Almost anyone could have cyber-hacked the Labour Party

Jamal Ahmed, The Independent

Today the Labour Party was the victim of a “large and sophisticated cyber attack”. It shouldn’t come as a surprise, however. After the hack of the US Democratic National Committee in 2016, security experts warned it was only a matter time before a UK political party was targeted.

Hacker politics is nothing new to parties though. In fact, they often use it to their advantage, leveraging dark data and social media manipulation techniques. Yet our entire system of political regulation is still stuck in the 20th Century and unprepared for the current threat from foreign state or private criminal hacking.

The Electoral Commission devotes almost all of its resources to the problems faced by electoral systems in an analogue world. Today’s breach has exposed how urgently the independent body needs to develop its e-regulations to control how political parties remain digitally secure, and how they can use data responsibly and fairly.

Today the Labour Party was the victim of a “large and sophisticated cyber attack”. It shouldn’t come as a surprise, however. After the hack of the US Democratic National Committee in 2016, security experts warned it was only a matter time before a UK political party was targeted.

Hacker politics is nothing new to parties though. In fact, they often use it to their advantage, leveraging dark data and social media manipulation techniques. Yet our entire system of political regulation is still stuck in the 20th century and unprepared for the current threat from foreign state or private criminal hacking.

The Electoral Commission devotes almost all of its resources to the problems faced by electoral systems in an analogue world. Today’s breach has exposed how urgently the independent body needs to develop its e-regulations to control how political parties remain digitally secure, and how they can use data responsibly and fairly.

Worryingly, the Labour Party website’s privacy policy, under “How we protect your information”, makes no mention of any technical cybersecurity measures. It does not even specify whether the party uses a certified data centre.

It appears that this Labour breach (a DDoS or Distributed Denial of Service) was not a highly sophisticated form of cyber attack. These weapons — which, if ever successful, could seriously disrupt or even swing an election — can be easily sourced by anyone on the dark web. There is a de facto right to bear digital arms and no one is taking it seriously. There is every chance, however, that a foreign government was directly or indirectly behind this attack. Russia is best-known for having a high level hacking capability that is directed from within the Kremlin, but China, Iran, and even North Korea are known to have “hacker special forces” within their military and intelligence apparatus.

A state actor could have outsourced this to attempt to cover their tracks, or perhaps even deliberately used a relatively low-tech method to make it look like it was a small hacktivist group rather than a foreign government.

The only thing we can say with certainty is that our democracy is vulnerable. This is not a particular criticism of the Labour Party, or even all political parties. Recent successful cyberattacks have targeted large companies, and the fact that this hack is believed to have been successfully defended against suggests that Labour had at least some measures in place.

Political parties must be held to a higher standard than other organisations, however. I know small businesses with more robust security measures than the political parties who make up our parliament, with all the consequences for national security that come with that.

More broadly, the threat is even bigger. Political parties have access to a huge amount of personal data. The Labour Party, for example, has detailed data on half a million members. But like any major party, they will also have a data operation that seeks to profile every British voter.