UK gov't asleep at the wheel on Russia cyber ops threat, report warns

Natasha Lomas
A person uses a laptop computer with illuminated English and Russian Cyrillic character keys in this arranged photograph in Moscow, Russia, on Thursday, March 14, 2019. Russian internet trolls appear to be shifting strategy in their efforts to disrupt the 2020 U.S. elections, promoting politically divisive messages through phony social media accounts instead of creating propaganda themselves, cybersecurity experts say. Photographer: Andrey Rudakov/Bloomberg via Getty Images

The UK lacks a comprehensive and cohesive high level strategy to respond to the cyber threat posed by Russia and other hostile states using online disinformation and influence ops to target democratic institutions and values, a parliamentary committee has warned in a long-delayed report that's finally been published today.

"The UK is clearly a target for Russia’s disinformation campaigns and political influence operations and must therefore equip itself to counter such efforts," the committee warns, calling for legislation to tackle the multi-pronged threat posed by hostile foreign influence operations in the digital era.

The report also urges the government to do the leg work of attributing state-backed cyber attacks -- recommending a tactic of 'naming and shaming' perpetrators, while recognizing that UK agencies have, since the WannaCry attack, been more willing to publicly attribute a cyber attack to a state actor like Russia than they were in decades past. (Last week the government did just that in relation to COVID-19 vaccine R&D efforts -- attacking Russia for targeting the work with custom malware, as UK ministers sought to get out ahead of the committee's recommendations.)

"Russia’s cyber capability, when combined with its willingness to deploy it in a malicious capacity, is a matter of grave concern, and poses an immediate and urgent threat to our national security," the committee warns.

On the threat posed to democracy by state-backed online disinformation and influence campaigns, the committee also points a finger of blame at social media giants for "failing to play their part".

"It is the social media companies which hold the key and yet are failing to play their part," the committee writes, urging the government to establish "a protocol" with platform giants to ensure they "take covert hostile state use of their platforms seriously, and have clear timescales within which they commit to removing such material".

"Government should ‘name and shame’ those which fail to act," the committee adds, suggesting such a protocol could be "usefully expanded" to other areas where the government is seeking action from platforms giants.

Russia report

The Intelligence and Security Committee (ISC) prepared the dossier for publication last year, after conducting a lengthy enquiry into Russian state influence in the UK -- including examining how money from Russian oligarchs flows into the country, and especially into London, via wealthy ex-pats and their establishment links; as well as looking at Russia's use of hostile cyber operations to attempt to influence UK elections.

UK prime minister Boris Johnson blocked publication ahead of last year's general election -- meaning it's taken a full nine months for the report to make it into the public domain, despite then committee chair urging publication ahead of polling day. The UK's next election, meanwhile, is not likely for some half a decade's time. (Related: Johnson was able to capitalize on unregulated social media ads during his own election campaign last year, so, er... )

The DCMS committee, which was one of the bodies that submitted evidence to the ISC's inquiry, has similarly been warning for years about the threats posed to democracy by online disinformation and political targeting -- as have the national data watchdog and others. Yet successive Conservative-led governments have failed to act on urgent recommendations in this area.

Last year ministers set out a proposal to regulate a broad swathe of 'online harms', although the focus is not specifically on political disinformation -- and draft legislation still hasn't been laid before parliament.

"The clearest requirement for immediate action is for new legislation," the ISC committee writes of the threat posed by Russia. "The Intelligence Community must be given the tools it needs and be put in the best possible position if it is to tackle this very capable adversary, and this means a new statutory framework to tackle espionage, the illicit financial dealings of the Russian elite and the ‘enablers’ who support this activity."

The report labels foreign disinformation operations and online influence campaigns something of a "hot potato" no UK agency wants to handle. A key gap the report highlights is this lack of ministerial responsibility for combating the democratic threat posed by hostile foreign states, leveraging connectivity to spread propaganda or deploy malware.

"Protecting our democratic discourse and processes from hostile foreign interference is a central responsibility of Government, and should be a ministerial priority," the committee writes, flagging both the lack of central, ministerial responsibility and a reluctance by the UK's intelligence and security agencies to involve themselves in actively defending democratic processes.

"Whilst we understand the nervousness around any suggestion that the intelligence and security Agencies might be involved in democratic processes – certainly a fear that is writ large in other countries – that cannot apply when it comes to the protection of those processes. And without seeking in any way to imply that DCMS [the Department for Digital, Culture, Media and Sport] is not capable, or that the Electoral Commission is not a staunch defender of democracy, it is a question of scale and access. DCMS is a small Whitehall policy department and the Electoral Commission is an arm’s length body; neither is in the central position required to tackle a major hostile state threat to our democracy."

