DOI: https://doi.org/10.58248/RR17
The changing threat
Cyber threats to elections can involve the creation and spread of false information and cyber attacks. Attacks typically involve unauthorised users attempting to gain access to electronic networks or devices to:
- make files inaccessible by encryption and demand a ransom to restore them, usually referred to as ransomware (PN 684)
- obtain and leak sensitive data (PN 684)
- manipulate computer data and systems, such as voter registration systems
Threats come from a range of individuals and groups with differing motivations and levels of sophistication. These include state and state-sponsored groups, criminal organisations and individual hackers. Potential motivations for cyber attacks can include financial gain, to gather information, or to influence elections.
The UK Government has stated that China and Russia pose the greatest state-backed cyber threats to the UK and that Iran and North Korea also have notable cyber capabilities (PN 684).
In 2024, it is estimated that an unprecedented number of countries (more than 40), representing more than 40% of the world’s population and over 50% of global GDP, are due to hold national elections. In the UK, a general election is set to take place on 4 July 2024. Local government elections in England and mayoral elections took place on 2 May 2024.
Threats to elections have changed. A 2023 annual review by the National Cyber Security Centre (NCSC), a government body that provides the public and organisations with cyber advice, highlighted how the cyber threat landscape for elections has evolved significantly since the 2019 general election due to:
Cyber attack risks
Technologies that attackers can target include systems, such as of government institutions, personal devices and social media accounts, such as of MPs or journalists, and election technologies. In the UK election technologies include:
- the online voter registration system on the UK Government website that is maintained by the Government Digital Service
- electoral registers that are maintained locally by electoral registration officers. There are two versions of the electoral register: the full register and the open register that people can opt out of (about 60% of those registered to vote have). Some organisations are given or can request copies of the full register, such as the Electoral Commission, political parties and the Office of National Statistics
- political party finance databases
- In the UK, voting and vote counting by local electoral officers is done manually. Internationally, election technologies can also include electronic or remote voting and results collation software.
Various stakeholders, including the NCSC, the Intelligence and Security Committee of Parliament, and some academics, have assessed that the highly dispersed paper-based voting and counting system in the UK makes any significant interference in election results difficult.
Ransomware
The NCSC has identified ransomware as the biggest cyber threat facing the UK. It warned that ransomware is a threat to elections in 2024, particularly due to its recent international rise.
A report by cyber security firm SonicWall assessed that the number of reported ransomware attacks against UK victims in 2022 had increased by 112% since 2021 to over 7.1 million. The report stated in 2022 the UK was the second most ransomware attacked country globally after the US. Most ransomware attacks against the UK are from Russian-speaking perpetrators.
Ransomware attacks, used alongside threats to sell or leak the data obtained, is now a multi-billion pound business. There has been a growth of ransomware operators selling it as a service, often known as ransomware-as-a-service (RaaS).
A 2023 inquiry report into ransomware by the Joint Committee on the National Security Strategy stated that “there is a high risk that the Government will face a catastrophic ransomware attack at any moment” and recommended that the Government plan for such a scenario.
There has been little reported evidence of ransomware attacks directly affecting UK elections or democratic processes.
There are various examples of ransomware attacks on local authorities, such as on Hackney Council in October 2020 and Gloucester City Council in December 2021. These have affected public services, including voter registration services.
Obtaining and leaking sensitive data
There are various examples of sensitive data being obtained and leaked around elections:
- In December 2023 the UK Government published a press release that attributed several attempts by Russian Intelligence Services to interfere in UK political processes through cyber operations, often conducted through the group Star Blizzard. This included the hack of UK-US trade documents leaked ahead of the 2019 General Election.
- A declassified assessment by the US intelligence community reported that in the run up to the 2020 US elections, Russian intelligence services gained access to networks of US political organisations and large volumes of data, which was released to platforms, such as WikiLeaks.
- The Intelligence and Security Committee of Parliaments report on Russia said:“It has been widely reported that the Russians were behind the cyber-enabled ‘hack and leak’ operation to compromise the accounts of members of the French political party En Marche! in the run-up to the 2017 French elections.”
Operations against high profile individuals
Cyber experts have raised concerns around the cyber security of political parties and candidates for elections. They have called for direct support to political parties, candidates and civil society to address these risks.
In the past year, there has been a rise in individual personal accounts being targeted. The security of personal accounts is less likely to be managed in depth by a dedicated team. For example:
In 2023, the NCSC launched an opt-in service to alert and provide advice to high-risk individuals if there is evidence of cyber operations on their personal devices or accounts.
Impacts of cyber attacks
Cyber attacks have caused disruptions to essential services, economic losses for organisations, harm to privacy and security, and reputational damage.
Some academics postulate that cyber attacks could in future undermine trust in the integrity of electoral processes and outcomes, and cause reputational damage for related organisations, regardless of whether they are successful or not.
Electoral Commission cyber attack and impacts
In August 2023, the Electoral Commission revealed that it had been the subject of a complex cyber-attack. In March 2024, the UK Government announced that this was highly likely to have been perpetrated by a Chinese state-affiliated entity.
The cyber attackers had access to the system from August 2021 until October 2022 and were able to access copies of the electoral registers. This information included the name and address of anyone in Great Britain registered to vote between 2014 and 2022. It is difficult to predict exactly how many people could have been affected, but it is estimated that the register for each year contains the details of around 40 million people.
