Today the Labour Party was the victim of a “large and sophisticated cyber attack”. It shouldn’t come as a surprise, however. After the hack of the US Democratic National Committee in 2016, security experts warned it was only a matter of time before a UK political party was targeted.
Hacker politics is nothing new to parties though. In fact, they often use it to their advantage, leveraging dark data and social media manipulation techniques. Yet our entire system of political regulation is still stuck in the 20th Century and unprepared for the current threat from foreign state or private criminal hacking.
The Electoral Commission devotes almost all of its resources to the problems faced by electoral systems in an analogue world. Today’s breach has exposed how urgently the independent body needs to develop its e-regulations to control how political parties remain digitally secure, and how they can use data responsibly and fairly.*
In the absence of any specific requirements for data security within political parties, organisations are left to muddle through. The situation is murky enough that just last week the Information Commissioner wrote to all major political parties reminding them they are not above data protection law (the assumption being that perhaps they believed they were).
It appears that this Labour breach (a DDoS or Distributed Denial of Service) was not a highly sophisticated form of cyber attack. These weapons – which, if ever successful, could seriously disrupt or even swing an election – can be easily sourced by anyone on the dark web. There is a de facto right to bear digital arms and no one is taking it seriously.
There is every chance, however, that a foreign government was directly or indirectly behind this attack. Russia is best-known for having a high-level hacking capability that is directed from within the Kremlin, but China, Iran, and even North Korea are known to have “hacker special forces” within their military and intelligence apparatus.
A state actor could have outsourced this to attempt to cover their tracks, or perhaps even deliberately used a relatively low-tech method to make it look like it was a small hacktivist group rather than a foreign government.
The only thing we can say with certainty is that our democracy is vulnerable. This is not a particular criticism of the Labour Party, or even all political parties. Recent successful cyberattacks have targeted large companies, and the fact that this hack is believed to have been successfully defended against suggests that Labour had at least some measures in place.
Political parties must be held to a higher standard than other organisations, however. I know small businesses with more robust security measures than the political parties who make up our parliament, with all the consequences for national security that come with that.
More broadly, the threat is even bigger. Political parties have access to a huge amount of personal data. The Labour Party, for example, has detailed data on half a million members. But like any major party, they will also have a data operation that seeks to profile every British voter.
This big data makes political parties more effective, but also makes them more attractive targets for cyber attackers. Any hacker looking for a huge data haul in an organisation that is perhaps bureaucratic or out-dated in its security measures would quickly find him or herself setting their sights on British political parties.
No-one knows how exactly this data has been collected, because there are almost no rules about this: laws like GDPR are, as Edward Snowden recently claimed, a “paper tiger”, focussing on data protection, not data collection. This means that there is likely a much larger data haul within political parties than many of us realise.
It is time for the Electoral Commission to take this seriously. Fraudulent postal ballots might corrupt a single constituency, but a successful hack can destroy our entire democracy. Some may say it is just a matter of time.
UPDATE (19.11.19): Following publication of this article, the Electoral Commission has asked us to make clear its position, which is that it is not possible for it to extend its e-regulations to control how political parties remain digitally secure, and how they can use data responsibly and fairly. The Commission says that the remit of its powers is determined by Parliament, by virtue of the Political Parties, Elections and Referendums Act 2000, and that these areas fall into the remit of other organisations. We are happy to put the Commission’s position on record.