The risks to local authorities involved in the general election
Over recent years, there have been reports of cyber attacks, using a variety of techniques, timed to coincide with elections around the world. Most of these attacks were distributed denial of service (DDoS) attacks against government and media websites, which overwhelmed the websites with traffic. Some seem to have been designed to steal data, or to alter or disrupt the publication of election results.
There are also reports of activity apparently designed to influence voters or to undermine public confidence in election results or the electoral process. Sometimes this is facilitated by cyber activity. Reports from the US Government of malicious cyber activity during last year’s presidential election, as well as recent claims that fake news stories may have influenced public opinion, have drawn attention to this.
It can be difficult to know who is behind a cyber attack, but some of the attacks seen on other countries are likely to have been state-sponsored. Others probably involve hackers (some of whom may be working for hire), hacktivists or cybercriminals.
The UK system does not lend itself to electronic manipulation - voting and counting of ballots are manual processes - but there are some areas that could be vulnerable to cyber operations. These sorts of operations include:
- DDoS attacks, particularly against electoral, government or media websites making them unavailable at key moments during an electoral campaign (e.g. shortly before the deadline for voter registration, or on election day itself).
- Attempts to obtain user names and passwords and other personal information. Commonly used tactics include spear-phishing (emails that encourage the recipient to click on malicious links or attachments) and social engineering (content tailored for the recipient, making it more likely they will click on the malicious link). Internet-connected databases may also be of interest to attackers.
- Attempts to forge or send fake emails and other communications: It is also relatively easy to compose reasonably convincing fake emails. Compromised email accounts may also be used by attackers for this purpose.
- Attempts to alter or remove information published online, or publish falsified information or information obtained through hacking.
- Infection with ransomware or other malicious software. Ransomware can be used to encrypt information and a ransom is then demanded from the victim
The experiences of other countries over recent years suggests that organisations involved in UK elections should prepare for the possibility of disruption.
Case study examples
- In late 2015, coinciding with the start of local elections and a referendum on e-voting, the websites of an EU country’s Electoral Commission, government, and civic registration service all experienced denial of service attacks.
- Hackers disrupted the online voter registration process for an African parliamentary and presidential election in 2014, according to their electoral commission, although voters were still able to register in person at registration offices.
- Two websites set up to help an EU state’s voters decide which party to vote for in their national election in March 2017 were rendered inaccessible on polling day, apparently the victim of a DDoS attack.
- Authorities in South America are reported to be investigating claims that a team of hackers sought to influence elections on behalf of clients in nine Latin American countries from 2005 to 2013. The team hacked computers, email accounts, websites and phones, stole information and manipulated social media.
Protecting your systems
Basic cyber security measures will prevent the majority of attacks from succeeding. When coupled with routine analysis and audit of the electoral processes, the ability for a cyber attacker to cause widespread harm is reduced. We don't recommend you make sudden changes to your existing infrastructure, software, or choice of service providers which will be relied upon to support the general election (as this could introduce potential operational risk). However, we encourage all organisations to ensure the following points are addressed:
- Electoral systems, in particular Electoral Management Systems (EMS), hold bulk personal data sets. We have recently published guidance on protecting bulk personal data. We recommend you take regular back-ups of EMS data stores (in particular the electoral roll itself) and hold these offline in a separate secure location. Backup and restore procedures should be well-tested. In the event of problems, ensure the contact details for key suppliers (such as any EMS software and service providers) are readily available. Remember that during an incident, the usual mechanisms for finding contact information may not be available.
- Infrastructure used by local authorities (and other electoral organisations) should be well maintained, using modern software and hardware, and be kept patched. End user devices, such as those used by staff to manage the electoral roll, should be corporately managed. We recommend use of the NCSC End User Device security guidance to help protect these against attack.
- Depending on the level of access that your operational staff have to electoral systems (and the level of access control within the EMS), they may be able to perform significant privileged actions on EMS data. If so, it may be necessary to consider such staff 'system administrators'. You should constrain potential routes by which their account could become compromised. Regularly review the level of access individuals have, and ensure it is appropriate for their roles.
- Your organisation's web presence may come under heavy load (through legitimate or other use) in the run-up to the election. Our guidance on mitigating denial of service attacks can help you prepare in advance of such problems.
- Local authorities should be aware of the 'Ten Steps to Cyber Security'. This contains the NCSC's guidance on how organisations can best protect themselves in cyberspace.
Protecting your people
In periods of heightened pressure, attackers can exploit your staff's willingness to help citizens and those involved in running the election. Email addresses of key officials are often easily discovered, and thus may be targeted by attackers for social engineering and phishing attacks. Your processes should help those involved in running the election from falling prey to such attacks. For example, an urgent email seemingly from an EMS software vendor advising of an urgent software update may sound extremely plausible. However, is this confirmed by other sources (such as a notification on their support website)? Do they operate a moratorium on changes during the election period? Ensure that your staff know how to get support for anything that looks suspicious or out of the ordinary.
Individuals involved in the UK electoral process are required to show integrity and discretion, but a small number of people may intend to exploit their access for their own, unauthorised purposes (known as insider activity). An insider may seek to manipulate or compromise electoral information or processes for financial gain, ideological reasons or due to a desire for recognition. There is also a risk that individuals may unintentionally give away information useful to those who aspire to manipulate or compromise the UK Electoral process. Those seeking to cause such damage might attempt to identify people with pivotal roles in the election process from information available online. Therefore, electoral officials should be cautious about the detail they provide to others regarding their electoral duty.
All individuals involved (whether local government employees or those in temporary roles at polling stations, managing postal votes or at the count) have a vital part to play in ensuring confidence in the election process. They should:
- Be vigilant to those around them, reporting any unusual or unexpected behaviours such as not following standard procedures or attempting to gain access to parts of the electoral process where they do not have an obvious and legitimate requirement to do so. Local authorities should ensure that staff know how to report concerns.
- Avoid sharing detail relating to their electoral duty online, including on social media sites such as Facebook and Twitter.
Where to get extra help
• If you believe your election systems are, or have been, the victim of cyber attack we suggest you contact the NCSC.
• During the election period, if you experience a cyber incident or outage that appears out of the normal, causes any degree of service impact, is unexplained, or you feel should be reported to the NCSC for information only, then please contact the NCSC’s Incident Management team. The team can be contacted 24x7 at firstname.lastname@example.org. Please provide any technical details (for example, applicable logging and as much detail as possible) to enable our teams to work effectively.
• In addition to the resources available from the NCSC website, CISP provides a space to exchange cyber threat information in real time. If you're not already a member, you can register for CISP online.