UK gov’t asleep at the wheel on Russia cyber ops threat, report warns

The UK lacks a comprehensive and cohesive high level strategy to respond to the cyber threat posed by Russia and other hostile states using online disinformation and influence ops to target democratic institutions and values, a parliamentary committee has warned in a long-delayed report that’s finally been published today.

“The UK is clearly a target for Russia’s disinformation campaigns and political influence operations and must therefore equip itself to counter such efforts,” the committee warns, calling for legislation to tackle the multi-pronged threat posed by hostile foreign influence operations in the digital era.

The report also urges the government to do the leg work of attributing state-backed cyber attacks — recommending a tactic of ‘naming and shaming’ perpetrators, while recognizing that UK agencies have, since the WannaCry attack, been more willing to publicly attribute a cyber attack to a state actor like Russia than they were in decades past. (Last week the government did just that in relation to COVID-19 vaccine R&D efforts — attacking Russia for targeting the work with custom malware, as UK ministers sought to get out ahead of the committee’s recommendations.)

“Russia’s cyber capability, when combined with its willingness to deploy it in a malicious capacity, is a matter of grave concern, and poses an immediate and urgent threat to our national security,” the committee warns.

On the threat posed to democracy by state-backed online disinformation and influence campaigns, the committee also points a finger of blame at social media giants for “failing to play their part”.

“It is the social media companies which hold the key and yet are failing to play their part,” the committee writes, urging the government to establish “a protocol” with platform giants to ensure they “take covert hostile state use of their platforms seriously, and have clear timescales within which they commit to removing such material”.

“Government should ‘name and shame’ those which fail to act,” the committee adds, suggesting such a protocol could be “usefully expanded” to other areas where the government is seeking action from platforms giants.

Russia report

The Intelligence and Security Committee (ISC) prepared the dossier for publication last year, after conducting a lengthy enquiry into Russian state influence in the UK — including examining how money from Russian oligarchs flows into the country, and especially into London, via wealthy ex-pats and their establishment links; as well as looking at Russia’s use of hostile cyber operations to attempt to influence UK elections.

UK prime minister Boris Johnson blocked publication ahead of last year’s general election — meaning it’s taken a full nine months for the report to make it into the public domain, despite then committee chair urging publication ahead of polling day. The UK’s next election, meanwhile, is not likely for some half a decade’s time. (Related: Johnson was able to capitalize on unregulated social media ads during his own election campaign last year, so, er… )

The DCMS committee, which was one of the bodies that submitted evidence to the ISC’s inquiry, has similarly been warning for years about the threats posed to democracy by online disinformation and political targeting — as have the national data watchdog and others. Yet successive Conservative-led governments have failed to act on urgent recommendations in this area.

Last year ministers set out a proposal to regulate a broad swathe of ‘online harms’, although the focus is not specifically on political disinformation — and draft legislation still hasn’t been laid before parliament.

“The clearest requirement for immediate action is for new legislation,” the ISC committee writes of the threat posed by Russia. “The Intelligence Community must be given the tools it needs and be put in the best possible position if it is to tackle this very capable adversary, and this means a new statutory framework to tackle espionage, the illicit financial dealings of the Russian elite and the ‘enablers’ who support this activity.”

The report labels foreign disinformation operations and online influence campaigns something of a “hot potato” no UK agency wants to handle. A key gap the report highlights is this lack of ministerial responsibility for combating the democratic threat posed by hostile foreign states, leveraging connectivity to spread propaganda or deploy malware.

“Protecting our democratic discourse and processes from hostile foreign interference is a central responsibility of Government, and should be a ministerial priority,” the committee writes, flagging both the lack of central, ministerial responsibility and a reluctance by the UK’s intelligence and security agencies to involve themselves in actively defending democratic processes.

“Whilst we understand the nervousness around any suggestion that the intelligence and security Agencies might be involved in democratic processes – certainly a fear that is writ large in other countries – that cannot apply when it comes to the protection of those processes. And without seeking in any way to imply that DCMS [the Department for Digital, Culture, Media and Sport] is not capable, or that the Electoral Commission is not a staunch defender of democracy, it is a question of scale and access. DCMS is a small Whitehall policy department and the Electoral Commission is an arm’s length body; neither is in the central position required to tackle a major hostile state threat to our democracy.”

