In April of last year, the United Kingdom took the historic step of voting to leave the European Union. Hours before that referendum, the official website used for voter registration crashed, leading to speculation that it had been targeted by a cyberattack intended to influence the result.
A report by the Public Administration and Constitutional Affairs Select Committee noted “indications” that the registration site was targeted by a botnet, which launched a Distributed Denial of Service (DDoS) attack that rendered the service inaccessible.
We do not rule out the possibility that there was foreign interference in the EU referendum
The episode echoes concerns raised during investigations in the United States about whether foreign cyberattacks affected presidential elections. U.S. intelligence agencies have accused state-linked Russian actors of hacking to influence political outcomes.
DDoS attacks have become both more frequent and more powerful in recent years, driven in part by botnets such as Mirai that exploit insecure Internet of Things (IoT) devices. One notable assault on the DNS provider Dyn last year generated a record peak of 1.2 terabits per second, disrupting services including Twitter, PlayStation Network, and GitHub. Recent reporting has also discussed efforts by some individuals to combat insecure devices by deploying malware that disables vulnerable equipment before it can be co-opted into a botnet.
“We do not rule out the possibility that there was foreign interference in the EU referendum caused by a DDoS using botnets, though we do not believe that any such interference had any material effect on the outcome of the EU referendum,” MPs stated in the report.
Turnout for the referendum was higher than in many previous national votes, and a larger than usual share of first-time and younger voters took part. Observers suggest younger voters tended to favor remaining in the EU, so any disruption to the registration process could have prevented some of those people from voting.
The committee’s report also criticized the government for displaying a pro-Remain bias. It said the presentation of government analyses, particularly Treasury reports, and the decision to spend £9.3 million on sending a leaflet advocating a Remain vote to every UK household, were inappropriate and potentially counterproductive.
It remains unclear whether the suspected attack or perceived government bias changed the referendum’s outcome. However, events in both the UK and the U.S. underline the need for governments to strengthen defenses against cyber operations by foreign actors seeking to influence major democratic decisions.
Do you think stronger protections are needed to guard against foreign cyberattacks? Share your views in the comments.