Brexit voter registration website crash could have been a DDoS, says report

A government voter registration website in the UK that crashed in the hours before the deadline for registering to vote ahead of last year’s Brexit referendum could have been targeted by a denial of service attack.

The observation is contained in a report by the Public Administration and Constitutional Affairs Committee (PACAC), entitled Lessons from the EU referendum. 

In a section discussing software problems, the committee describes the website crash as the “most significant example of software failure”, and says it cannot rule out the possibility that the “exceptional surge in demand” to register to vote ahead of the deadline last June was caused by a distributed denial of service (DDoS) attack using botnets.

The report says the crash has “indications of being a DDOS”, based on what the committee calls the “key indicants” of such an attack: “timing and relative volume rate”.

According to the report there were 515,256 online applications to register to vote recorded on 7 June, with the previous record for the largest number of online applications received in a day being 469,047 on April 20, 2015 (ahead of the May 2015 general election).

The committee says it has no direct evidence of foreign interference in the voter registration process, but goes on to express deep concern about allegations of foreign powers such as Russia and China seeking to influence public opinion elsewhere via psychological cyber attacks in order to subvert democratic processes.

“Lessons in respect of the protection and resilience against possible foreign interference in IT systems that are critical for the functioning of the democratic process must extend beyond the technical,” the committee writes. “The US and UK understanding of ‘cyber’ is predominantly technical and computer-network based. For example, Russia and China use a cognitive approach based on understanding of mass psychology and of how to exploit individuals.

“The implications of this different understanding of cyber-attack, as purely technical or as reaching beyond the digital to influence public opinion, for the interference in elections and referendums are clear. PACAC is deeply concerned about these allegations about foreign interference.”

The committee is therefore recommending that the government takes specific measures aimed at bolstering the cyber security of election and referendum processes in light of the risk of foreign powers seeking to influence outcomes, while also lauding the UK’s prioritizing of cyber security in recent years (back in 2015 former chancellor George Osborne named cyber security a priority, and announced a plan to double spending over the next five years).

“We commend the government for promoting cyber security as a major issue for the UK. We recommend that Cabinet Office, the Electoral Commission, local government, GCHQ and the new government Cyber Security Centre establish permanent machinery for monitoring cyber activity in respect of elections and referendums, for promoting cyber security and resilience from potential attacks, and to put plans and machinery in place to respond to and to contain such attacks if they occur,” the committee writes. “We recommend that the government presents regular annual reports to parliament on these matters.”

The report also indicates that the voter surge ahead of the Brexit vote could have been exacerbated by the spread of ‘fake news’ on Facebook, with the UK’s Electoral Commission flagging up an incorrect rumor spread via Facebook during the Brexit referendum campaign which suggested voters needed to re-register in order to be able to vote. That was not true.

The report notes that an earlier report by the Commission found that 38 per cent of voter registration applications made during the campaign were duplicates, while an even higher proportion (46 per cent) were found to be duplicates during the period between the original cut-off for voter registrations (midnight June 7) and the extended deadline of midnight June 9, after the government allowed more time for registrations owing to “unprecedented demand” to register.

“Jenny Watson [chair of the Electoral Commission], indicated that the situation was not helped by the existence, at one point in the referendum, of a Facebook rumour that incorrectly said that voters had to re-register to make sure they could vote in the referendum,” the committee notes.

The Electoral Commission has previously recommended that the government develop an online service enabling UK citizens to check whether they are already correctly registered to vote. The committee says it endorses that recommendation.

“Duplicate applications pose an unnecessary administrative burden on electoral registration officers and are an equally unnecessary drain on the time of electors themselves,” it writes, adding: “While PACAC is aware of the technical issues that would need to be overcome to deliver such a service, it would be of invaluable assistance in preventing the Register to Vote website from collapsing due to high levels of demand again ahead of future elections and referendums.”

The report also criticizes the government for failing to undertake adequate levels of load testing of the official voter registration website, which it argues could have flagged problems ahead of time and helped mitigate the surge in demand.

“The government clearly failed to undertake the necessary level of testing and precautions required to mitigate against any such surge in applications. It is worrying that when testing identified issues in system performance, mistaken assumptions meant that these issues were not investigated further and corrected.”

The EU referendum, which was held on June 23 last year, resulted in a public vote to leave the EU by 52 per cent to 48 per cent. The UK government triggered the start of the two-year negotiation process over the terms of Brexit last month.