Last July the government did announce what it called its Defending Democracy programme, which — per the ISC committee report — is intended to “co-ordinate work on protecting democratic discourse and processes from interference under the leadership of the Cabinet Office, with the Chancellor of the Duchy of Lancaster and the Deputy National Security Adviser holding overall responsibility at ministerial and official level respectively”.

However the committee points out this structure is “still rather fragmented”, noting that at least ten separate teams are involved across government.

It also questions the level of priority being attached to the issue, writing that: “It seems to have been afforded a rather low priority: it was signed off by the National Security Council only in February 2019, almost three years after the EU referendum campaign and the US presidential election which brought these issues to the fore.”

“In the Committee’s view, a foreign power seeking to interfere in our democratic processes – whether it is successful or not – cannot be taken lightly; our democracy is intrinsic to our country’s success and well-being and any threat to it must be treated as a serious national security issue by those tasked with defending us,” it adds.

The lack of an overarching ministerial body invested with central responsibility to tackle online threats to democracy goes a long way to explaining the damp squib of a response around breaches of UK election law which relate to the Brexit vote — when social media platforms were used to funnel in dark money to fund digital ads aimed at influencing the outcome of what should have been a UK-only vote.

(A redacted footnote in the report touches on the £8M donation by Arron Banks to the Leave.EU campaign — “the biggest donor in British political history”; noting how the Electoral Commission, which had been investigating the source of the donation, referred the case to the National Crime Agency — “which investigated it ***” [redacting any committee commentary on what was or was not found by the NCA]; before adding: “In September 2019, the National Crime Agency announced that it had concluded the investigation, having found no evidence that any criminal offences had been committed under the Political Parties, Elections and Referendums Act 2000 or company law by any of the individuals or organisations referred to it by the Electoral Commission.”)

“The regulation of political advertising falls outside this Committee’s remit,” the ISC report adds, under a brief section on ‘Political advertising on social media’. “We agree, however, with the DCMS Select Committee’s conclusion that the regulatory framework needs urgent review if it is to be fit for purpose in the age of widespread social media.

“In particular, we note and affirm the Select Committee’s recommendation that all online political adverts should include an imprint stating who is paying for it. We would add to that a requirement for social media companies to co-operate with MI5 where it is suspected that a hostile foreign state may be covertly running a campaign.”

On Brexit itself, and the heavily polarizing question of how much influence Russia was able to exert over the UK’s vote to leave the European Union, the committee suggests this would be “difficult” or even “impossible” to assess. But it emphasizes: “it is important to establish whether a hostile state took deliberate action with the aim of influencing a UK democratic process, irrespective of whether it was successful or not.”

The report then goes on to query the lack of evidence of an attempt by the UK government or security agencies to do just that.

In one interesting — and heavily redacted paragraph — the committee notes it sought to ascertain whether UK intelligence agencies hold “secret intelligence” that might support or supplement open source studies that have pointed to attempts by Russia to influence the Brexit vote — but was sent only a very brief response.

Here the committee writes:

In response to our request for written evidence at the outset of the Inquiry, MI5 initially provided just six lines of text. It stated that ***, before referring to academic studies. This was noteworthy in terms of the way it was couched (***) and the reference to open source studies ***. The brevity was also, to us, again, indicative of the extreme caution amongst the intelligence and security Agencies at the thought that they might have any role in relation to the UK’s democratic processes, and particularly one as contentious as the EU referendum. We repeat that this attitude is illogical; this is about the protection of the process and mechanism from hostile state interference, which should fall to our intelligence and security Agencies.

The report also records a gap in the government’s response on this issue — with the committee being told of no active attempt by government to understand whether or not UK elections have been targeted by Russia.

“The written evidence provided to us appeared to suggest that HMG had not seen or sought evidence of successful interference in UK democratic processes or any activity that has had a material impact on an election, for example influencing results,” it writes.

