A committee of MPs has expressed concerns that foreign hackers might have had a hand in crashing the UK's voter registration website last year shortly before the Brexit referendum.
The Public Administration Committee concluded that a foreign cyber attack remains a potential reason that the "register to vote" site crashed on 7 June last year, shortly after a televised debate and hours before a (subsequently extended) registration deadline. The Lessons learned from the EU Referendum report [PDF] also lists more humdrum explanations for the site's failure, such as inadequate provision of resources to cope with last minute registration requests. The MPs faulted the government for a lack of contingency planning in their reports:
The Register to Vote website crashed on the evening of 7 June 2016. The Government has stated that this was due to an exceptional surge in demand, partly due to confusion as to whether individuals needed to register to vote. The Government should develop an online service to enable people to check whether they are already correctly registered. However, the Government clearly failed to undertake the necessary level of testing and precautions required to mitigate against any such surge in applications. The Association of Electoral Administrators criticised the government and the Electoral Commission for a clear lack of contingency planning.
We do not rule out the possibility that there was foreign interference in the EU referendum caused by a DDOS (distributed denial of service attack) using botnets, though we do not believe that any such interference had any material effect on the outcome of the EU referendum. Lessons in respect of the protection and resilience against possible foreign interference in IT systems that are critical for the functioning of the democratic process must extend beyond the technical.
The Cabinet Office, which also investigated the website crash, has ruled out actions of a hostile power. "We have been very clear about the cause of the website outage in June 2016. It was due to a spike in users just before the registration deadline," the government department told the BBC.
"There is no evidence to suggest malign intervention. We conducted a full review into the outage and have applied the lessons learned. We will ensure these are applied for all future polls and online services."
Ilia Kolochenko, chief exec of web security firm High-Tech Bridge, stressed the need for a thorough investigation while expressing scepticism that a foreign cyberpower such as Russia or China might have "taken out" the website.
"I doubt that a serious actor, such as a nation state for example, can be behind this particular DDoS attack. Governments have enough technical and financial resources to create smart botnets, simulating human behavior that would be hardly distinguishable from legitimate website visitors. Running a classic DDoS attack is too coarse, and would rather attract unnecessary attention to the external interference, trigger investigations and all other outcomes that smart attackers would [want to] avoid."
Cyberattacks by foreign powers against UK government websites in general are becoming an everyday threat.
Joep Gommers, chief exec of EclecticIQ, commented: "The UK government recently announced that the National Cyber Security Centre (NCSC) had blocked 34,550 'potential attacks' on government departments in the past six months – a rate of 200 a day. Many of them were believed to be state-sponsored or instigated by global crime outfits, all seeking information on what's being discussed, what's going to happen, and what it means for them.
"Persistent intelligence efforts and effective sharing with appropriate parties is required to stay free from external interference. The more governments can share information on attacks, the more intelligence can be gleaned and the greater the chance of finding and stopping the perpetrators."
It would be wrong to overstate the impact of the Brexit voter registration website's problems but that doesn't mean that wider concerns about the security of electronic voting, for example, are misplaced. A few successful vote-tampering successes in just a few strategically planned areas can cause panic, suspicion and loss of faith in the integrity of the process, according to code security firm Veracode.
Paul Farrington, EMEA solution architects manager at Veracode, added: "Hacking an entire election is near impossible, but should digital elections be successfully implemented, any cybercriminal hoping to create suspicion and disrupt the result of an election could achieve this simply by affecting just a small number of votes." ®