Electoral Commission Failed Basic Security Test Before Cyberattack

UK Electoral Commission admitted it failed a cybersecurity test in the same year that hackers attacked the organisation

The Electoral Commission has admitted to security failings before it was hacked back in 2021 – a cyberattack that has only recently come to light.

Last month the Electoral Commission warned that “hostile actors” had breached its systems and obtained data on all registered voters in the United Kingdom.

The hackers obtained the “name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.”


Security failings

UK officials pointed the finger of blame at Russia, with Sir David Omand, a former director of GCHQ, reportedly stating that Moscow was the prime suspect.

The Electoral Commission had said the incident was identified in October 2022 after suspicious activity was detected on its systems.

“It became clear that hostile actors had first accessed the systems in August 2021,” the Commission said last month. “During the cyber-attack, the perpetrators had access to the Commission’s servers which held our email, our control systems, and copies of the electoral registers.”

Now the Guardian newspaper has reported that the Electoral Commission has admitted that it failed the Cyber Essentials assessment just before it was hacked.

The Cyber Essentials test is a voluntary government-backed scheme that assesses an organisation’s readiness against cyber-attacks.

The commission said it had failed the test in 2021, before it was hacked that same year.

The commission was quoted by the Guardian as saying it did not pass the test due to two issues unrelated to the hack: an earlier version of Windows software on some laptops and a dated version of staff mobiles.

However, it reportedly said those problems were not linked to the attack, which affected the organisation’s email servers.

“We are always working to improve our cybersecurity and systems,” a Commission spokesperson was quoted as saying.

“We draw on the expertise of the National Cyber Security Centre, as many public bodies do, to continue to develop and progress protections against cyber-threats. We regularly seek guidance and feedback on our systems to deal with the continued risk of cyber-threats as they evolve and take different forms. We welcome these learnings and act on them.”

Critical infrastructure

Meanwhile, Andrew Rose, resident CISO at cybersecurity and compliance specialist Proofpoint, said past elections have shown us that cybercriminals are aggressively targeting government’s critical infrastructure to gain access to sensitive information and cause widespread damage.

“It’s evident the cybercriminals were taking full advantage of the electoral system’s vulnerable, decentralised structure in order to gain access to as much information as possible,” said Rose.

“In addition, with access to this mass of voter information, attackers have the potential to subtly spread disinformation to the 40 million citizens in the database that reinforces their world view and amplifies disharmony,” Rose added. “They can also manipulate the information within these systems in order to create distrust by calling to question the authenticity and accuracy of voter data or even, in a worst case, votes themselves.”

“While we cannot be certain of their motive, what they learned, or what the attacker was truly seeking, in this instance, the attackers had access to the electoral systems for a number of months indicating they were in search of something other than quick financial gain, which is the most common motive of attacks,” Rose stated.

“The longer an attacker stays undetected in a network – the more damage they can do,” Rose concluded. “This breach serves as a stark reminder to all public and private organisations to take swift action to reinforce their cyber defenses, making it harder for criminals to get into their systems in the first place and thus preventing this from happening again.”

Election meddling

Meanwhile, Ryan McConechy, CTO of cyber protection, detection and response specialist Barrier Networks, noted this attack could potentially allow for outside meddling with future UK elections.

“This is a concerning discovery about a cyberattack that could give adversarial powers greater advantage in meddling with the future UK electoral process,” said McConechy.

“Cyber Essentials is a certification that sets out best security practices for businesses of all sizes to help them improve their resilience against attacks,” said McConechy. “It is non-intrusive and cost-effective and something all businesses should aim to achieve especially when they process high volumes of data.”

“The certification is more than another compliance check box to be ticked; it is a solid baseline to make sure that, as an organisation, many obvious pitfalls have been avoided, helping remove the easy wins so attackers give up or move on,” said McConechy.

“The fact that the Electoral Commission recently failed the assessment is very worrying,” said McConechy. “Especially given that an organisation of such prominence would normally be expected to be Cyber Essentials Plus certified.

“No organisation that handles the data of the UK population should ever gamble with security, the requirements of Cyber Essentials should be met as a standard practice and achieving certification should be a guarantee,” McConechy concluded.