An influential UK Parliamentary committee has called on social media companies to remove covert hostile state material and said the government must "name and shame" those that fail to act. It also said that there was a "complicated wiring diagram of responsibilities amongst ministers" who might have to act in the event of a major state cyber attack.
The recommendations are part of the Intelligence and Security Committee of Parliament report published this morning into the potential Russian interference with UK democracy.
We are concerned that there is no clear coordination of the numerous organisations across the UK intelligence community working on [national cyber security], this is reinforced by an unnecessarily complicated wiring diagram of responsibilities amongst ministers...
The focus of political attention because of its relevance to the EU referendum and subject to delay at the hands of Prime Minister and his office, the report also details use of technology and social media for nefarious Russian activity.
"The government must now seek to establish a protocol with the social media companies to ensure that they take covert hostile state use of their platforms seriously, and have clear timescales within which they commit to removing such material," it said.
"Government should 'name and shame' those which fail to act. Such a protocol could, usefully, be expanded to encompass the other areas in which action is required from the social media companies, since this issue is not unique to Hostile State Activity. This matter is, in our view, urgent and we expect the Government to report on progress in this area as soon as possible."
Bot the Nine O'Clock News
The committee also addressed the use of social media bots and troll accounts to disseminate misinformation.
"Open source studies have pointed to the preponderance of pro-Brexit or anti-EU stories on RT and Sputnik, and the use of 'bots' and 'trolls', as evidence of Russian attempts to influence the process," the report said.
However, when the committee asked the intel agencies about its evidence of these activities, MI5 initially gave it a "six-line" response, namely (ahem), "stat[ing] that ███, before referring to academic studies." Clarifying.
"This was noteworthy in terms of the way it was couched," the report said. "The brevity was also, to us, again, indicative of the extreme caution amongst the intelligence and security agencies at the thought that they might have any role in relation to the UK's democratic processes, and particularly one as contentious as the EU referendum.
This report reveals that no one in government knew if Russia interfered in or sought influence that referendum, because they did not want to know
"This attitude is illogical; this is about the protection of the process and mechanism from hostile state interference, which should fall to our intelligence and security agencies."
So long and thanks for all the phish
In terms of other Russian activity in the UK, the report said: "GCHQ has also said that Russian [intelligence service] GRU6 actors have orchestrated phishing attempts against government departments – to take one example, there were attempts against [redacted], the Foreign and Commonwealth Office (FCO) and the Defence Science and Technology Laboratory (DSTL) during the early stages of the investigation into the Salisbury attacks."
The attacks on Sergei and Yulia Skripal in Salisbury, UK, by Russian agents using nerve gas resulted in the death of Dawn Sturgess, who came into contact with the poison.
The report also drew attention to Russian state hacking efforts, or "cyber pre-positioning activity", as it called it, on the UK's critical national infrastructure, according to evidence from the National Cyber Security Centre, but the details are redacted.
Russia is a highly capable cyber actor, employing organised crime groups to supplement its cyber skills. Russia carries out malicious cyber activity in order to assert itself aggressively – for example, attempting to interfere in other countries' elections. It has also undertaken cyber pre-positioning on other countries' critical national infrastructure.
An accompanying press statement added: "Given the immediate threat this poses to our national security, we are concerned that there is no clear coordination of the numerous organisations across the UK intelligence community working on this issue, this is reinforced by an unnecessarily complicated wiring diagram of responsibilities amongst ministers."
The report emphasised that the UK has a problem with detailing who is responsible for national cybersecurity. For example, the Foreign Secretary has responsibility for the National Cyber Security Centre, which is responsible for incident response, while the Home Secretary leads on the response to major cyber incidents. To add to the confusion, the Defence Secretary has overall responsibility for cyber techniques as "warfighting tools" and for the National Offensive Cyber Programme, while the Secretary of State for the Department for Digital, Culture, Media and Sport (DCMS) leads on digital matters, with the Chancellor of the Duchy of Lancaster being responsible for the National Cyber Security Strategy and the National Cyber Security Programme.
"It makes for an unnecessarily complicated wiring diagram of responsibilities; this should be kept under review by the National Security Council (NSC)," the report said.
The report has become the centre of political debate in the UK after its release was delayed by Prime Minister Boris Johnson's office. First, it held up the confirmation of its context, part of the publication process, until after December 2019's general election and secondly it delayed the formation of the committee until seven months after the election, meaning the report could not be published. Both were record times for such undertaking, committee member Stewart Hosie told the press.
The report added that evidence from the Scottish independence referendum in 2014 and Russia's "hack and leak" operation against the Democratic National Committee in the US showed the potential for Russian interference in the democratic process of foreign powers, including the 2016 referendum on the UK's membership of the EU.
Departing MI5 chief: Break chat app crypto for us, kthxbaiREAD MORE
"In speculation that this report was going to reveal either that Russia had interfered in or sought to influence the referendum, in the committee's view it's worse than that," committee member Kevan Jones said during a press briefing. "This report reveals that no one in government knew if Russia interfered in or sought to influence that referendum, because they did not want to know. UK government has actively avoided looking for evidence that Russia interfered."
The report called on the UK intelligence and security community to "produce an analogous assessment of potential Russian interference in the EU referendum and that an unclassified summary of it be published".
In its response, the government said it had "seen no evidence of successful interference in the EU Referendum" and that "a retrospective assessment of the EU Referendum is not necessary". ®