Why hasn’t Russia hacked UK political parties? Or has it already?

What are the chances of a high-profile hacking of a UK political party between now and the General Election on 8 June? How helpful is it to try to quantify this probability? These are questions we asked ourselves recently at the International Centre for Security Analysis (ICSA).

On one hand, no previous UK general election has seen anything like the public release of hacked data that marred the November 2016 US presidential election. We have, after all, only just emerged from a major national referendum campaign with significant strategic implications, and a General Election the year before that, and neither of these campaigns was publicly blighted by hacking.

On the other hand, high-profile hacking episodes appear to be an emerging fact – the new normal? – in efforts to subvert the electoral processes of western democracies. And it’s worth pointing out that ‘fake news,’ deception and information operations have a long pedigree in British politics – the October 1924 General Election and the Daily Mail’s publication of the ‘Zinoviev letter,’ for example.

So, from one perspective, the question ought to be: ‘Why haven’t we already seen a similar dump of hacked emails in Britain?’ We identified at least five hypotheses consistent with the (to date) absence of hacked data online:

  1. UK political parties’ cyber security is too strong;
  2. UK political parties are too boring, so there isn’t anything sufficiently useful or interesting to release;
  3. State actors (like Russia) are less interested in the UK General Election than they were in the US or French presidential elections;
  4. State actors are interested, but the snap election announcement left little time for a sustained operation to yield useful data;
  5. A hacking operation is indeed underway, but these things take time and luck; maybe data has already been stolen, but the high-profile release is being held back until closer to election day.

In our view, points (1) – that UK party politics is unprecedentedly difficult as a target of cyber-attack – and (2) – that UK politicians are either too boring or too virtuous to leave behind embarrassing digital traces – can be discounted for several reasons. First, although we note that the National Cyber Security Centre has recently offered to assist political parties with cyber security issues, there have been several reports in recent years of UK politicians and their advisers using private webmail to discuss policy issues, suggesting that lax information security practices are not unknown in British politics. Second, regarding the ‘boring virtue’ of politicians, we simply point, as a counter-example, to the continued existence of the tabloid press. To this we could obviously add several other rebuttals, such as that the absence of a real scandal is not a barrier to the creation of ‘fake news’ scandals (as is alleged to have been at least partly the case in France with the Macron leaks).

In our list of competing hypotheses, this leaves (3), (4) and (5): either the UK general election just isn’t as important a target as the US or French presidential elections, or perhaps Theresa May’s snap election announcement has made an effective cyber operation much more difficult to execute in the limited time, or on-going cyber-attacks are encountering the kind of difficulties that routinely beset them (e.g. reliance on waiting for a lucky break, like targeted users clicking on links in phishing emails), or, finally, the operation is on course, merely waiting for the moment of maximum impact to release a damaging cache of data.

These hypotheses are less easy to dismiss, especially with no access to the internal deliberations of hostile foreign intelligence services or the governments that direct their activities (for short-hand, we’ll just say ‘Russia’ from now on, but there are clearly other threats too). It is certainly possible that, with finite capacity, Russia prioritised resources to the known quantities of the US and French elections, meaning that – whatever the desirability of an attack on UK political parties – any operational activities are at an earlier phase, not well placed to intervene in a June General Election.  (We read today, for example, that at least some apparently unsuccessful efforts were made earlier this year by an unknown hostile party to hack the private communications of a small number of MPs.)  If we don’t see a similar episode to the release of hacked emails in the US or France, one possible explanation would indeed be that the UK had a lower priority in the Russian operational pecking order during this time-period.

But there are several competing explanations that would also be consistent with this series of events.

For example, one competing scenario is that a concerted effort is indeed underway to hack political parties – presumably the Conservatives, as we don’t really see what Russia would gain from damaging Jeremy Corbyn’s electoral prospects.  (But maybe Russian intelligence agencies are just very thorough, so who knows?)  These operations are difficult, they take time, and they rely on a significant dose of good fortune, in the form of poor security practices by individuals or systemic shortcomings in the targeted organisations.

