The UK general election is upon us and amongst the bombardment of polarised political news, cybercriminals cast a menacing shadow. These are politically unprecedented times and the UK’s National Cyber Security Centre knows it. David Warburton, Senior Threat Evangelist, F5 Labs talks us through the different forms of cyberattack and how they might manifest themselves during the election, and why there is a growing need for vigilance as voting processes move from manual to digital.
The UK general election is almost upon us and it is already turning into one of the most divisive and analysed political events in the country’s history.
Discourse and debate are reaching fever pitch, from parliamentary benches and constituency doorsteps to every conceivable media platform in play.
It is no surprise then that an air of online volatility persists more than usual. At this moment in time, every new election is likely the most tech-enabled and at risk addled yet.
Labour was most recently under the cybersecurity cosh, enduring what it termed as ‘sophisticated and large-scale’ attempt to knock out its digital systems earlier in the month (it turned out to be a set of distributed denial-of-service (DDoS) attacks). Just the other day, Labour candidate Ben Bradshaw also claimed to be a victim of a suspected cyberattack when he received an email with sophisticated malware attachments.
These are politically unprecedented times and the UK’s National Cyber Security Centre knows it. Last year, the government-backed organisation issued a direct warning ahead of local elections, citing potential ‘insider activity’ attempting to ‘manipulate or compromise electoral information’. Similar warnings are in place for 2019.
There are many ways to knock an election off course. Below are some of the main existing and emerging cyberthreats to bear in mind as we head to the polls this week.
It is, however, worth noting that variations of these methods are possible throughout the year as hackers opportunistically hijack political developments in real-time.
Tried and trusted attacks
Although significant aspects of the UK’s electoral process are still conducted offline, it is not invulnerable to well-worn cybercriminal tactics such as DDoS attacks (electoral, government or media websites during key campaign instances, in particular). Today, even a teenager can create botnets in 45 minutes by watching a YouTube tutorial and there is a glut of DDoS-for-hire sites available on a shoestring.
Phishing is another perennial threat. In fact, F5 Labs’ latest Phishing and Fraud report currently sees it as the most prominent attack method used to breach data.
Elections are natural hunting grounds for seasoned phishers, with emotions running high and enormous volumes of proselytising communications flying around.
Hearts and minds are there to be won, and canny cybercriminals are ready to pounce. Attackers can eschew hacking through a firewall, finding a zero-day exploit or deciphering encryption. They just need a convincing email pitch and a fake site for victims to land on.
Recent examples of phishing-related political skulduggery include the focused targeting of government officials during the 2019 Ukrainian presidential election and North Korea’s attack against the Indian space agency’s moon mission.
Safeguarding against all of this calls for rich and constant behavioural training, combined with technical security controls such as multi-factor authentication and encrypted malware inspection. DDoS prevention solutions that align to business and IT architecture needs are also essential.
Tipping the scales
Worryingly, cybercriminals backed by nation states are now increasingly adept at directly misleading voters.
Most will recall how the US was conspicuously under fire in 2016, with Russian-instigated automated bot activity disseminating a slew of ‘fake news’ articles that may have swayed voter opinion.
The US House of Representatives Permanent Select Committee on Intelligence recently provided an eye-catching snapshot of the scale and reach of this type of activity, reporting that the Internet Research Agency (one of the Russian false front companies) purchased 3,393 Facebook advertisements that were shown to over 11.4 million Americans. They also created 470 Facebook pages with 80,000 pieces of organic content. These were shown to more than 126 million Americans. Only 120 million votes were cast in the entire 2016 presidential election.
In addition to Russia, the FBI also lists China and Iran as the top threat actors when it comes to election security.
One of the most effective, continually evolving tactics, is to muddy the public discourse and orchestrate a demoralising miasma of discontent. The threat actor doesn’t even need to promote a specific cause, candidate, or agenda. They just need to prompt chaos, uncertainty and division.
While there are tools available to help citizens spot news bias and disinformation (e.g. Snopes and AllSides), they often require additional skills that many older and less connected voters lack.
Naturally, the onus is on social media businesses to adapt. All should have the ability to identify, scrape and deny bots on their platforms. It can be a tricky, grey area, however, with discussions about the nature of free speech frequently adding complex nuances to the mix.
Sign of the times
Although it really won’t apply to the UK this year, there are growing concerns about how votes themselves can be falsified or tampered with.
Once again, the US is in attackers’ crosshairs more than most. Last year, F5 Labs’ Application Protection report flagged how public sector organisations were the most concerned of all industry sectors when it came to application tampering. One of the reasons is the fact that 37% of US states allow online registration.
Then there are the US’ electronic voting machines themselves. In August, more than 35,000 attendees of the Def Con hacker conference were invited to test for vulnerabilities. Every single one of 100+ machines were vulnerable to at least some kind of attack.
The UK, like most countries around the world, needs to sit up and take note. Elections will only become more digitalised and connected – whether we like it or not.
Taking back control
Awareness is key. For example, it has never been more important to spot media bias, which often mixes drama and opinion with real facts. Even though most major social media platforms are working hard on fixes, we simply cannot afford to be unquestioning, passive content consumers anymore.
Digital election interference – whether it influences a single vote or creates a confused political climate favourable to a specific nation-state – is a clear, present and insidious danger. Voters, politicians, or indeed anyone even tangentially involved in the democratic process, need be ready and able to navigate and interrogate this new reality.