Written by staff writer.
Questions have been raised about the effectiveness of cyber security and its governance after the UK Electoral Commission went public this week about an infiltration of its servers that went undetected for over one year.
The Electoral Commission is the UK government’s agency that oversees elections and regulates political finance. On August 8, it said “hostile actors” had accessed its servers in August 2021, obtaining data on up to 40 million UK voters. However, the breach was not uncovered until October 2022.
“During the cyber-attack, the perpetrators had access to the Commission’s servers which held our email, our control systems, and copies of the electoral registers,” reads an Electoral Commission statement.
The British GCHQ security agency has reportedly uncovered links to Russian hackers and malicious software designed to lock users out of files. The stolen data included the names and addresses of anyone in the UK who registered to vote between 2014 and 2022, plus the names of those registered as overseas voters.
Neither the Electoral Commission nor security services have explained how the attack went undetected for 14 months. They said the delay in publicizing the matter was due to the secrecy of the investigation and countermeasures.
The Electoral Commission said this week that it needed to remove the threat actors, assess the damage, and work with the National Cyber Security Centre and other agencies before it could make the incident public.
David Bicknell, Principal Analyst, Thematic Intelligence at GlobalData, said the breach was alarming and raises questions about the cyber governance of the UK’s independent and public bodies and the technical advice they are given.
“This suggests cybersecurity was either not regarded as a high-enough priority at the Commission or that mistakes were made. Which organization advised the Commission on its cybersecurity protection measures?” he asked.
“Given the sensitive nature of its work, overseeing elections and regulating political finance, the Commission should have had the highest cybersecurity measures in place. Did the National Cyber Security Centre scrutinize them? And if not, why not?”
Electoral Commission CEO Shaun McNally has expressed his regret that better safeguards were not in place to prevent the cyber attack. He said that organizations involved in elections remain a target, especially from hostile nation-states, and must stay vigilant. However, he added that the UK election process is very dispersed and key aspects remain paper-based and rely on manual counting. “This means it would be very hard to use a cyber attack to influence the process,” he said.
But in the wake of the attack, multiple cybersecurity analysts say that it raises serious concerns about the often fragmented state of government IT security, in which agencies are frequently responsible for developing, implementing, and maintaining their own systems.
Bicknell goes further, saying that the attack suggests cyber security was not a high priority at the Electoral Commission or that serious mistakes were made in managing and monitoring it. “Are other public bodies similarly insufficiently cyber-protected? One would have to assume so.”