Ciaran Martin has led the Civil Service teams which run and protect the UK’s electoral process. Here he reflects on what’s been learned about digital interference
Listen to this article (AI generated audio)
In the period between the calling of a UK general election and the poll itself, the experience of Civil Servants will vary considerably. Many continue to work normally, or near normally, paying out benefits or administering long standing programmes. Policy officials at the centre, by contrast, have already had to down tools, or at least stop working on policy announcements and switch their attention to what they think might come next.
For at least two sets of teams, however, those people within the Civil Service charged with running and protecting the electoral process itself, the current transitional period represents an operational peak in their activities. In my own career I was privileged enough to lead both efforts.
The first team administers the Civil Service’s constitutional policy capability in the running of elections. After occupying four different departmental homes so far in the 21st century, its members currently sit in the Department for Levelling Up, Housing and Communities. They comprise a remarkable repository of Civil Service expertise. Many have long experience in this specialism, and know everyone who matters in electoral administration throughout the length and breadth of Great Britain (Northern Ireland is managed separately). They are deeply knowledgeable about arcane matters of electoral law and process. Their role is separate to that of the Electoral Commission, which sets the rules and monitors the fair conduct of the election. The job of DLUHC’s electoral administration team is to make sure the election is properly resourced and managed in the first place.
A general election for this team is not a national event: it is an aggregation of 650 local ones so they are responsible for liaising with local authorities and others throughout the whole country. Membership of the team carries with it an awesome responsibility for the smooth running of elections and, in the best traditions of the Civil Service, its work only gets noticed when things go wrong.
Our assessment of what can go wrong with elections has shifted dramatically over the past decade. Here, year zero is 2016, when a well-executed ‘hack-and-leak’ operation carried out by Vladimir Putin’s intelligence services threw the US Presidential election into chaos. Tens of thousands of documents were stolen from the server of the Democratic National Committee, and from a key aide to its candidate, Hillary Clinton. At the time it was not a surprise that Russia would spy on a US Presidential election candidate; what was unusual was the wholesale leaking of the stolen material, the reporting of which destabilised US politics. Whether or not the Kremlin actually wanted to see Donald Trump win is beside the point: the fact that what the former President continues – falsely – to call “the Russia hoax” continues to divide and polarise Americans. Job done for the Russians.
This brings us to the second set of UK Civil Servants mentioned earlier – those charged with protecting elections from the sort of digital disruption experienced in the US. Spooked by what happened there in 2016 (and a much less successful attempt to interfere in the French Presidential election a year later) the British state moved to protect our own democracy. A plan to ‘Protect 2020’ – the year when, under the old Fixed Term Parliaments Act, this country was next due to go to the polls – was quickly drawn up. However, Theresa May’s decision to dissolve Parliament in April 2017 meant that what would have been a three year programme had to be condensed into eight weeks. Ironically, America’s Cybersecurity and Infrastructure Security Agency subsequently appropriated the ‘Protect 2020’ slogan, organising what one of the Trump Administration’s senior officials certified as one of the “safest” elections in American history. The President, who had not noticed the operation until late in the day, was apparently not amused and dismissed the agency’s head, by tweet of course, a few days after the election.
In the 2017 and 2019 elections the UK Civil Service teams responsible for electoral protection focussed on four things. First, they charged the national security state – mainly GCHQ (through its new National Cyber Security Centre, which I led at the time) and the other intelligence agencies – with getting a grip on those trying to attack our democratic process: the groups, their techniques, what we could do to block and disrupt them.
The second set of efforts involved a large-scale outreach to the electoral administration community – notably those responsible for electoral registration and the printing of ballot papers rather than the manual acts of voting and counting – to make sure they knew how to protect themselves from digital attack.
Thirdly, the National Cyber Security Centre provided guidance to key election participants – the political parties, which are powerful, but small, organisations, not likely to have the cyber defences of a multinational conglomerate; the candidates; and media outlets. Finally, there was the beginnings of a partnership with the Big Tech companies – led by DCMS- to tackle disinformation (essentially making up lies and amplifying them on the Internet) as swiftly as possible.
