Hacking Concerns Delay Balloting for New UK Prime MinisterOnline Voting System Being Revamped Over Concerns Ballots Could Later Be Changed
Voting by Britain's Conservative Party to pick the country's next prime minister has been delayed over fears that online ballots could be altered by hackers.
See Also: 2022 Unit 42 Incident Response Report
The last general election in Britain was held in 2019 and won by a majority of Conservative Party MPs, led by Boris Johnson, who was the incumbent prime minister. An election must take place at least every five years.
As Johnson has announced that he will step down, Tory party members are selecting a new leader, who will serve as prime minister.
The two Tory candidates up for the leadership election are Foreign Secretary Liz Truss and former Finance Minister Rishi Sunak.
Party members can vote via postal ballot or online to pick a candidate. As originally designed, the online system allowed members to change their vote before the deadline.
But as the Telegraph first reported, Britain's National Cyber Security Center has warned the Tory party that the system could be abused by nation-state attackers or other online attackers, although it said it did not know of any active attempts to do so.
As a result, the party is altering the voting process, leading to some delays. Instead of ballots going out Monday, the party says they now may not reach recipients until Aug. 11.
Online Voting Process Revamped
Online voting has been changed so that instead of a Tory party member being able to use their unique code multiple times to change their vote, the code will instead be deactivated after they initially vote.
"The part that caused particular concern was being able to change your vote after submission," says Alan Woodward, professor of computer science at the University of Surrey.
NCSC, which is the public-facing arm of Britain's security, intelligence and cyber agency, GCHQ, confirms that it has been providing guidance to the Tory party.
"As you would expect from the U.K.'s national cybersecurity authority, we provided advice to the Conservative Party on security considerations for online leadership voting," an NCSC spokesperson tells Information Security Media Group. "Defending U.K. democratic and electoral processes is a priority for the NCSC, and we work closely with all parliamentary political parties, local authorities and MPs to provide cybersecurity guidance and support."
The Conservative Party acknowledged the cybersecurity center's input.
"We have consulted with the NCSC throughout this process and have decided to enhance security around the ballot process," a Conservative Party spokesman says. "Eligible members will start receiving ballot packs this week."
New Tory Leader to Be Announced Sept. 5
The ballot closes Sept. 2, and the winner is due to be announced Sept. 5. Election watchers say there appear to be about 160,000 active Tory party members who will be eligible to vote.
Tory party members who live in the U.K. were due to be mailed Monday a ballot pack containing a paper ballot that can be mailed back. Due to the delays, these postal ballots may now not reach recipients until Aug. 11.
"The pack will also contain details of how to vote online and two unique security codes that must be entered in order to do so," according to the Conservative Party's online FAQ for voting for leadership. "We recommend online voting where possible."
The party emphasizes that members cannot vote both online and via post. "It is your choice which method of voting you choose. It is an offense to vote more than once. Any member who attempts to do so will have their membership of the party withdrawn."
Party members qualified to vote in the election who live outside the U.K. had been due on Tuesday to be sent an email "containing a unique, secure link, allowing them to vote online." Those emails have also been delayed, the party says.