With the UK General Election now officially underway in the UK, after Parliament was dissolved on Wednesday, the campaigning starts in earnest. With allegations and investigations into possible foreign state interference in the recent US Presidential election among others, SC Media UK has been pondering how easy it might be to hack the UK General Election?
Last month a parliamentary committee recommended the creation of a monitoring unit to help ensure the integrity of British democracy.
Let's start with the obvious question then. If a foreign actor (or indeed a domestic one for that matter) wanted to influence the outcome of the UK general election, how doable would that be and what methods might be applied?
As Wieland Alge, general manager EMEA at Barracuda Networks explains, there are three typical flavours of digital election manipulation: "Defacing websites or attacking email systems, stealing and publishing data, and direct anti-campaigning. The latter usually achieved through the clever use of social network capabilities and the creation of fake news."
"The more sophisticated attacks will probably involve mass usage of hacked social media accounts to post fakes from influential accounts," says Ilia Kolochenko, CEO of High-Tech Bridge, "or hacking of well-known media and governmental websites to spread dubious gossip."
"It's worth looking at online polling tools that don't have anti-bot protection," Stephen Singam, managing director of research at Distil Networks says. "If these tools can be easily gamed using bots, then they can support a fake news agenda more easily."
Oz Alashe, CEO at CybSafe, looks to simple approaches such as "muck raking using the social media of friends and family to uncover embarrassing information" as well as degrading operational capability with DDoS attacks.
And talking of simple approaches to election hacking... "Penetrating an election could be as easy as volunteering at a location and placing a USB device on the office network," according to Stephen Coty, chief cybersecurity evangelist at AlertLogic, or "dropping a USB device at a local pub that the staff like to frequent." As Coty says, there are several scenarios where this can then go.
Simplest of all though, might be to do nothing at all until after the election closes. "If a hacking group uses dis-information to claim they have hacked the result," Matthias Maier, security evangelist at Splunk explains, "the authorities need to prove they haven't." If they cannot, then the legitimacy of the result may be questioned.
Techniques apart, how likely is any of this over the course of the next few weeks? Unlikely, according to Brian Lord, and he knows a bit about all of this, what with being the former deputy director for GCHQ in its Intelligence and Cyber Operations division. Now he's the managing director of PGI Cyber and told SC Media that "any meaningful state actor wishing to influence the political landscape in the UK is likely to have been caught totally off guard by Theresa May's decision and will have had little time to plan a meaningful effective influence campaign in such a short timeframe."
But what about the voting process itself, is this something that could be hacked in the UK?
St John Harold, CTO at Cyberlytic, admits that the biggest concern is indeed probably voter fraud "but given this cannot be easily done on a national scale, this would probably only affect localised voter patches."
John Bambenek, manager of threat systems at Fidelis Cybersecurity, agrees that “electoral register tampering could be done, but it's not terribly likely that it could be done in such a way to influence votes." Even if ‘ghost voters' were successfully registered, "they would then need physical people in the UK to vote for them and there are only so many places a person can be to cast ballots."
And finally, if a foreign power were to try and hack the election, which country might be the most likely candidate?
Dr Ben Silverstone, the course leader for computing and quantitative business at Arden University, thinks that the pro/anti Brexit issue is unlikely to have any value beyond the EU and no European government would risk sponsoring such an activity. "I think anything will likely be small scale,” Dr Silverstone insists, "UK-based and probably target candidates to discredit them at a constituency level."
Chris Pogue, a member of the US Secret Service Electronic Crimes Task Force and CISO at Nuix, agrees that "if the UK election is going to be hacked, it'll most likely come from within. Pointing the blame towards external actors from foreign states plays so neatly into political narratives because, frankly, not enough people understand the nature of cyber-crime."
Of course, in the UK we have the National Cyber Security Centre (NCSC) which is there to protect us against just this kind of threat. "The UK has consistently been one of the few countries that has tracked foreign hacker groups with some success," says Thomas Fischer, threat researcher and security advocate at Digital Guardian.
And anyway, as Ian Trump, global security lead at SolarWinds MSP says, “The level of effort required to influence an election voting process is extraordinary – and in the final analysis, it's nearly impossible." How near-impossible? Right up there with "a gigantic kinetic event, zombie apocalypse, alien invasion or space time rift,” according to Trump who concludes, "we might just as well expect Dr Who to arrive and sort the whole thing out, while we enjoy a nice cup of tea."