China Crisis: Government blames China for Electoral Commission cyberattack

Also accuses Chinese state-affiliated actors of trying to hack MPs' emails

The question of whether we have really seen and understood the full extent of Chinese attempts to disrupt elections in the UK and the US remains open to debate.

Yesterday, in a statement, Deputy PM Oliver Dowden blamed the breach of the Electoral Commission, which exposed the data of millions of voters throughout much of 2021, on hackers working for the Chinese government. The breach wasn't disclosed until last year.

Mr Dowden said:

"Chinese state affiliated actors were responsible for two malicious cyber-campaigns: first, the compromise of the Electoral Commission between 2021 and 2022. Second, attempted reconnaissance activity against UK parliamentary accounts in 2021."

Those parliamentary accounts belonged to MPs such as Iain Duncan Smith and Tim Loughton – both of whom have expressed strong views on the threat to British security interests that they believe China poses. According to Mr Dowden, parliamentary authorities detected and blocked these attempted breaches before any email accounts were compromised.

In what appeared to be a coordinated statement on the Electoral Commission hack, the UK National Cyber Security Centre (NCSC) said it is "highly likely" that the Chinese hackers accessed and exfiltrated emails and data from the electoral register during the hack.

When the attack became known last year, the Electoral Commission emphasised that the attack wasn't a real worry because the vast majority of compromised data came from the open electoral register and was therefore already publicly available. This raised the question, both then and now, of 'why bother?' Computing asked the Electoral Commission this question at the time but the organisation declined to comment.

The NCSC said Chinese intelligence could use the data for "large-scale espionage and transnational repression of perceived dissidents and critics in the U.K."

Toby Lewis, Global Head of Threat Analysis at global cybersecurity firm Darktrace, said:

"Motivation for this breach is hard to assess and we can't rule out that the act of espionage was a way to access bulk personal data sets, much like the breach of OPM in 2015, rather than being politically motivated."

The NCSC attributed the separate attacks on parliamentary email accounts to the Chinese group APT31, which is known for targeting the online accounts of foreign government officials.

Security researchers have suggested that APT31 used spear phishing techniques to target very specific MPs.

Further evidence of a highly coordinated message is the fact that the US Department of Justice yesterday announced the charging of seven Chinese nationals with being part of APT31's efforts to target U.S.-based companies, government officials, politicians and political campaigns, including those of President Biden and Trump in 2020.

China has rejected the UK and US allegations.

China's Foreign Ministry spokesperson Lin Jian told reporters earlier today:

"We urge the US and UK to stop politicising cyber security issues. Stop smearing China and stop imposing unilateral sanctions on China. Stop their cyber-attack against China. The Chinese side has already made technical clarifications and response to the APT 31-related Information submitted by the UK side, which made clear that the evidence provided by the UK was inadequate," he said, adding: "Unfortunately, we haven't heard from the UK side."

What are we doing about it?

Mr Dowden said: "The cyber threat posed by China affiliated actors is real and it is serious, but it is more than equalled by our determination and resolve to resist it.

"That is how we defend ourselves and our precious democracy."

Is it though?

There is an observable disconnect between what is clearly an internationally coordinated campaign of announcements to call out malign cyber activity conducted by Chinese state-affiliated groups, and the assessment of the damage already incurred, as well as measures being put in place to prevent further compromise.

Have we really seen and understood the full extent of Chinese attempts to disrupt elections in the UK and indeed the US later this year? Certainly, the measures that Dowden announced yesterday (amounting to a ban on TikTok on the parliamentary estate which was announced a year ago, and sanctions on two individuals and a company employing fewer than 50 people) seem pretty feeble if the threat is big enough to merit a series of coordinated statements briefed to the press days in advance.

Toby Lewis of Darktrace emphasises:

"It's important to bear in mind that while data was accessed, there's no indication that it was tampered with or will have any direct impact on an election."

The risk is, and always was, that the attack on the Electoral Commission sowed a seed of distrust in the freedom and fairness of the electoral process in the UK, causing voters to question the integrity of the result. There is no evidence – yet – that this has happened, but you only have to look at the aftermath of the 2020 US election for a vivid illustration of the dangers of complacency.

Toby Lewis continues:

"Worries that future cyber-attacks may infiltrate the electoral process are not misjudged. Cyber has and will be used to twist political narratives and manipulate elections and we've already seen evidence in the Taiwanese election. These cyber threats are not new, but the adoption of AI has the potential to increase levels of disruption and allow for more sophisticated techniques to sow misinformation, access sensitive information and influence voters. Today's warnings from the UK government on the risk of cyber-attacks are timely and governments across the globe should ensure that they are well-equipped to battle cybercriminals.

"This latest incident highlights how nation-state hackers are skilled at blending into normal network activity. The only initial indicator was a series of suspicious log-in events - there were no other overt signs of a cyber intrusion using traditional detection methods. This is a valuable reminder that we can no longer solely rely on hunting for known indicators from past attacks."

One of the most worrying pieces of information which came to light after the Electoral Commission attack became public knowledge was the fact that the organisation had failed the most basic cybersecurity audit just before it occurred. This is indicative of worrying complacency – one that has been on display in multiple institutions in the public sphere.

Al Lakhani, CEO of IDEE, said:

"To avoid these awkward situations, the Government needs to find better ways of protecting its systems and data. When it comes to something as important as national security, relying on outdated cybersecurity solutions that detect attacks, but stop short of preventing them, is nothing short of dangerous.

"I hope that lessons have been learnt from past breaches, that this marks a turning point in the UK's cyber security preparedness, and that we move towards a digitally secure future rooted in identity proofing and transitive trust."