Why hasn’t Russia hacked UK political parties? Or has it already?

What are the chances of a high-profile hacking of a UK political party between now and the General Election on 8 June? How helpful is it to try to quantify this probability? These are questions we asked ourselves recently at the International Centre for Security Analysis (ICSA).

On one hand, no previous UK general election has seen anything like the public release of hacked data that marred the November 2016 US presidential election. We have, after all, only just emerged from a major national referendum campaign with significant strategic implications, and a General Election the year before that, and neither of these campaigns were publicly blighted by hacking.

On the other hand, high-profile hacking episodes appear to be an emerging fact – the new normal? – in efforts to subvert the electoral processes of western democracies. And it’s worth pointing out that ‘fake news,’ deception and information operations have a long pedigree in British politics – the October 1924 General Election and the Daily Mail’s publication of the ‘Zinoviev letter,’ for example.

So, from one perspective, the question ought to be: ‘Why haven’t we already seen a similar dump of hacked emails in Britain?’ We identified at least five hypotheses consistent with the (to date) absence of hacked data online:

  1. UK political parties’ cyber security is too strong;
  2. UK political parties are too boring, so there isn’t anything sufficiently useful or interesting to release;
  3. State actors (like Russia) are less interested in the UK General Election than they were in the US or French presidential elections;
  4. State actors are interested, but the snap election announcement left little time for a sustained operation to yield useful data;
  5. A hacking operation is indeed underway, but these things take time and luck, maybe data has already been stolen, but the high-profile release is being held back until closer to election day.

In our view, points (1) – that UK party politics is unprecedentedly difficult as a target of cyber-attack – and (2) – that UK politicians are either too boring or too virtuous to leave behind embarrassing digital traces – can be discounted for several reasons.  First, although we note that the National Cyber Security Centre has recently offered to assist political parties with cyber security issues, there have been several reports in recent years of UK politicians and their advisers using private webmail to discuss policy issues, suggesting that lax information security practices are not unknown in British politics, and regarding the ‘boring virtue’ of politicians, we simply point, as a counter example, to the continued existence of the tabloid press. To this we could obviously add several other rebuttals, such as that the absence of a real scandal is not a barrier to the creation of ‘fake news’ scandals (as is alleged to have been at least partly the case in France with the Macron leaks).

In our list of competing hypotheses, this leaves (3), (4) and (5): either the UK general election just isn’t as important a target as the US or French presidential elections, or perhaps Theresa May’s snap election announcement has made an effective cyber operation much more difficult to execute in the limited time, or on-going cyber-attacks are encountering the kind of difficulties that routinely beset them (e.g. reliance on waiting for a lucky break, like targeted users clicking on links in phishing emails), or, finally, the operation is on course, merely waiting for the moment of maximum impact to release a damaging cache of data.

These hypotheses are less easy to dismiss, especially with no access to the internal deliberations of hostile foreign intelligence services or the governments that direct their activities (for short-hand, we’ll just say ‘Russia’ from now on, but there are clearly other threats too). It is certainly possible that, with finite capacity, Russia prioritised resources to the known quantities of the US and French elections, meaning that – whatever the desirability of an attack on UK political parties – any operational activities are at an earlier phase, not well placed to intervene in a June General Election.  (We read today, for example, that at least some apparently unsuccessful efforts were made earlier this year by an unknown hostile party to hack the private communications of a small number of MPs.)  If we don’t see a similar episode to the release of hacked emails in the US or France, one possible explanation would indeed be that the UK had a lower priority in the Russian operational pecking order during this time-period.

But there are several competing explanations that would also be consistent with this series of events.

For example, one competing scenario is that a concerted effort is indeed underway to hack political parties – presumably the Conservatives, as we don’t really see what Russia would gain from damaging Jeremy Corbyn’s electoral prospects.  (But maybe Russian intelligence agencies are just very thorough, so who knows?)  These operations are difficult, they take time, and they rely on a significant dose of good fortune, in the form of poor security practices by individuals or systemic shortcomings in the targeted organisations.

Just because we might not see a public release of hacked data during the election campaign, this wouldn’t be conclusive evidence that an operation wasn’t underway to hack British political parties. In fact, it wouldn’t even mean that such an operation had been unsuccessful: Russia has the capability to intervene directly in elections by leaking covertly acquired information, but that doesn’t mean that it always will do so. Traditionally, intelligence agencies collect information to inform the political masters’ decision making: British political parties could indeed have been hacked, but the data might have been used secretly to inform officials in the Ministry of Foreign Affairs or the Presidential Administration, rather than to execute an overt intervention during the General Election campaign.

