From breach to resilience: How the Electoral Commission rebuilt its cyber defences

When considering critical national infrastructure (CNI), most people think of energy grids, transport networks, or hospitals. However, the UK’s electoral system is also a vital component of this category. It serves as the foundation of our democracy, so safeguarding it from those who aim to disrupt our elections is crucial. The threat is not hypothetical.

Across the globe, electoral systems have encountered a significant increase in cyber-attacks in recent years. The UK experienced this firsthand in October 2022 when a sophisticated breach was discovered in the Electoral Commission’s systems. Although the attack did not impact the security of our elections, it highlighted several weaknesses in the Commission’s systems and emphasized how underinvestment can leave public bodies vulnerable.

Similar to many breaches, this intrusion went undetected for a longer period than it should have. Our defenses at the time were insufficient to prevent the attack, and it took us longer than necessary to detect it. However, recognizing the magnitude of the issue prompted significant change. We promptly collaborated with the National Cyber Security Centre (NCSC) to eliminate the compromised systems, cleanse our network, and ultimately reconstruct our security infrastructure from the ground up. We understood from the beginning that this was not merely about addressing existing vulnerabilities but initiating a long-term resilience program.

Prior to the incident, we had already initiated a comprehensive security enhancement program. Subsequently, we have expedited and broadened this initiative: transitioning our infrastructure to the cloud, enforcing multi-factor authentication (MFA), upgrading to Office 365 E5 licenses, and implementing 24/7 monitoring services. Employees now undergo continuous training, and we have subscribed to the NCSC’s early warning system to detect and address threats proactively. Our annual expenditure on cyber security has tripled, and it has been integrated into every facet of our operations. Our improved IT systems have earned Cyber Essentials Plus certification for the first time, signifying compliance with the highest information security standards and instilling confidence in us and our partners. Collectively, these changes have endowed us with a higher level of resilience to confront the ongoing challenges.

On the day the 2024 UK general election was announced, we thwarted two significant DDoS attacks on our website, and on polling day itself, our fortified systems repelled over 60,000 attempted cyber attacks on our website. This ensured that the million visitors to our site that day could access the necessary information on how and where to vote. The imperative for IT leaders is evident: do not interpret recent successes as the culmination of the journey. Cyber security is an ongoing process of vigilance, adaptation, and fortification. The threat landscape evolves daily, and malevolent actors innovate as swiftly as the technologies they exploit. Complacency is the most perilous vulnerability of all.

The Commission’s commitment extends beyond fortifying our own defenses. We are collaborating with the UK’s governments, political parties, and other public bodies to disseminate our knowledge and encourage organizations to bolster their defenses. To uphold public faith in democracy, every entity within the electoral community must acknowledge the risks and be prepared to counteract them. The decentralized nature of the UK’s electoral system is a strength, making it arduous for any single point of failure to undermine the entire system. However, this resilience hinges on each component fulfilling its role effectively.

I implore counterparts in IT leadership not to wait for a breach to expose vulnerabilities. Invest in resilience now and engage with appropriate partners. Foster cross-sector knowledge exchange. Cyber threats are a reality for both the public and private sectors. Our security lies in our preparedness and response. For the Commission, the breach of 2021-22 served as a wake-up call that enabled us to rebuild with greater strength. While we have recuperated, we will not be complacent about our success. We will persist in ensuring that our security aligns with emerging and existing threats to safeguard the democratic process.

Andrew Simpson is the Head of Digital, Information, Technology, and Facilities (DITF) at The Electoral Commission.
