The Public Administration and Constitutional Affairs Committee of the House of Commons today released a report on lessons learned from the EU referendum. Immediately, the press has seized upon a couple of paragraphs to do with cyber-security, to re-animate the old stories about the referendum being ‘hacked’.
In particular, the MPs claim that it is possible that the outage on the voter registration website was caused by a distributed denial-of-service (DDoS) attack. They offer no evidence for the assertion. They even admit they don’t have any. Even the internal investigation into the matter concluded that the website outage was caused by an ill-anticipated spike in legitimate traffic as people rushed to register last minute. And a DDoS attack isn’t really ‘hacking’ anyway.
That hasn’t stopped those who are disappointed by the democratic process from seizing on this as a means to call the result of the referendum into question. The irony is clearly lost on them, that they are so intent on showing that democracy was somehow subverted that they themselves are subverting it through tendentious reporting and misrepresenting fact.
But there is a very valid point in the HoC report. It is established beyond doubt that there was interference surrounding the US election, which could be traced back to threat groups such as APT-28, themselves linked to the Russian government. What has not been shown beyond doubt, and probably couldn’t be, is whether or not this interference had any tangible impact on the outcome.
Now misinformation is a valid concern. Evidence shows that a sizeable number of tweets during the referendum campaign were generated by accounts using ‘heavy automation’; interestingly, the proportion was approximately the same for both sides: 15.1% for Remain-related hashtags, and 14.7% for Leave-related hashtags, although the absolute number of pro-Brexit accounts was larger (both bot and human).
But simply because bots are used to amplify messages doesn’t mean much by itself, if one is seeking to delegitimise a result as being down to foreign interference. There are a host of other factors which have to align: the messages must be misleading; they must have had a measurable impact on the result; and they must be linked back to a foreign threat actor. None of this has been done. And again, misinformation itself isn’t ‘hacking’.
While the Home Secretary is floundering around attempting to censor the uncensorable, wasting her time and that of tech companies prattling on about necessary hashtags and attempting to prevent ISIS videos being uploaded, she should be looking to protect the nation from threats such as these. The threat of election interference is real, albeit the effectiveness is not known. And it goes far more to the heart of our democracy than rampaging extremists armed with hire cars and kitchen knives, as heinous as such attacks may be.
Handling ‘active measures’ campaigns is a complicated and delicate matter. Some information needed to combat this activity might well be derived from secret intelligence, from the security services. Other information can come from commercial players: security researchers, technology experts, etc. And social media companies themselves have a role to play, as they have access to various metrics which can be used to differentiate bot traffic from legitimate human postings.
But this must also be conducted in the open. If it is a secret operation, presided over by intelligence agencies (who do possess capabilities for both generating and countering online narratives), then there is a clear conflict of interest: what would the proper position have been for the agencies during the Brexit campaign? They are as much a branch of the civil service as any other, and therefore it would have been inappropriate to intervene on either side.
The delegitimising effect would be just as great if it was discovered that domestic intelligence services had intervened as it would if it were foreign. One need only look across the Atlantic to see the damage done to the public image of the intelligence community there as accusations and counter-accusations are thrown about, even though there is no evidence of bad faith or that the agencies did anything other than try to defend against potential threats.
Thus if the Home Secretary is to be engaging with social media companies, it should be about these matters. There is a strong public interest in understanding the nature of the threat and its extent, and in having credible reassurance that the necessary measures are in place to avert it, without compromising free expression or the level playing field of political campaigning. And above all, the defence must be guided by principles of verifiable neutrality and transparency, for a clear Achilles’ heel of liberal democracies is public trust in the process, and it is weak spots such as these on which our adversaries will seek to capitalise.
Brexit wasn’t ‘hacked’. But future campaigns may well be, and it would behoove us to be prepared.
Stephen is a Policy Analyst for Conservatives for Liberty. A pragmatic minarchist and instinctual conservative, he likes free speech, free markets, and free people. Follow him on Twitter: @
The views expressed in this article are those of the author and do not necessarily reflect the views of Conservatives for Liberty.