How rule to let Tories vote twice for new leader led to cyber hack alarm bells

Conservative voters selecting Britain’s next leader have raised the alarm over fears of hostile state interference in their voting system after a dramatic intervention by the security services . Fears that Russia, China or Iran could hack into the poll and influence who becomes the next prime minister led to the last-minute change. Concerns were raised by surveillance chiefs at GCHQ over the potential for hackers to break into a system and give the 160,000 Conservative members the ability to vote twice. Originally the party had allowed members to vote by post ― in ballot papers that were supposed to arrive on Monday ― but they were able to change their vote online if they wanted to reverse their original decision. However, there were security concerns that hackers could break into the online poll and change the outcome as the voting came to an end. Members will now be sent a one-time code to vote by post or digitally, which will then be deactivated once a vote has been registered. The concerns prompted Conservative Central HQ to delay issuing the ballot papers, potentially until August 11. The setback will raise questions over the process and the six-week period between the final vote by MPs last month and the announcement of a new prime minister on September 5. But it might also give Rishi Sunak the opportunity to make up ground on opponent Liz Truss, who has surged in opinion polls, with the latest survey putting her 34 points clear of the former chancellor. The change is an embarrassment for the party after it had to take advice from the National Cyber Security Centre that is attached to GCHQ. It is understood that an assessment was carried out on the vulnerability of the system to hacking, especially after Russian interference in the 2016 and 2020 US presidential elections. It was the unusual "vote twice" system that the Conservatives allowed that is understood to be the greatest vulnerability, although there has been no evidence of any hacking attempts as yet. The voting system will now be adjusted so that members will be able to lodge only a single vote, either by post or online. They will not be allowed to make their vote early, then change their mind towards the end of the contest and vote a second time. Conservative members were told of the delay in a message from party headquarters on Tuesday evening. “Your ballot is now on the way ― but it will arrive with you a little later than we originally said. Please do not worry,” the letter said. “This is because we have taken some time to add some additional security to our ballot process, which has delayed us slightly.” Party members were told that “once used, your codes are invalid and you won't be able to re-enter the site”, confirming that they are now allowed only a single vote. Those using the postal ballot for their vote were told “we will deactivate your online codes, reducing the risk of any fraud”, meaning they cannot vote twice. The membership is largely baffled by the letter, asking questions about what the security issues might be. “It was quite odd receiving the message as we had expected to be voting by now,” one member told The National . “But it always seemed a highly unusual process for us to be able to vote twice, something that could always be vulnerable to fraud. It is concerning that GCHQ believes that a country like Russia could interfere in electing the next prime minister. But probably, like me, it’s not entirely clear who they would plump for.” Lord Peter Cruddas, a former party treasurer who has been campaigning to keep Boris Johnson in office, said the leadership contest should be suspended as a result of the cyber security concerns. “If the members vote to keep Boris, then there is no need for a leadership campaign and no more cyber security threats,” he said. The NCSC told The National that it was a priority to defend Britain’s democratic electoral process. “We work closely with all parliamentary political parties, local authorities and MPs to provide cyber security guidance and support,” a spokesman said. “As you would expect from the UK’s national cyber security authority, we provided advice to the Conservative Party on security considerations for online leadership voting.” Questions have also been raised over the undue length of the six-week campaign, during which the two candidates will undertake 12 hustings. But it is understood that there are no plans to shorten the contest, with the deadline for votes to arrive by post or online set for 5pm on September 2. “This does raise the question of whether this process was put in place so that Boris Johnson could remain in Downing Street as long as he possibly could,” the Tory source said. “It also raises the prospect that whichever candidate is successful will be exhausted when they become prime minister, just as the country faces a severely challenging energy and economic situation.”

How rule to let Tories vote twice for new leader led to cyber hack alarm bells

Surveillance experts warn party of potential security threat from cyber agents in hostile states