‘Ultimately, fewer people will vote’: How the cyber attack on Hackney Council could damage local democracy
On 7 December 2020, Graham Woodruff, 51, a Hackney resident and software engineer, filed a Freedom of Information (FoI) request with the Town Hall. The time limit for a response passed. The long year turned.
On 6 February, Woodruff asked again. This time he added that he wanted the handling of his case to be reviewed. Three days later, his request was denied. Providing him with the information could leave defence mechanisms vulnerable, the council said. It cited 31 (1) (a) – an exemption that applies to ongoing criminal investigations.
Hackney Council is reeling from a serious cyber attack last October that shook its IT department and continues to disrupt many of its services. It is being investigated by the National Cyber Security Centre, National Crime Agency, Information Commissioner’s Office, the Metropolitan Police and others.
By filing an FoI, Woodruff was seeking more clarity on why it happened in the first place. He asked to know what operating systems were being used and about the council’s policy for data back-up at the time of the attack. As a software engineer, he said he knows what it’s like to lose sleep over whether or not his clients’ systems are upgraded and backed up, especially when legacy systems are being used, as was the case with the council.
“Even though I sympathised with them having been hacked and I could see certainly for a month or so that you’d want to just lock everything down, there seemed to be a large amount of data that was actually lost forever, which is what really surprised me,” he said, perplexed by the lack of a back-up.
When the hackers – using software known as PYSA or Mespinsoza – preyed on the council, many services were paralysed whilst the data was being restored. Some of this data was stolen, some data was published online and some data was lost without a means of recovery.
With the irretrievable data, the council has to start again from scratch. One such example is the applications for postal voters, with the Town Hall announcing in January that these would need to be resubmitted as a result of the attack.
Bruce Devile, head of business intelligence, elections and member services, later sent an email to election agents – representatives from parties appointed to liaise on matters of elections – on the 27 January: “Whilst we have been able to rebuild the electoral register following the cyber attack, we have not been able to recover the postal vote application forms.”
Hackney had approximately 31,000 registered postal voters at the time of the hack. The council says more than two thirds of these voters have already reapplied following an extensive communications drive, and it continues to encourage all residents to register for postal voting amid the Covid pandemic.
The Town Hall also reiterated that existing postal voters who do not register again will still be able to vote in person, and that the wider electoral register was unaffected and published as required by law last month.
The elections, postponed last year, are set to go ahead on 6 May. These include the battle for London Mayor, the London Assembly, and council by-elections in the wards of Stamford Hill West, Kings Park, Hoxton East & Shoreditch and Woodberry Down.
In the run-up, there is an undercurrent of a conflict between transparency and security. It is seen in Woodruff’s FoI case, where his quest for transparency was met with silence followed by a denial for security reasons. On the one hand there is a need to win back public trust of those like Woodruff, so that residents feel comfortable to share their data and register for postal votes again or for the first time. On the other, there is a need for secrecy so that not too much is given away whilst systems are being mended.
“Well, these are really hard, hard, hard things to recover from in terms of public trust. Transparency is important; honesty is important,” said Professor Steven Schneider, director of the Surrey Centre for Cyber Security, whose research includes the intersection between cyber security and voting.
Transparency on the part of the council, he added, would mean being open about the lessons learnt and the new defensive measures being put in place for the future. “But it’s not a quick fix,” he empathised.
According to an annual UK-wide study conducted by the Election Commission in 2020 on public attitudes towards voting, people have greater confidence in voting at a polling station (85 per cent) than voting by post (64 per cent). This postal voting figure dropped from 68 per cent in the previous year, which indicates an eroding trust in the practice.
“The cyber-attack has compounded what was already a very difficult situation for the democratic process in Hackney,” said Darren Martin of Hackney Liberal Democrats. The loss of postal voting applications in the cyber attack had undone the efforts to encourage postal voting, considered the safest way to vote in the pandemic.
Martin expressed a commitment to push for postal voting but said that residents he had been speaking to were hesitant to register. “I think what’s happened with the cyber attack is that it’s undermined people’s trust in Hackney Council’s ability to protect their data,” he reflected.