Last July the government did announce what it called its Defending Democracy programme, which -- per the ISC committee report -- is intended to "co-ordinate work on protecting democratic discourse and processes from interference under the leadership of the Cabinet Office, with the Chancellor of the Duchy of Lancaster and the Deputy National Security Adviser holding overall responsibility at ministerial and official level respectively".

However the committee points out this structure is "still rather fragmented", noting that at least ten separate teams are involved across government.

It also questions the level of priority being attached to the issue, writing that: "It seems to have been afforded a rather low priority: it was signed off by the National Security Council only in February 2019, almost three years after the EU referendum campaign and the US presidential election which brought these issues to the fore."

"In the Committee’s view, a foreign power seeking to interfere in our democratic processes – whether it is successful or not – cannot be taken lightly; our democracy is intrinsic to our country’s success and well-being and any threat to it must be treated as a serious national security issue by those tasked with defending us," it adds.

The lack of an overarching ministerial body invested with central responsibility to tackle online threats to democracy goes a long way to explaining the damp squib of a response around breaches of UK election law which relate to the Brexit vote -- when social media platforms were used to funnel in dark money to fund digital ads aimed at influencing the outcome of what should have been a UK-only vote.

(A redacted footnote in the report touches on the £8M donation by Arron Banks to the Leave.EU campaign -- "the biggest donor in British political history"; noting how the Electoral Commission, which had been investigating the source of the donation, referred the case to the National Crime Agency -- "which investigated it ***" [redacting any committee commentary on what was or was not found by the NCA]; before adding: "In September 2019, the National Crime Agency announced that it had concluded the investigation, having found no evidence that any criminal offences had been committed under the Political Parties, Elections and Referendums Act 2000 or company law by any of the individuals or organisations referred to it by the Electoral Commission.")

"The regulation of political advertising falls outside this Committee’s remit," the ISC report adds, under a brief section on 'Political advertising on social media'. "We agree, however, with the DCMS Select Committee’s conclusion that the regulatory framework needs urgent review if it is to be fit for purpose in the age of widespread social media.

"In particular, we note and affirm the Select Committee’s recommendation that all online political adverts should include an imprint stating who is paying for it. We would add to that a requirement for social media companies to co-operate with MI5 where it is suspected that a hostile foreign state may be covertly running a campaign."

On Brexit itself, and the heavily polarizing question of how much influence Russia was able to exert over the UK's vote to leave the European Union, the committee suggests this would be "difficult" or even "impossible" to assess. But it emphasizes: "it is important to establish whether a hostile state took deliberate action with the aim of influencing a UK democratic process, irrespective of whether it was successful or not."

The report then goes on to query the lack of evidence of an attempt by the UK government or security agencies to do just that.

In one interesting -- and heavily redacted paragraph -- the committee notes it sought to ascertain whether UK intelligence agencies hold "secret intelligence" that might support or supplement open source studies that have pointed to attempts by Russia to influence the Brexit vote -- but was sent only a very brief response.

Here the committee writes:

In response to our request for written evidence at the outset of the Inquiry, MI5 initially provided just six lines of text. It stated that ***, before referring to academic studies. This was noteworthy in terms of the way it was couched (***) and the reference to open source studies ***. The brevity was also, to us, again, indicative of the extreme caution amongst the intelligence and security Agencies at the thought that they might have any role in relation to the UK’s democratic processes, and particularly one as contentious as the EU referendum. We repeat that this attitude is illogical; this is about the protection of the process and mechanism from hostile state interference, which should fall to our intelligence and security Agencies.

The report also records a gap in the government's response on this issue -- with the committee being told of no active attempt by government to understand whether or not UK elections have been targeted by Russia.

"The written evidence provided to us appeared to suggest that HMG had not seen or sought evidence of successful interference in UK democratic processes or any activity that has had a material impact on an election, for example influencing results," it writes.

A later redacted paragraph indicates an assessment by the committee that the government failed to fully take into account open source material which had indicated attempts to influence Brexit (such as the studies of attempts to influence the referendum using Russia state mouthpieces RT and Sputnik; or via social media campaigns).

"Given that the Committee has previously been informed that open source material is now fully represented in the Government’s understanding of the threat picture, it was surprising to us that in this instance it was not," the committee adds.

The committee also raises an eyebrow at the lack of any post-referendum analysis of Russian attempts to influence the vote by UK intelligence agencies -- which it describes as in "stark contrast" to the US agency response following the revelations of Russian disops targeted at the 2016 US presidential election.

"Whilst the issues at stake in the EU referendum campaign are less clear-cut, it is nonetheless the Committee’s view that the UK Intelligence Community should produce an analogous assessment of potential Russian interference in the EU referendum and that an unclassified summary of it be published," it suggests.

In other recommendations related to Russia's "offensive cyber" capabilities, the committee reiterates that there's a need for "a common international approach" to tackling the threat.

