause reputational scandal rather than financial damage. Potentially names, addresses and email addresses of up to 43 million UK voters may have been exposed.
“According to the Electoral systems website file sharing and email systems were accessible. They also mentioned that they have strengthen their network login requirements – hopefully this means they have adopted a better password/passphrase policy and are now blocking known breached passwords, as recommended by the National Cyber Security Centre who have been assisting them with their remediation and recovery.
“It is interesting, although not uncommon, that they managed to stay undetected in the system for over a year and also concerning that this attack was not publicly disclosed sooner.”
Brad Freeman, Director of Technology at SenseOn:
“For a democracy, the integrity of the electoral system is critical. Luckily in the UK we use a paper-based system to collect and verify votes. Whilst a paper-based system causes delays for counting and a small margin of error due to human mistakes the process is very resilient to wide scale tampering. The electoral roll itself is highly unlikely to be used directly in an attack on our democracy. However large databases are valuable for information collection by nation states especially when they are used against other datasets to build more complete pictures of our nation and its citizens. Government IT systems are fragmented with each department creating and managing their own systems. This is great when it allows innovation such as allowing services to be accessed online instead of via the phone or from dreaded paper-based forms. However, this fragmentation can mean that systems are not built to the same security standards increasing the risk. Enabling innovation and managing risk is a difficult balancing act.”