12 November 2019, updated 01 Jul 2021 12:52pm

What does and doesn’t matter about the cyberattack on Labour headquarters

A serious cyberattack has happened on a political party – an argument over how Labour describes it is pointless. 

By Stephen Bush

The Labour Party’s website has come under what the party has described as a “sophisticated and large scale cyberattack”, which has re-ignited the row over the government’s delay in publishing a parliamentary select committee’s report into the scale of Russian attempts to interfere with the democratic process, both here in the United Kingdom and further afield.

The incident has also sparked a row over Labour’s use of the word “sophisticated” to describe the attack – a row which badly misses the point and importance of what happened.

The National Cyber Security Centre has classified the attack as a “category six”, the lowest tier of the incidents it deals with, while Cloudflare, the American infosecurity company that Labour employs to manage its cybersecurity, has thus far dealt with the attack very comfortably. Labour was subject to a distributed denial-of-service (DDoS) attack, a cyberattack in which the perpetrators try to make a website go down by overloading its systems, essentially by simulating a website becoming incredibly busy by flooding it with requests from multiple sources.

There are two reasons why this is a bit of a red herring. The first relates to the way that launching a cyberattack is a lot like robbing a house. The second, paradoxically, relates to the ways in which launching a cyberattack is entirely unlike robbing a house.  

It is like robbing a house in that, yes, a sophisticated burglar might be able to climb the five storeys of my flat, clamber onto the balcony, drill a hole through the window, crawl in and rob the place, but no matter how well-equipped a thief they might be, they are highly likely to check if the front door is unlocked first.

If someone robs my flat by breaking in through the front door, it does not mean that they were incapable of breaking in via the balcony. Similarly, an “unsophisticated” cyberattack is not, in and of itself, particularly indicative of whether or not the person or persons involved have the capability to launch a sophisticated cyberattack.

The successful cyberattack on the Democratic National Committee in 2016, which has been repeatedly and credibly linked to state actors, was achieved through unsophisticated means: John Podesta, the chair of the Clinton campaign, was tricked by a phishing email (you know, one of those messages that impersonates a request for information from Google or wherever, takes you to a screen where you enter your name and password, and steals your information that way), an Internet scam pulled off by people in basements with astonishing regularity. The hacking of En Marche in 2017 was done in a way that the French security services described as “so generic and simple that it could have been practically anyone”. We really learn very little about the nature and perpetrator of a cyberattack from its lack of sophistication.

But it is also unlike robbing a house, in that while if I came home today to find a perfectly drilled hole in my balcony window and all my possessions gone, I would have been the victim of a master thief; a sophisticated cyberattack is not necessarily the work of a particularly sophisticated person or of a hostile state.  

I’m reliably informed by multiple sources that the cyberattack on Labour also targeted Contact Creator – the system that holds information about where voters are and whether or not they say they will support the party – and the party’s fundraising information and software, two vital parts of its campaigning infrastructure. That points to its relative sophistication, but does not give us a clear sense of whether it was a state actor, a politically motivated and tech-savvy individual with a grudge, or someone hoping to make money or cause mischief for the fun of it.

What matters in this instance is that Labour’s defences held up pretty well – that’s the good news. The bad news is that someone, for some reason, has launched the first major cyberattack on a political party in the United Kingdom – and that the political discourse around what happened has been sorely lacking.