Reports differ about the impact and seriousness of the breach. The Commission has reported that it would be difficult for the cyber breach to affect elections and the breach did not impact people’s registration status. Some academics have postulated that the attack “reflects the serious and ongoing threats to democracies posed by cyber-interference from foreign nations and criminal organisations”.
Some news articles say a potential leak of voters’ data could leave them exposed to fraud attempts. Cyber experts have said that the data combined with other leaked datasets could be used by the Chinese intelligence services for a range of purposes, including:
Due to the attack, the UK Government summoned the Chinese Ambassador to the UK and sanctioned related individuals and companies. Some MPs have urged the Government to take tougher actions against the Chinese Government.
The Electoral Commission failed some security tests before the hack. Although some articles have raised questions about if and how that contributed to the breach, evidence is sparse.
Risks of mis- and disinformation
Although intent is difficult to measure, the UK Government defines disinformation as “deliberate creation and spreading of false and/or manipulated information that is intended to deceive and mislead people, either for the purposes of causing harm, or for political, personal or financial gain”.
It defines misinformation as “the inadvertent spread of false information”. AI-generated images, audios and videos for malicious purposes are commonly referred to as ‘deepfakes.’
Many academic, industry and public-sector experts are concerned about an increased spread of deepfakes and AI generated mis- or disinformation around elections and their potential to impact election outcomes by:
Some experts think this is a potential national security issue. Others warn of exaggerated risks as concerns about manipulated images and news have been around for years.
Impacts of AI-generated fake information
In the past year, many examples have emerged of AI-generated fake information spreading around elections. The number of AI-enhanced images of politicians is increasing, including:
There is limited evidence directly linking expose to disinformation and a change in voting intentions (PN 719). Some researchers say that the spread of AI-generated fake information alone may not affect election outcomes and that measuring the impact of AI-generated content to election outcomes “is a notoriously difficult task”.
Policies related to cyber security
Cyber security often refers to protecting electronic networks or devices and the data they hold from unauthorised access, interference and use. In the specific context of elections, it can also be applied to the protection of the integrity of electoral processes from disinformation and influence operations.
The 2022 National Cyber Strategy sets out the UK Government’s vision to 2030 to be a “leading and responsible democratic cyber power.” The 2023 House of Commons Library briefing on cyber security in the UK gives further details on the Government’s approach to improving cyber security.
PN 719 on Disinformation: sources, spread and impact gives further details on various Government policies relevant to tackling disinformation, such as the Online Safety Act 2023.
The National Security Act 2023 defines cyber attacks, electoral interference and state-sponsored disinformation to manipulate political debates or weaken the integrity of democratic institutions as a national security threat.
As part of the National Security Act 2023, the Foreign Influence Scheme requires UK and overseas businesses to register arrangements under which foreign states direct them to undertake “political influence” activities in the UK and seeks to facilitate “transparency of foreign influence in UK politics”.
The Department for Science, Innovation and Technology’s Counter Disinformation Unit has a remit to respond to election disinformation that can pose a risk to national security. It does this by “identifying harmful false narratives and working closely with the major social media platforms to encourage them to swiftly remove disinformation”.
In November 2022 the Government established a Defending Democracy Taskforce that reports to the National Security Council, the main forum for collective discussion of the Government’s objectives for national security. The Defending Democracy Taskforce focuses on protecting the “democratic integrity of the UK from threats of foreign interference” such as to elections and electoral processes, disinformation and cyber threats to democratic institutions.
The taskforce aims to include security practice for all elected officials and ensure that core electoral infrastructure is secure by working closely with devolved executives and local government authorities.
The Joint Committee on National Security Strategy launched an inquiry into Defending Democracy in February 2024.
Challenges to addressing cyber risks
It can be time-consuming attributing attacks to specific groups or states, and difficult to hold them to legal proceedings, particularly if they are operating with the backing of governments.
The European Union Agency for Cybersecurity 2022 report stated that the growth of cyber attacks “as a service” could expand attacker capabilities, are likely to make the attribution of attacks to specific states more difficult and are likely to be used by nation states.
Many organisations use technology through a complex network of third-party suppliers. This can create risks of cyber breaches or interference. The Government issued a call for views on supply chain security in May 2021. In its response it highlighted how organisations, particularly smaller ones, can have limited visibility of their supply chains and a lack of expertise to understand risks.
It might also be challenging to address risks arising from the fact that attackers do not need to be successful to cast doubt on the integrity of electoral processes and support for results.
Preventing cyber attacks and tackling disinformation
Stakeholders highlight various measures to prevent cyber attacks, including:
The National Cyber Strategy aims to reduce UK reliance on non-allied states for digital technologies to avoid security risks in supply chains.
There are also various measures to limit the spread of disinformation and prevent people from engaging with disinformation (see PN 719), including:
Acknowledgements
POST would like to thank the following peer reviewers for kindly giving up their time during the preparation of this article:
- Professor Joe Burton, Lancaster University
- Joyce Hakmeh, Chatham House
- National Cyber Security Centre (NCSC)
- Dr Tim Stevens, King’s College London
Image credits: By roibu on Adobe Stock