EUobserved
MPs and media create Brexit hacking scare
By Peter Teffer
Respectable news agencies from Europe and beyond reported on Wednesday (12 April) that the British referendum that led to the UK's departure from the EU may have been "hacked".
In a news ticker, EUobserver also initially used the word "hacked", which we quickly corrected.
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
-
It should be noted that a DDoS attack is different from hacking. (Photo: Sebastiaan ter Burg)
This shocking revelation was reportedly uncovered by a committee in the UK's House of Commons.
However, the media reports appear to be based on a misunderstanding of digital affairs and have quoted the report out of context.
First of all, the use of the word hacking is incorrect.
The UK parliament's public administration and constitutional affairs committee published a report on Wednesday with the title "Lessons Learned from the EU Referendum".
In chapter 4, the committee discusses “software problems”.
On 7 June 2016, the last day on which voters could register for the in/out referendum, the voter registration website collapsed for several hours.
The committee criticised the website's crash, and stated that the British government “clearly failed to undertake the necessary level of testing and precautions required to mitigate against any such surge in applications”.
In a sentence picked up by international media, the committee said that it “does not rule out the possibility that the crash may have been caused by a DDoS (distributed denial of service attack) using botnets”.
It should be noted that a DDoS attack is different from hacking.
Hacking is the digital equivalent of breaking and entering, and possibly stealing something, whereas a DDoS attack is more like a sit-in that prevents people from accessing a building. They are very common.
Last year, security firm Inerva reported that the UK is on the receiving end of 9.3 percent of the world's DDoS attacks, second only to the US.
According to Kaspersky Lab, a cybersecurity software company, during the first half of 2016 there were some 124,000 DDoS attacks worldwide each week.
The attacker does not usually reveal themselves, and the motive often remains unclear. It could be political, but also commercial, or an act of vandalism.
The hacking narrative gives the impression that the Brexit referendum outcome had been influenced.
While the crashed website would have been very inconvenient, a cyber attack causing it would not have changed any of the votes cast in the 23 June referendum, which was won by the Leave side with 52 percent - leading to Brexit.
The only way that an attack would have had an influence on the outcome, was if voters of one of the two sides were more likely to register in the last minute, and were prevented from registering and thus casting their votes.
No evidence
The committee said that “the crash had indications of being a DDoS (distributed denial of service) ‘attack'”.
But it also wrote that it had “no direct evidence” that any foreign power had tried to influence the referendum, only that “it is important to be aware of the potential”.
While several news outlets used headlines that Russia and China may have been involved, that claim is only based on a single sentence, about the differences in understandings of “cyber”, often a shorthand for cyber warfare.
“The US and UK understanding of ‘cyber’ is predominantly technical and computer-network based. For example, Russia and China use a cognitive approach based on understanding of mass psychology and of how to exploit individuals.”
The committee then goes on to say that it is “deeply concerned about these allegations about foreign interference”, without citing any specific allegations.
To news media that do not read reports so diligently, putting the words Russia and China in the same paragraph that discussed possible foreign interference, was a red flag.
It led to CNBC headlining with "Russia, China could have influenced Brexit vote, lawmakers claim".
While the committee's MPs cannot be blamed for the media taking their words out of context, a report that has “no direct evidence” could have been worded more accurately or clearly.
Saying that you can “not rule out the possibility” that the website crash “may have been caused” by a cyber attacker of unknown origin, is an almost gratuitous statement that could be made by anyone.