Let's All Ask A Few More Questions Before Claiming Russia Hacked Brexit
Did a foreign government contrive to take down the UK's voter registration website? It seems fairly unlikely.
Many news outlets are covering a report by MPs into how last summer's EU referendum was conducted. The report has resulted in some pretty shocking headlines about potential foreign interference in the vote.
The House of Commons public accounts and constitutional affairs select committee published a lengthy investigation on Wednesday morning into the conduct of last summer's EU referendum campaign that includes some startling suggestions regarding the conduct of the referendum.
The most shocking claim focuses on the UK's central voter registration site, which crashed in the final hours before the 7 June deadline to apply for a vote in the referendum. This forced the government to introduce emergency legislation to extend the voter registration deadline, which had the side effect of enabling hundreds of thousands of extra people to apply for a vote.
The House of Commons committee's report into the conduct of the referendum concluded that it could "not rule out the possibility that the crash may have been caused by a DDOS (distributed denial of service attack) using botnets", which could have taken place for many reasons.
One potential reason for a DDOS attack is political activity, prompting the committee to note that foreign powers such as Russia and China "use a cognitive approach based on understanding of mass psychology and of how to exploit individuals".
This comment is what has prompted all the headlines.
Does this mean the Brexit result was the result of a hack by Russians?
Understandably people are concerned about the potential impact of such a high-profile political hack, especially one involving a highly contentious referendum.
The first issue is the description of a DDOS attack as a "hack", which suggests someone – a hacker, usually illustrated by a picture of a young man wearing a balaclava or Guy Fawkes mask – gained illicit access to a computer network by locating technical vulnerabilities or obtaining passwords.
Hackers connected to the Russia government are widely accused to have been active in the 2016 US presidential election, at one point obtaining the emails of Hilary Clinton campaign chief John Podesta.
By comparison, a DDOS attack is much cruder and does not require any special access to a website.
"A DDOS attack is not a hack, it's simply bombarding a site with traffic," computer security blogger Graham Cluley told BuzzFeed News. "It can look an awful lot like a lot of people trying to get to a website at the same time."
The committee report notes that is "has no direct evidence" for foreign involvement but it considers that it is important to be aware of the potential for foreign interference in elections or referendums. Committee chairman Bernard Jenkin also told the BBC that the evidence for a concerted effort to take down the voter registration site was "circumstantial" rather than "hard and fast" while noting the UK government had been very reluctant to discuss the topic.
Cluley said this stance is problematic as it's often difficult to say with any certainty that an attack is definitely taking place and also hard to work out where it is coming from.
"Even if it was a DDOS attack it's very hard to prove it's a foreign government – it could easily be a 14-year old boy in Grimsby," he said. "It's hard to rule it out but that's not to say there's any evidence whatsoever it's a foreign cyberattack."
The government insists the site failure wasn't down to Russian hacking but was really down to poor planning and the tendency of British people to attempt to do everything at the last possible moment.
The Cabinet Office commissioned its own report into the website's failure, which was published at the end of last year. It concluded that a lot of people decided to register to vote shortly before the midnight deadline because they had been watching a televised referendum debate that finished at 10pm and belatedly remembered to register before they went to bed.
It concluded that the voter registration system was not built to deal with hundreds of thousands of people attempting to register at exactly the same time, while the site was not tested under extreme pressure and some government staff lacked technical leadership skills.
"It is worth noting that a report ... highlighted that no DDOS attack was ongoing at the time of the incident," said the government's own account of events. Instead of a botnet simulating hundreds of thousands of people trying to access a website at the same time, it concluded that hundreds of thousands of people really did simply try to access a website at the same time.
Foreign intervention in British politics is a real concern for the UK government – as highlighted by the chief of MI6 – but in any case, the only effect of taking out a voter registration website would be to reduce the number of people who could vote, rather than shifting the result in a certain direction.
"We have been very clear about the cause of the website outage in June 2016," said a Cabinet Office spokesperson on Wednesday. "It was due to a spike in users just before the registration deadline. There is no evidence to suggest malign intervention."
Although that is, of course, exactly what you'd expect them to say.