NCSC security warning delays UK’s Conservative Party leadership vote

Security fears surrounding the UK’s government leadership contest have led to a delay in ballot papers being sent out to Conservative Party members. As reported in The Daily Telegraph, the National Cyber Security Centre (NCSC) warned that hackers could exploit a flaw in the voting process to interfere with and change people’s votes.

Around 160,000 Conservative Party members are due to elect either Foreign Secretary Liz or Ex-Chancellor Rishi Sunak as Boris Johnson’s successor, with the winner announced on September 5. Initial plans would have allowed members to choose whether to vote by post or online and then, if they changed their minds, use the alternative method to cancel out their previous vote. However, following advice from the NCSC, the party has made changes to the process to “enhance security around the ballot process.” This is due to potential interference by malicious actors such as a foreign state who could exploit the capability to alter one voting method to another after a vote is cast. The Telegraph said it understood fears were raised that scores of votes could have been changed by nefarious actors, although there was no specific threat from a hostile state.

An email sent to Conservative members, seen by the BBC, stated that voting packs were on their way but would “arrive with you a little later than we originally said… because we have taken some time to add some additional security to our ballot process.” The email continued that, once the ballot company receives a postal vote, the member’s online codes would be deactivated, “reducing the risk of any fraud.”

A Conservative spokesperson said: “We have consulted with the NCSC [part of GCHQ] throughout this process and have decided to enhance security around the ballot process. Eligible members will start receiving ballot packs this week.” A NCSC spokesperson added: “Defending UK democratic and electoral processes is a priority for the NCSC and we work closely with all Parliamentary political parties, local authorities and MPs to provide cybersecurity guidance and support. As you would expect from the UK’s national cybersecurity authority we provided advice to the Conservative Party on security considerations for online leadership voting.”

Cybersecurity consultant and author Raef Meeuwisse tells CSO that the incident raises the question of whether the organization managing the online piece of the Conservative Party’s leadership ballot has adequate security experience. “The UK NCSC/GCHQ openly recommending the deactivation of the online voter code when a postal vote is received strongly indicates a lack of confidence in the security and integrity of the Conservative Leadership online voter portal,” he says. “If the online voter codes can be guessed, stolen, or brute-forced, you can expect a second leg to this story in a few weeks’ time.”

ESET Global Cybersecurity Advisor Jake Moore agrees, telling CSO that political events often trigger attackers to try out new attack tactics, and whilst this has the potential of altering the outcome of a significant political event, what is worrying is that this is more likely to be used as a testing ground for more dangerous attacks in the future. “Such interference would cause lasting effects which would damage confidence in the UK political system in the future. GCHQ will be monitoring for this increase and will attempt to counterbalance this with more robust measures.”