This guidance has been produced by the NCSC and the CPNI for local authorities ahead of the forthcoming local elections on the 3rd of May, 2018. It contains reminders around good cyber security practices for the systems that support the delivery of UK elections; it does not replace tailored advice and guidance specific to local circumstances.
Over recent years, there have been reports of cyber attacks, using a variety of techniques, timed to coincide with elections around the world. Most of these attacks were distributed denial of service (DDoS) attacks against government and media websites, which overwhelmed the websites with traffic. Some attacks seem to have been designed to steal data, or to alter or disrupt the publication of election results.
There are also reports of activity designed to influence voters, or to undermine public confidence in election results or the electoral process, sometimes facilitated by cyber activity. Reports from the US government of malicious cyber activity during the 2016 presidential election, as well as recent claims of fake news stories influencing public opinion, have drawn attention to this.
It can be difficult to know who is behind a cyber attack, but some of the attacks on other countries are likely to have been state-sponsored. Others probably involve hackers (some of whom may be working for hire), hacktivists or cyber criminals.
The UK system does not lend itself to electronic manipulation; voting and counting of ballots in English local elections are manual processes. However, there are some areas that could be vulnerable to cyber operations. These sorts of operations include:
- DDoS attacks, particularly against electoral, government or media websites, making them unavailable at key moments during an electoral campaign (for example shortly before the deadline for voter registration, or on election day itself).
- Attempts to obtain user names and passwords and other personal information. Commonly used social engineering tactics include phishing (emails that encourage the recipient to click on malicious links or attachments) and spear-phishing (content tailored for the recipient, making it more likely they will click on the malicious link). Internet-connected databases may also be of interest to attackers.
- Attempts to forge or send fake emails and other communications. It is relatively easy to compose convincing fake emails, and compromised email accounts may be used by attackers for this purpose.
- Attempts to alter or remove information published online, or publish falsified information or information obtained through hacking.
- Infection with ransomware or other malicious software. Ransomware can be used to encrypt information and a ransom is then demanded from the victim.
The experiences of other countries over recent years, some of which are summarised below, suggest that organisations involved in UK elections should prepare for the possibility of disruption.
- In late 2015, coinciding with the start of local elections and a referendum on e-voting, the websites of an EU country’s electoral commission, government, and civic registration service all experienced denial of service attacks.
- In one African country, the 2017 presidential election had to be re-run, after being annulled by the supreme court. One of the issues was a claim of unauthorised access to a key electronic election management system, together with concern over possible manipulation of the transmission of results.
- Two websites set up to help an EU state’s voters decide which party to vote for in their national election in March 2017 were rendered inaccessible on polling day, apparently the victim of a DDoS attack.
- Authorities in South America are reported to be investigating claims that a team of hackers sought to influence elections on behalf of clients in nine Latin American countries from 2005 to 2013. The team hacked computers, email accounts, websites and phones, stole information and manipulated social media.
Protecting your systems
Basic cyber security measures will prevent most attacks from succeeding. When coupled with routine analysis and audit of the electoral processes, the ability for a cyber attacker to cause widespread harm is reduced. We recommend you do not make sudden changes to your existing infrastructure, software, or choice of service providers which will be relied upon to support elections (as this could introduce potential operational risk). However, we encourage all organisations to ensure the following points are addressed:
- Electoral systems, in particular electoral management systems (EMS), hold bulk personal datasets. We have published guidance on protecting bulk personal data. We recommend you take regular back-ups of EMS data stores (in particular the electoral roll itself) and hold these offline in a separate secure location. Backup and restore procedures should be well-tested. In the event of problems, ensure the contact details for key suppliers (such as any EMS software and service providers) are readily available. Remember that during an incident, the usual mechanisms for finding contact information may not be available.
- Infrastructure used by local authorities (and other electoral organisations) should be well maintained, using modern software and hardware, and be kept patched. End user devices, such as those used by staff to manage the electoral roll, should be corporately managed. We recommend using the NCSC End User Device security guidance to help protect these against attack.
- Depending on the level of access that your operational staff have to electoral systems (and the level of access control within the EMS), they may be able to perform significant privileged actions on EMS data. If so, it may be necessary to consider such staff 'system administrators'. You should constrain potential routes by which their account could become compromised. Regularly review the level of access individuals have, and ensure it is appropriate for their roles.
- Your organisation's web presence may come under heavy load (through legitimate or other use) in the run-up to elections. Our guidance on mitigating denial of service attacks can help you prepare in advance of such problems.
- Local authorities should be aware of the 'Ten Steps to Cyber Security'. This contains the NCSC's guidance on how organisations can best protect themselves in cyberspace.
Protecting your people
In periods of heightened pressure, attackers can exploit your staff's willingness to help citizens and those involved in running the elections. Email addresses of key officials are often easily discovered, and thus may be targeted by attackers for social engineering and phishing attacks. Your processes should help prevent those involved in running the election from falling prey to such attacks. For example, an urgent email seemingly from an EMS software vendor advising of an urgent software update may sound extremely plausible. However, is this confirmed by other sources (such as a notification on their support website)? Do they operate a moratorium on changes during the election period? Ensure that your staff know how to get support for anything that looks suspicious or out of the ordinary.
Individuals involved in electoral processes in the UK are required to show integrity and discretion, but a small number of people may intend to exploit their access for their own, unauthorised purposes (known as insider activity). An insider may seek to manipulate or compromise electoral information or processes for financial gain, ideological reasons or due to a desire for recognition.
There is also a risk that individuals may unintentionally give away information useful to those who aspire to manipulate or compromise electoral processes in the UK. Those seeking to cause such damage might attempt to identify people with pivotal roles in the election process using information that’s available online. Therefore, election officials should be cautious about the detail they provide to others regarding their election duties.
All individuals involved (whether local government employees or those in temporary roles at polling stations, managing postal votes or at the count) have a vital part to play in ensuring confidence in the election process. They should:
- Avoid sharing details relating to their role in elections online, including on social media sites such as Facebook and Twitter.
- Be vigilant to those around them, reporting any unusual or unexpected behaviours such as not following standard procedures or attempting to gain access to parts of the electoral process where they do not have an obvious and legitimate requirement to do so. Local authorities should ensure that staff know how to report concerns.
Where to get extra help
- If you believe your election systems are, or have been, the victim of cyber attack we suggest you contact the NCSC.
- During the election period, if you experience a cyber incident or outage that appears out of the normal, causes any degree of service impact, is unexplained, or you feel should be reported to the NCSC for information only, then please contact the NCSC’s Incident Management team. The team can be emailed 24x7 at firstname.lastname@example.org. Please provide any technical details (for example, relevant logging and as much detail as possible) to enable our teams to work effectively.
- In addition to the resources available from the NCSC website, CISP provides a space to exchange cyber threat information in real time. If you're not already a member, you can register for CISP online.