So, it’s clear from this brief round-up that there are few hypotheses that could be completely dismissed should a leak fail to occur, excepting the hypothesis that Russia both has the information and intends to leak it.  If they haven’t done so by 8 June, we should at least be able to assume that they had reconsidered, but we couldn’t take it as confirmation that no information was stolen, because such information could be used differently, to inform Russian decision-makers, or perhaps it could be stock-piled for a future, more overt use.

In analysing these competing hypotheses, we find it most plausible to believe that a combination of scenarios (4) and (5) is true: hacking is difficult, time-consuming and relies on luck, so whilst Russia might be keen to stage this kind of operation, the surprise of an early general election has made it even more difficult than usual to execute. This explanation could be amplified by elements of scenario (3), in the sense that resource- and other structural-constraints could mean that operations against the US and French presidential elections had had the effect of pushing the UK to a lower-tier targeting status over this time-period.

On this basis, especially in the apparent absence of similar operations during the 2015 General Election and 2016 referendum campaigns, we have reached the tentative conclusion that it is unlikely that a similar hack will occur before 8 June. How unlikely? Let’s say we’re as sure as we were that Donald Trump would lose the November 2016 presidential election. We certainly wouldn’t recommend betting on our forecast.  But in forecasting political events you’ve got to start somewhere, and then continuously revise those forecasts in the light of subsequent evidence.

Disinformation from the White House

For anybody who saw the remarkable unscheduled press conference of the new White House Press Secretary, Sean Spicer, it was an astonishing event and worth watching in full. Was it spontaneous and based on unfavourable reporting? Or was it a pre-planned part of the new administration’s media strategy?

The statement was a lecture to the media on inaccurate reporting. It began with the ‘deliberately false reporting’ of the removal bust of Martin Luther King from the Oval office by Zeke Miller, a Time journalist. This was not true and Miller corrected by deleting the original tweet and producing another tweet retracting it.  This is likely to be misinformation: that is misreporting due to bias/incomplete information. Miller’s explanation is that that the bust was obscured and he could not see it. His own biases made him more likely to believe that the new administration would remove it and with the low effort cost of a tweet he reported it.

Continue reading

What might Trump mean for the Korean Peninsula?

Post by Rebecca Story, Research Intern at ICSA

Whilst President-elect Donald Trump’s plans for East Asia are still largely unknown, his lack of foreign-policy experience and  intentions to renegotiate trade and defence deals have led some to suggest that his presidency may contribute to destabilisation across the region, and particularly on the Korean Peninsula. Negative consequences for the Republic of Korea’s (ROK) economy, uncertainty over defence and heightened tensions with regards to the Democratic People’s Republic of Korea (DPRK) are all possible features of the ROK’s post-Trump future.

During his election campaign, Trump asserted that he would decrease US defence spending in the ROK and demand a greater ROK contribution to the shared costs of defence against the DPRK threat. With the cost-sharing agreement between the ROK and the US up for renegotiation in 2017, these remarks raise concerns that a Trump presidency will lead to a weakening of the alliance between the two countries and exacerbate instability on the Korean Peninsula. Continue reading

Facebook, Fake News and Verification

Facebook has a fake news problem. In the aftermath of Donald Trump’s election as the 45th President of the United States, the social network has come under sustained criticism for failing to prevent the spread of misinformation and disinformation. Numerous articles have been written dissecting the phenomenon, the possible impact it had on the US election and what Facebook should be doing about it.

But what has been fundamentally missing from the discussion is the responsibility of users to verify the content they consume online; particularly on social media where content is shared by “trusted” friends and family. As an open source intelligence (OSINT) centre, our day-to-day work involves critically evaluating publicly available information to verify the accuracy, veracity and reliability of sources and content.  Continue reading

The Strongman Bond: Trump and Erdogan

Post by Ed Roberts, Research Intern at ICSA

A Trump administration will likely see a warming of relations between the USA, Turkey, and Russia. With regards to Turkey, Trump has praised Erdogan, stating in an interview with the New York Times, that the suppression of the coup on July 15th was ‘quite impressive from the standpoint of existing government.’ Continue reading