IT Essentials: The day democracy didn't die

Democracies run on trust. Bad actors want to erode it.

IT Essentials: The day democracy didn't die

A cyberattack on the Electoral Commission exposed tens of millions of people's personal data, but the real victim is trust in the system.

At the start of this week, I thought I'd be writing an(other) editorial about AI, when a story broke about Zoom training LLMs on user data.

"Brilliant," I thought - journalists being one of the few people in the world to greet bad news with a smile - "I can use this to talk all about trust."

And then the Electoral Commission got hacked. Then, the same day, there was a massive data breach at the Police Service of Northern Ireland

Bad news really does come in threes.

Handily enough, these also relate back to trust: not in private corporations like Zoom, but our own public institutions.

That's dangerous - very dangerous - because trust is the foundation of a liberal democracy. We trust that the government of the day has our best interests at heart. We trust that our institutions will operate appropriately, without fear or favour. And we trust that they will protect us.

Put aside from the PSNI breach for now; as bad as it was, it was an accident with simple human error to blame. Focus on the attack against the Electoral Commission, which lasted for more than a year and may have been the work of a nation state attacker.

Why do I say that, when the EC and its partners have avoided attribution? A couple of reasons. First, this wasn't a smash-and-grab approach with a ransom note hanging from a broken window; it was a low and slow attack focusing on personal data. Whoever the culprits were, they were able to access (and probably exfiltrate) information on millions of voters, and stay undetected while doing so, for months. They were patient, skilled and sophisticated, and we can be pretty sure they got what they wanted.

Which brings me to my second reason: trust. Or, rather, lack of it. Sowing doubt is often a secondary goal of nation state attacks - in effect, undermining the faith we should have in governments.

Take a look at just a few of the comments I was sent soon after the story broke:

"If you did register to vote between 2014 and 2022, I would be particularly wary of unexpected emails, especially those pressuring you into taking action quickly, including those purporting to be from the Government."

"Anyone/everyone should be very suspicious of any email or physical mail they receive from the government for a while."

"People should remain as cautious as ever with unsolicited communications, even though the majority of the data may have been stolen well over a year ago."

"This incident is more than a breach of critical national infrastructure (CNI) or personal information, it's a breach of the instruments of democracy itself."

There's a clear thread: your data has been stolen, and official communications can't be trusted.

When we can't trust the government, humans revert to tribalism: small social circles that are easier to manipulate. It's a classic divide and conquer tactic.

That's why it was absolutely right for the Electoral Commission to quickly and clearly state that the attack had no effect on the electoral process.

But its procedure was sorely lacking elsewhere. Why did it take more than a year to discover the attack? Why did it take 10 months after discovery to inform the public? And why, when it admits that the accessible data could be combined with other information to profile individuals, does it insist that the breach was low risk?

All these questions remain unanswered, and we'll be following the story as it develops.

Weekend reading

If you're not yet sick of hearing about the Electoral Commission, we've put together a list of the five key things you need to know about the hack; and, fortuitously, one of our IT Leaders Summit speakers, Chloe Colliver, has been talking to Penny Horwood about regulating online safety.

John Leonard looked into the crash and burn of the Babylon Health app, once touted as the future of the NHS; and our own Analytics and Insight team has published an independent study into the mindshare of the big three public cloud providers.

Have a great weekend.