Concerned about a diminished turnout, Martin speculated: “Essentially, it’s going to mean that fewer people register again to vote by post who already used to do it, and it’s going to mean that fewer people register to vote, and that will ultimately mean fewer people will vote, which is obviously to the detriment of the democratic process, and everyone who lives in the borough.”
The local Green Party expressed worry about the wider electorate, particularly those who are not party members and cannot be reached by email.
Its election agent Stefan Liberadzi said the loss in data and the process of re-registering could disenfranchise many vulnerable communities: “I think that’s going to affect all the demographics that are already most excluded from voting and the electoral process, such as ethnic minorities, young people, renters, and people in insecure housing.”
He added that Hackney’s transient population could miss out on the letter from the council reminding them to sign up for postal voting.
The chairman of Hackney Conservatives, Jack Sutcliffe, claimed that a large proportion of their members vote by post and this was a key issue for the party. He echoed the concerns about the cyber attack, but credited the electoral services for doing their part.
“I have huge doubts about the competency of the Hackney Council, but I have been pleased with how proactive the electoral services division has been,” he said.
A Labour Party spokesperson pointed to past council statements on the cyber attack in lieu of an interview.
Some of the vulnerabilities of postal voting highlighted by Steven Schneider include the possibility of coercion, which is very tricky to monitor. Another danger is sending too many ballot forms to the same address. Therefore, it is crucial to manage the electoral register carefully and check the legitimacy of addresses that forms are sent to.
Checking signatures, as Hackney Council does, can mitigate fraud in the process of postal voting.
Bruce Devile, in his email to election agents, said: “When an elector applies for a postal vote they supply a sample signature and date of birth on their application form and it is these which are verified in the postal vote verification process before their ballot paper is accepted.”
He confirmed that it was this data of residents’ signatures and their dates of birth that the council was having trouble in recovering after the attack.
Tim Shields, Hackney Council’s chief executive and electoral registration officer, said: “This serious and sophisticated cyber attack by organised criminals continues to disrupt council services, and I’m sorry for any inconvenience this is causing residents.
“While there remains a live criminal investigation, we are limited in what we can say about the nature of the attack, but our teams are working as hard as possible behind the scenes to restore services safely, in partnership with the National Crime Agency, the Metropolitan Police, and other external experts.
“Safeguarding our democratic processes and running a secure, safe and fair election remains one of our highest priorities. There is no evidence that the data we are asking residents to provide to re-register for postal voting has been stolen or published by the attackers – but we have been transparent that we are unable to access or recover some of the files we hold due to the damage to our systems.
“That’s why we wrote to every registered postal voter in Hackney in January to ask them to register again – supported by a wider communications campaign. More than 21,000 people – two-thirds of existing postal voters – have now re-registered, and more continue to do so every day. I’d encourage everyone to return their form – and we’ll shortly be sending those who haven’t another reminder to do so.
“Through our work to recover the systems that were attacked, we are accelerating the move to modern, cloud-based systems that was already in progress before the attack. This provides industry-leading security for our systems and data, and the council will continue to work with experts to achieve the highest levels of security possible.
“It’s important to note that the rest of our electoral systems are not affected. We’ll continue to encourage more people to register to vote in the coming weeks to ensure as many people take part in May’s elections as possible.”
Local councils have increasingly been victims of ransomware attacks.
“They don’t have the resources to defend, but they still manage information that’s valuable and by which a lot of disruption can be caused,” explained Schneider.
But ultimately, he said, it was a case of human or user frailty; something almost impossible to escape. What is possible is to have strong defences in place to control the damage and to recover from an attack.
With pockets of mysteries in the unfolding case of the cyber attack, the seeds of doubt in public trust and the thick cloud of security that hangs over this season of pandemic elections, the road to 6 May will be formative in paving the relationship between the public and their local government.
To register for a postal vote in Hackney, visit hackney.gov.uk/ways-to-vote to download a form, or contact electoral services at electoralservices@hackney.gov.uk or on 020 8356 3232 for more information. Applications close at 5pm on 20 April.
Update: this article was originally published on 11 March but was republished on 12 March to include a full response from Hackney Council