Brexit vote site may have been attacked, MPs say in report

  • Published
Media caption,

Committee chairman: Government 'reluctant to delve into this'

A voter registration site that crashed in the run-up to last year's EU referendum could have been targeted by a foreign cyber-attack, MPs say.

The "register to vote" site crashed on 7 June last year just before the deadline for people to sign up to vote.

The UK government and electoral administrators blamed a surge in demand after a TV debate.

But MPs on the parliamentary Public Administration Committee say a foreign cyber-attack could not be ruled out.

The suggestion came in their report at the end of their inquiry into Lessons learned from the EU Referendum.

The report, and published evidence with the report, does not appear to quote anyone saying that the voter registration site had been targeted.

And the Cabinet Office, which commissioned its own report into the website crash, said: "We have been very clear about the cause of the website outage in June 2016. It was due to a spike in users just before the registration deadline.

"There is no evidence to suggest malign intervention. We conducted a full review into the outage and have applied the lessons learned. We will ensure these are applied for all future polls and online services."

The website crashed at about 10.15pm on 7 June 2016, shortly after a televised debate and amid social media campaigns to get people to register to vote ahead of the midnight deadline. Official figures suggest 525.000 people applied to register to vote that day.

Image source, PA

The Public Administration Committee's chairman, Leave-supporting Conservative MP Bernard Jenkin, told BBC News there was "circumstantial", rather than "hard and fast" evidence the registration site had been targeted.

He said the committee's report had included the possibility that the crash "may have been caused by a DDoS (distributed denial of service attack) using botnets" in its report "on advice".

"The government were clearly very reluctant to delve into this," he said.

"We took quite deep advice on this from various places and it's not unreasonable, given there's quite a lot of this going on in other countries, that this could have happened in this case," he added.

After the website crash the then Prime Minister David Cameron extended the deadline by 48 hours for registering to vote in the referendum - 430,000 people applied to register to vote during that extension period.

According to evidence submitted to the committee from the Association of Electoral Administrators the electoral registration system "could not cope with the demand... and any contingency measures were wholly inadequate".

It says: "This concern had been raised on a number of occasions... reassurances had been given that what actually occurred could never happen."

Media caption,

EXPLAINED: What is a DDoS attack?

Analysis by Chris Baraniuk, Technology reporter

That foreign parties might have tried to crash a government website in the lead-up to a key poll is a serious suggestion, but does it carry much weight? Cybersecurity experts are sceptical.

"I think there's lots of conjecture," says Ollie Whitehouse at NCC Group. "It appears to be one committee's opinion but with no supporting evidence."

He also pointed out that government websites were known to suffer during periods of unusually high demand, though their robustness had improved in recent years.

The wording of the report is, indeed, "very vague", notes John Graham-Cumming at networking firm Cloudflare. In order to really know what happened, traffic to the website prior to the downtime would have to be analysed.

That is only possible if adequate records have been kept, Mr Graham-Cumming adds.

"Most websites don't store very detailed information," he notes. But if logs show traffic from a large number of sources around the world, that might indicate that a botnet - a system of enslaved computers - was used to attack the site. "That could be interesting," he says.

In its report the committee has also criticised Mr Cameron's "questionable" motives for calling a referendum in the first place, saying it had been done to "call the bluff" of his critics and shut down "unwelcome" debate.

It urged future governments to think carefully before promising nationwide votes on controversial issues, particularly if they are not prepared to implement an outcome they do not like.

"There was no proper planning for a Leave vote so the EU referendum opened up much new controversy and left the prime minister's credibility destroyed," the report says.

It said that civil servants should be required to prepare for both possible outcomes in future referendums - such as a second vote on Scottish independence - something they had been prevented from doing in the run-up to the Brexit vote.

Image caption,
Online voting registration proved popular, especially with younger voters

The committee called on the government to set up a new Cyber Security Centre to monitor and contain potential attacks on UK elections and referendums - particularly foreign attempts to influence public opinion and disrupt the democratic process.

"The US and UK understanding of 'cyber' is predominantly technical and computer-network based," said the report.

"For example, Russia and China use a cognitive approach based on understanding of mass psychology and of how to exploit individuals.

"The implications of this different understanding of cyber-attack, as purely technical or as reaching beyond the digital to influence public opinion, for the interference in elections and referendums are clear," the report added.