As the UK’s general election fast approaches, a leading security expert has warned that a British political party will be at risk of a cyber attack. Whether it be an email hack or phishing, it seems that the question is not if it will happen, but when. Speaking to The Guardian, James Norton, a former official at the US Department of Homeland Security and head of the security consultancy Play-Action Strategies, said: “It wouldn’t surprise me if there’s already been some emails stolen… it would surprise me if it didn’t happen.”
Political campaigns are particularly vulnerable, according to Dick O’Brien, Threat Researcher, Symantec, because while governments are well secured political parties are not. Seeing as the nature of a political campaign is ephemeral, people are more likely to use cloud services and email that they wouldn’t use in a permanent organisation. This lack of security concern makes them much more vulnerable to attack.
British elections are more fragmented than their French or US counterparts, which can be both a blessing and a curse for security experts. On the one hand, the fragmented nature means low-level breaches would not leak an entire campaign’s data. Campaigns’ access to data is limited to that relevant to their local area. On the other hand, there is a much greater number of potential targets for hackers.
Opinions towards cyber security differ wildly between political parties. Speaking to The Guardian, Elaine Bagshawe, the Liberal Democrat candidate for east London’s Poplar and Limehouse, said she received limited training from the party. Instead, she relied on knowledge from her previous job at the Financial Conduct Authority.
Emma Coad, Labour’s Kensington candidate, had a similar experience. She explained that Labour offered information security webinars, “if you want to get hold of them.”
In order to tackle the security threat, Norton believes that both regular, deliberate training and technology updates are required. Too often people don’t know strangers are accessing their networks until months after their ‘arrival’.
It seems that local campaigns are also falling behind in this aspect: Coad stated that the Labour party had never spoken to her campaign about one of the ways to limit the damage a phishing attack can have: two-factor authentication.
The fragmented nature of the various campaigns means a one-size-fits-all attack will be harder to implement effectively, but nevertheless many expect an attack of some form.