The Labour Party’s website has come under what the party has described as a “sophisticated and large scale cyberattack”, which has re-ignited the row over the government’s delay in publishing a parliamentary select committee’s report into the scale of Russian attempts to interfere with the democratic process, both here in the United Kingdom and further afield.
The incident has also sparked a row over Labour’s use of the word “sophisticated” to describe the attack – a row which badly misses the point and importance of what happened.
The National Cyber Security Centre has classified the attack as a “category six”, the lowest tier of the incidents it deals with, while CloudFlare, the American infosecurity company that Labour employs to manage its cybersecurity, has thus far dealt with the attack very comfortably. Labour was subject to a denial-of-service (DDOS) attack, a cyber-attack in which the perpetrator(s) tries to make a website go down by overloading its systems, essentially by simulating a website becoming incredibly busy by flooding it with requests from multiple sources.
There are two reasons why this is a bit of a red herring. The first relates to the way that launching a cyberattack is a lot like robbing a house. The second, paradoxically, relates to the ways in which launching a cyberattack is entirely unlike robbing a house.
It is like robbing a house in that, yes, a sophisticated burglar might be able to climb the five storeys of my flat, clamber onto the balcony, drill a hole through the window, crawl in and rob the place, but no matter how well-equipped a thief they might be, they are highly likely to check if the front door is unlocked first.
If someone robs my flat by breaking in through the front door, it does not mean that they were incapable of breaking in via the balcony. Similarly, an “unsophisticated” cyberattack, is not, in of itself, particularly indicative of whether or not the person or persons involved have the capability to launch a sophisticated cyberattack.
The successful cyberattack on the Democratic National Committee in 2016, which has been repeatedly and credibly linked to state actors, was achieved through unsophisticated means: John Podesta, the chair of the Clinton campaign, was tricked by a phishing email (you know, one of those messages that impersonates a request for information from Google or wherever, takes you to a screen where you enter your name and password, and steals your information that way), an Internet scam pulled off by people in the basements with astonishing regularity. The hacking of En Marche in 2017 was done in a way that the French security services described as “so generic and simple that it could have been practically anyone”. We really learn very little about the nature and perpetrator of a cyberattack from its lack of sophistication.
But it is also unlike robbing a house, in that while if I came home today to find a perfectly drilled hole in my balcony window and all my possessions gone, I would have been the victim of a master thief; a sophisticated cyberattack is not necessarily the work of a particularly sophisticated person or of a hostile state.
I’m reliably informed by multiple sources that the cyberattack also on Labour targeted Contact Creator – the system that holds information about where voters are and whether or not they say they will support the party – and the party’s fundraising information and software, two vital parts of its campaigning infrastructure. That points to its relative sophistication, but does not give us a clear sense of whether it was a state actor, a politically motivated and tech-savvy individual with a grudge, or someone hoping to make money or cause mischief for the fun of it.
What matters in this instance is that Labour’s defences held up pretty well – that’s the good news. The bad news is that someone, for some reason, has launched the first major cyberattack on a political party in the United Kingdom – and that the political discourse around what happened has been sorely lacking.