
From breach to resilience: How the Electoral Commission rebuilt its cyber defences

The UK's Electoral Commission fell victim to a major cyber attack in 2022. Three years on, the organisation is reflecting on its experience and sharing the lessons it learned to help others improve their security resilience.

When most people think of critical national infrastructure (CNI), they tend to picture energy grids, transport networks, or hospitals. But the UK’s electoral system belongs firmly in that category too. It underpins our democracy, so protecting it from those who seek to disrupt our elections is an essential task. And the threat is real.

Around the world, electoral systems have faced a sharp rise in cyber-attacks in recent years. The UK experienced this first-hand in October 2022 when the Electoral Commission discovered its systems had been accessed in a sophisticated breach. While the attack did not affect the security of our elections, it exposed a number of vulnerabilities in the Commission’s systems and reminded us, and the wider IT community, how underinvestment can leave public bodies exposed.

Like many intrusions, the breach went undetected for longer than it should have. Our protections at the time were not strong enough to prevent the attack, and it took us too long to uncover it. But recognising the scale of the problem became the catalyst for major change. We were able to act quickly alongside the National Cyber Security Centre (NCSC) to remove the compromised systems, clean our network, and eventually rebuild our security infrastructure from the ground up. From the outset we knew this could not be about patching over weaknesses; it had to be the start of a long-term programme of resilience.

Computer Weekly coverage of the Electoral Commission cyber attack

  • An unknown threat actor who attacked the UK’s Electoral Commission had access to data on millions of UK voters for over a year, the watchdog has revealed.
  • The Electoral Commission failed an NCSC Cyber Essentials audit on multiple counts at about the same time as cyber criminals breached its systems in 2021, it has emerged.
  • UK government identifies Chinese state-linked hackers as likely to have been behind attack on the Electoral Commission.

Even before the incident, we had begun a wide-ranging programme of security improvements. Since then, we have accelerated and expanded this work: moving our infrastructure to the cloud, enforcing multi-factor authentication (MFA), upgrading to Office 365 E5 licences, and deploying 24/7 monitoring services. Staff now undergo continuous training, and we have signed up to the NCSC’s early warning system to detect threats before they escalate. We have tripled our annual spend on cyber security and embedded it into every aspect of how we operate. As well as commanding the confidence of the NCSC and the Information Commissioner’s Office, our improved IT systems have now received Cyber Essentials Plus certification for the first time, giving us, and our partners, assurance that we are adhering to the highest standards in information security. Taken together, these changes have given us a level of resilience that is better able to meet the challenges we face, challenges that show no sign of abating.

On the day the 2024 UK general election was announced, we blocked two major DDoS attacks on our website, and on polling day itself, our strengthened systems blocked more than 60,000 attempted cyber attacks on our website. This ensured that the million users who visited our site that day were able to find the information they needed about how and where to vote. The lesson for IT leaders is clear: do not mistake your recent successes for the end of the journey. Cyber security is not a destination, but a constant process of monitoring, adapting, and strengthening. The threat landscape evolves daily, and malicious actors innovate just as quickly as the technologies they exploit. Complacency is the most dangerous vulnerability of all.

The Commission’s commitment now extends beyond shoring up our own defences. We are working with the UK’s governments, political parties, and other public bodies to share what we have learned and encourage organisations to strengthen their defences. If we are to maintain public confidence in democracy, every organisation within the electoral community must recognise the risks and be ready to respond to them. The dispersed nature of the UK’s electoral system is one of its strengths, making it harder for any single point of failure to undermine the whole, but that resilience still depends on every part doing its job and functioning correctly.


I would urge peers across IT leadership not to wait for an incident to expose your weaknesses. Invest in resilience now and engage with the right partners. Share learning across sectors. Cyber threats are a reality for us all, in both the public and private sectors. Our security lies in how we prepare and how we respond. For the Commission, the breach of 2021-22 was a wake-up call that provided us with an opportunity to rebuild stronger. Although we have now recovered, we will not take our success for granted. We will continue to ensure our security keeps pace with emerging and existing threats in order to safeguard the democratic process.

Andrew Simpson is head of digital, information, technology and facilities (DITF) at The Electoral Commission.
