Unless you’ve been living in a news and social media vacuum, you’ll know that Theresa May has called for a snap general election in June and now all the political parties are clamoring for our vote. But – amid the rumors that the Brexit vote site may have been hacked – what would happen if someone were to hack the UK elections? Could a state, hacktivist group or criminal gang influence the outcome of the election?
The last couple of years have been marred by reports of election-related hacking; the Democratic National Committee (DNC) incident, the leak of Hillary Clinton’s emails and, more recently, the French President has been targeted.
The election power struggle has taken on a new dimension with the increasing dependence on technology for communication. Political parties use many digital tools and hold masses of sensitive data; communication strategies, membership information, donor details, financial data, for example.
In addition, top-level staff are exchanging emails and storing data across multiple devices. The question now is not so much what happens if a hacker strikes, but when. All it takes is a simple phishing email targeted at an unsuspecting or busy individual, or an unassuming USB stick connected to any campaign-related device, and a hacker has access to everything on the system, particularly if the system has ‘open access’ settings in place. It’s not only external hackers we need to worry about? What about the insider threat?
The usual suspects
Recent news reports have been littered with stories of attempts by other countries seeking to influence an election – this is nothing new. Countries have been meddling in each other’s political affairs for years. For example, according to US officials, Russian hackers made repeated attempts to infiltrate major US institutions. Their tactics were simple; mass sending of phishing emails in the hope someone would click. Similarly, Russia has also been identified as the most likely hacker of Emmanuel Macron’s presidential campaign.
The true purpose of these attacks is not yet known, but we can assume that hackers sought to tarnish the reputation of the opposing party and influence voters. The opportunities for this are endless: attackers could deface or take down the party website, leak confidential or compromising information, block all party communication, or they could simply make any and all data unusable by encrypting it and holding it to ransom.
For many organizations – political parties included – the focus of their security strategy is built on chasing down the threats or focusing on perimeter defenses. However, attackers are still getting through and if the security measures around data are not adequate, the door is open for anyone to inflict damage. Data is the target of these attacks, so more focus needs to be placed on protecting their most valuable digital assets.
The UK political parties seem to have been spared – for now – but there are measures which can be put in place should they fall victim to attack:
- Least privilege permissions. Enforcing a model of ‘least privilege’ ensures that employees only have access to the data they need to do the job. Limiting access on this ‘need-to-know’ basis means that sensitive data is less vulnerable if hackers compromise an employee account.
- Data location. It’s imperative that an organization knows exactly where all its data is stored before permissions can be allocated. There are solutions available which can automate the classification and identification of potentially sensitive information on a network.
- Data access monitoring. Sensitive data access needs to be monitored. If it’s not, how can you identify whether the correct people are accessing it or whether access is being abused?
- Training. Employees/users need to understand the value of the assets they are working with. Anyone coming into contact with sensitive data should be trained to use the systems and controls designed to protect that data.
- Data retention. Whilst it is necessary to retain data, make sure there are policies in place for when that data is no longer required or valid.
With the election creeping ever closer, the likelihood of political parties being hacked continues to increase. However, with the correct security measures and data policies in place, the parties involved can be safe in the knowledge they have done everything they can to protect their data.