Just because we might not see a public release of hacked data during the election campaign, this wouldn’t be conclusive evidence that an operation wasn’t underway to hack British political parties. In fact, it wouldn’t even mean that such an operation had been unsuccessful: Russia has the capability to intervene directly in elections by leaking covertly acquired information, but that doesn’t mean that it always will do so. Traditionally, intelligence agencies collect information to inform the political masters’ decision making: British political parties could indeed have been hacked, but the data might have been used secretly to inform officials in the Ministry of Foreign Affairs or the Presidential Administration, rather than to execute an overt intervention during the General Election campaign.

So, it’s clear from this brief round-up that there are few hypotheses that could be completely dismissed should a leak fail to occur, excepting the hypothesis that Russia both has the information and intends to leak it.  If they haven’t done so by 8 June, we should at least be able to assume that they had reconsidered, but we couldn’t take it as confirmation that no information was stolen, because such information could be used differently, to inform Russian decision-makers, or perhaps it could be stock-piled for a future, more overt use.

In analysing these competing hypotheses, we find it most plausible to believe that a combination of scenarios (4) and (5) is true: hacking is difficult, time-consuming and relies on luck, so whilst Russia might be keen to stage this kind of operation, the surprise of an early general election has made it even more difficult than usual to execute. This explanation could be amplified by elements of scenario (3), in the sense that resource and other structural constraints could mean that operations against the US and French presidential elections had the effect of pushing the UK to a lower-tier targeting status over this time-period.

On this basis, especially in the apparent absence of similar operations during the 2015 General Election and 2016 referendum campaigns, we have reached the tentative conclusion that it is unlikely that a similar hack will occur before 8 June. How unlikely? Let’s say we’re as sure as we were that Donald Trump would lose the November 2016 presidential election. We certainly wouldn’t recommend betting on our forecast.  But in forecasting political events you’ve got to start somewhere, and then continuously revise those forecasts in the light of subsequent evidence.

CIA CREST database and Geolocation

Recently, to the delight of the OSINT community, the CIA updated its CREST digital library with the addition of upwards of 800,000 new files. While much of the credit for the agency’s initiative is due to the perseverance of journalist Mike Best (perhaps we should also spare a thought for the CIA employees who were likely on ‘scan and document’ duty in the basement for their first few years of service), granting digital access to the 13 million pages is a welcome act of compliance and transparency to researchers and citizens alike. Many of the documents made available date from the 50s through to the 80s and some contain guides on opening sealed letters and invisible writing, as well as reports stating the ‘total lack of evidence’ of UFOs.

Admittedly, it is quite fun to rummage through papers with titles worthy of an X-files episode; however, we endeavoured to find how such newly available information might be relevant to non-proliferation research today. This post will serve both to illustrate the type of valuable information the CREST database can offer, and to demonstrate some useful geolocation techniques.

Paris Terrorist Attack: Black Swan or Perfect Storm?

On Friday, 13 November 2015, France suffered the worst terrorist attack in its modern history as Islamic State (IS) gunmen and suicide bombers simultaneously attacked the Bataclan concert hall, Stade de France football stadium, and restaurants and bars in Paris’s popular nightlife spots, leaving some 130 people dead and hundreds seriously injured.

As France, and indeed the rest of the world, seeks to make sense of this terrible event, two questions dominate the discussion, and indeed the headlines: could the attack have been prevented and what can we do to protect ourselves against future occurrences?

The answers, it seems to me, depend on whether or not one regards such events as Black Swans or Perfect Storms.

Intelligence Post-Mortems: Predictions for Charlie Hebdo

The attacks on the offices of the satirical newspaper Charlie Hebdo in Paris, and related incidents in the Île de France region, have produced the same reactions that usually occur in the aftermath of major terrorist attacks. Powerful historical analogies (‘France’s September 11’) were evoked, national leaders made defiant statements and levels of security were heightened, counter-terrorism reforms discussed and the international community stood together in a remarkable show of solidarity. This was captured most vividly by the hashtag #JeSuisCharlie and a Unity March composed of huge crowds and attended by many world leaders.