The theft of something precious to 40 million people would, in most circumstances, be cause for instant outrage. That appears not to have been the case when the scene of the crime was a database held by the UK Electoral Commission. The delay in detection and muted reaction are as alarming as the heist itself.
At some point after August 2021, hackers gained access to the names and addresses of everyone who registered to vote between 2014 and 2022. The security breach was only discovered last October and made public this week. The perpetrators have been identified as “hostile actors”, which could be a criminal gang, a foreign state, or the former acting on behalf of the latter. Official suspicion has fallen primarily on Russia.
The Kremlin has a record of interference with British democracy. A 2019 report by the House of Commons intelligence and security committee described Russian cyber-meddling as a “new normal”. Publication of those findings was blocked by Boris Johnson, then prime minister, until July 2020 – after an election campaign in which Russia is also alleged to have interfered. MPs have been unable to assess the effectiveness of Kremlin influence because the government has not investigated it.
That reflects the reluctance of a winning side to unearth evidence that might dim the glow of victory, but is symptomatic also of complacency about digital sabotage. The legal underpinning of fair elections is built around analogue processes. Rules governing the use of data, conduct of campaigns, how money is spent and where it comes from apply also to the digital arena, but are harder to enforce there. That is why it is so important to have a powerful regulator, and why it is so damaging that the Electoral Commission has been exposed as a vulnerable target for hackers.
When ministers might have been upgrading democratic safeguards, they instead undermined the independence of the commission, making it subject by law to political priorities defined by the government. Some Conservative MPs, seemingly aggrieved by inquiries into pro-Brexit campaign spending irregularities, have even suggested that the regulator be abolished. Instead of investigating genuine risks, the government chased the phantom threat of in-person fraud at polling stations, suppressing voter turnout.
It isn’t yet clear what nefarious purpose the stolen information might serve. The huge dataset could be exploited for scams and misinformation. The mere fact of its loss corrodes trust in public institutions.
The same applies to an egregious breach of data privacy this week by the Police Service of Northern Ireland. That leak, exposing sensitive information about serving officers, has been attributed to “human error” – a balls-up, not a burglary. But the fragility of safeguards that let secret information slip so easily through official fingers speaks to a culture of naivety around data security. Some accidents should not be allowed to happen.
Public awareness of the risks in these cases lags well behind the sophistication of the criminals and rogue states that exploit the weakness. Instead of acting to reinforce national defences, the government has played cynical games of deflection and exploited the antiquity of the system for partisan advantage. Britain has a venerable, long-established culture of democracy, but that doesn’t confer immunity from modern modes of sabotage. It needs a regulator fit for the 21st century and a government that believes in robust regulation.