This work to improve electoral security produced some satisfying, and indeed amusing, moments. Given the 2016 Brexit electoral registration fiasco, the service had been overhauled and monitoring, particularly around election time, was significantly upgraded. Ahead of the 2019 election, at almost exactly the same point in the registration cycle when the system collapsed three years later, there was a sixteen-fold increase in traffic on the website (from 3,000, in line with projected activity, to 48,000). Fearing this was foreign hackers attempting to collapse the system, the NCSC and others urgently investigated the cause. It turned out that the rapper Stormzy had tweeted out an appeal to young people to register, sending thousands of his fans to a Government website. The serious part of this story was that, unlike in 2016, we were able instantly to spot anomalous activity on the website and work out whether the cause was malign or benign.
These efforts were subsequently absorbed into a cross-Government effort known as the Defending Democracy taskforce, bringing together Ministers and operational chiefs from across a wide range of Government agencies with a role to play in ensuring electoral integrity.
So how has Britain fared in the age of hostile digital interference? What have we learned, and what can the Civil Service do about it? Again, there are four things to look at.
The first is for everyone in a position of responsibility to keep the problem in perspective. If we give the impression that election integrity is in doubt without any evidence, our adversaries will have won without having to lift a finger. One example of this was the damaging hype that surfaced when the UK’s Register to Vote website collapsed in early 2016 just ahead of the deadline for registering to vote on Brexit (around the same time as the hack of the Democrats in the US). Many commentators, including a Parliamentary committee in 2017, refused to rule out foreign interference. The reality – established clearly by an independent technical expert report – was that a badly designed system had failed to cope with a late surge of interest from voters. This had nothing to do with the Russians; it was an embarrassing Civil Service IT failure, which happily has been addressed with the introduction of a vastly better system.
The reality is that so far the UK has suffered very little from successful cyber interference in elections. Russia made some attempts to disrupt the 2014 Scottish referendum, as Parliament’s Intelligence and Security Committee has reported, but what the ISC did not say was that Russian efforts have been mostly risible. The only one to ‘cut through’ was the hack-and-leak of a letter from Liam Fox, apparently showing a willingness to open up the NHS to American suppliers in pursuit of a US trade deal. This had no overall impact on the 2019 election, in which campaign it surfaced.
The second lesson is that, despite what’s happened (or not happened) previously, there is a real threat and it is changing. The discussion has moved beyond what those in cyber security call “hacking and leaking” to AI-generated fake content. Deepfakes, particularly audio, are now ridiculously easy to make. So we have to keep changing our defensive playbook. In last year’s election in Slovakia, a malicious actor circulated a deepfake audio which, thanks to a series of bungled efforts to articulate the truth, gained widespread credence and correlated with a four point swing in the polls in a tight race. Back in the US, there is some evidence that a targeted ‘robocall’ purporting to be from President Biden, telling them to stay at home, discouraged voters in New Hampshire from taking part in the state’s primary election.
The third is that there is plenty the Civil Service can do to secure our political process against attackers. Last October’s widely circulated and incendiary deepfake of London Mayor Sadiq Khan aimed at intensifying polarisation over the conflict in Gaza, is a great example. Thankfully its impact was close to negligible because the Government – headed of course by political opponents of the Mayor – correctly saw this as an attack on British democracy, not something to be exploited for partisan advantage, and moved swiftly. The Defending Democracy Taskforce quickly established that the recording was fake, and issued swift and clear statements asking the media not to report them as genuine. As a result, a malicious attempt to inflame tensions did not succeed. Hackers and spoofers will only succeed in dividing us if we let them.
This leads to the final lesson: the need for a comprehensive and agile cross-Civil Service response. In some cases, it will be the security services in the lead, identifying and blunting a new group of hackers or deepfake makers. In other areas, it will be DCMS officials reaching out to the media, or Big Tech, to point out fraudulent or stolen information and asking them to respond responsibly. Elsewhere, officials will be working to help political parties and candidates identify and report interference attempts. And much more.
For this reason alone, the 2024 general election period will be one of crucial importance for very different parts of the Civil Service.
Ciaran Martin was the founding Chief Executive of the National Cyber Security Centre, part of GCHQ.