A later redacted paragraph indicates an assessment by the committee that the government failed to fully take into account open source material which had indicated attempts to influence Brexit (such as the studies of attempts to influence the referendum using Russia state mouthpieces RT and Sputnik; or via social media campaigns).

“Given that the Committee has previously been informed that open source material is now fully represented in the Government’s understanding of the threat picture, it was surprising to us that in this instance it was not,” the committee adds.

The committee also raises an eyebrow at the lack of any post-referendum analysis of Russian attempts to influence the vote by UK intelligence agencies — which it describes as in “stark contrast” to the US agency response following the revelations of Russian disops targeted at the 2016 US presidential election.

“Whilst the issues at stake in the EU referendum campaign are less clear-cut, it is nonetheless the Committee’s view that the UK Intelligence Community should produce an analogous assessment of potential Russian interference in the EU referendum and that an unclassified summary of it be published,” it suggests.

In other recommendations related to Russia’s “offensive cyber” capabilities, the committee reiterates that there’s a need for “a common international approach” to tackling the threat.

“It is clear there is now a pressing requirement for the introduction of a doctrine, or set of protocols, to ensure that there is a common approach to Offensive Cyber. While the UN has agreed that international law, and in particular the UN Charter, applies in cyberspace, there is still a need for a greater global understanding of how this should work in practice,” it writes, noting that it made the same recommendation in its 2016-17 annual
report.

“It is imperative that there are now tangible developments in this area in light of the increasing threat from Russia (and others, including China, Iran and the Democratic People’s Republic of Korea). Achieving a consensus on this common approach will be a challenging process, but as a leading proponent of the Rules Based International Order it is essential that the UK helps to promote and shape Rules of Engagement, working
with our allies.”

The security-cleared committee notes that the public report is a redacted summary of a more detailed dossier it felt unable to publish on account of classified information and the risk of Russia being able to use it to glean too much intelligence on the level of UK intelligence of its activities. Hence opting for a more truncated (and redacted) document than it would usually publish — which again raises questions over why Johnson sought repeatedly to delay publication.

Plenty of sections of the report contain a string of asterisk at a crucial point, eliding strategic specifics (e.g. this paragraph on exactly how Russia is targeting critical UK infrastructure: “Russia has also undertaken cyber pre-positioning activity on other nations’ Critical National Infrastructure (CNI). The National Cyber Security Centre (NCSC) has advised that there is *** Russian cyber intrusion into the UK’s CNI – particularly marked in the *** sectors.)”)

Most recently Number 10 sought to influence the election of the ISC committee chair by seeking to parachute a preferred candidate into the seat — which could have further delayed publication of the report. However the attempt at stacking the committee was thwarted when new chair, Conservative MP Julian Lewis, sided with opposition MPs to vote for himself. After which the newly elected committee voted unanimously to release the Russia report before the summer recess of parliament, avoiding another multi-month delay.

Another major chunk of the report, which tackles the topic of Russian expatriate oligarchs and their money; how they’ve been welcomed into UK society with “open arms”, enabling their illicit finance to be recycled through “the London ‘laundromat’, and to find its way inexorably into political party coffers, may explain the government’s reluctance for the report to be made public.

The committee’s commentary here makes particularly awkward reading for a political party with major Russian donors. And a prime minister with Russian oligarch friends

“It is widely recognised that the key to London’s appeal was the exploitation of the UK’s investor visa scheme, introduced in 1994, followed by the promotion of a light and limited touch to regulation, with London’s strong capital and housing markets offering sound investment opportunities,” the committee writes, further noting that Russian money was also invested in “extending patronage and building influence across a wide sphere of the British establishment – PR firms, charities, political interests, academia and cultural institutions were all willing beneficiaries of Russian money, contributing to a ‘reputation laundering’ process”.

“In brief, Russian influence in the UK is ‘the new normal’, and there are a lot of Russians with very close links to Putin who are well integrated into the UK business and social scene, and accepted because of their wealth,” it adds.

You can read the full report here.