"It is clear there is now a pressing requirement for the introduction of a doctrine, or set of protocols, to ensure that there is a common approach to Offensive Cyber. While the UN has agreed that international law, and in particular the UN Charter, applies in cyberspace, there is still a need for a greater global understanding of how this should work in practice," it writes, noting that it made the same recommendation in its 2016-17 annual
report.

"It is imperative that there are now tangible developments in this area in light of the increasing threat from Russia (and others, including China, Iran and the Democratic People’s Republic of Korea). Achieving a consensus on this common approach will be a challenging process, but as a leading proponent of the Rules Based International Order it is essential that the UK helps to promote and shape Rules of Engagement, working
with our allies."

The security-cleared committee notes that the public report is a redacted summary of a more detailed dossier it felt unable to publish on account of classified information and the risk of Russia being able to use it to glean too much intelligence on the level of UK intelligence of its activities. Hence opting for a more truncated (and redacted) document than it would usually publish -- which again raises questions over why Johnson sought repeatedly to delay publication.

Plenty of sections of the report contain a string of asterisk at a crucial point, eliding strategic specifics (e.g. this paragraph on exactly how Russia is targeting critical UK infrastructure: "Russia has also undertaken cyber pre-positioning activity on other nations’ Critical National Infrastructure (CNI). The National Cyber Security Centre (NCSC) has advised that there is *** Russian cyber intrusion into the UK’s CNI – particularly marked in the *** sectors.)")

Most recently Number 10 sought to influence the election of the ISC committee chair by seeking to parachute a preferred candidate into the seat -- which could have further delayed publication of the report. However the attempt at stacking the committee was thwarted when new chair, Conservative MP Julian Lewis, sided with opposition MPs to vote for himself. After which the newly elected committee voted unanimously to release the Russia report before the summer recess of parliament, avoiding another multi-month delay.

Another major chunk of the report, which tackles the topic of Russian expatriate oligarchs and their money; how they've been welcomed into UK society with "open arms", enabling their illicit finance to be recycled through "the London ‘laundromat’, and to find its way inexorably into political party coffers, may explain the government's reluctance for the report to be made public.

The committee's commentary here makes particularly awkward reading for a political party with major Russian donors. And a prime minister with Russian oligarch friends...

"It is widely recognised that the key to London’s appeal was the exploitation of the UK’s investor visa scheme, introduced in 1994, followed by the promotion of a light and limited touch to regulation, with London’s strong capital and housing markets offering sound investment opportunities," the committee writes, further noting that Russian money was also invested in "extending patronage and building influence across a wide sphere of the British establishment – PR firms, charities, political interests, academia and cultural institutions were all willing beneficiaries of Russian money, contributing to a ‘reputation laundering’ process".

"In brief, Russian influence in the UK is ‘the new normal’, and there are a lot of Russians with very close links to Putin who are well integrated into the UK business and social scene, and accepted because of their wealth," it adds.

You can read the full report here.

Update: Johnson has responded to the report with a short statement in which he writes: "I welcome the report and thank the former Committee for the work that has gone into this; this has clearly been an extensive effort spanning almost two years."

In a detailed written response, the government also welcomed the report and thanked the committee for its work, before going on to claim: "The Government has made clear to the Kremlin that an improvement in relations is only possible if Russia desists from its attacks on the UK and its allies. Meanwhile we will be resolute in defending our country, our democracy, and our values from such Hostile State Activity.

"We do this through a cross-Government Russia Strategy and structures that combine the UK’s diplomatic, intelligence, and military capabilities, its hard and soft power, to maximum effect. We act in concert with our allies, seeking to lead the West’s collective response to hybrid threats to our societies and values. This includes concerted campaigns to counter disinformation, as well as to bear down on illicit finance, combat influence operations, and fend off cyber-attacks."

In remarks addressing the report's critique of the government's approach to combating the threat posed by foreign cyber operations, the government said: "We have made clear that any foreign interference in the UK’s Democratic processes is completely unacceptable. It is, and always will be, an absolute priority to protect the UK against foreign interference, whether from Russia or any other state.

"We have worked with industry, civil society and international partners to implement robust systems to secure our Democratic processes and deter attempts to interfere in it. This work is undertaken with the utmost regard for the freedom of the press, political and parliamentary discourse and freedom of speech. We will always balance the need to secure our Democracy with our duty to uphold our values."

On the committee's recommendation to develop a protocol for dealing with social media companies to ensure they promptly address state-backed disinformation, the government pointed to the work of the Counter Disinformation Unit -- claiming to have established "strong relationships" with platforms which it said have given government units access to "accelerated reporting portals".

"This allows the Government to quickly identify content which is in breach of platform terms and conditions, to ensure that platforms can take appropriate action such as removal of content or suspension of accounts," it wrote. 

It also pointed to the Met police's Counter-Terrorism Internet Referral Unit (CTIRU), which it says has referred more than 310,000 pieces of terrorist content to platforms that have then removed the content since the unit was set up in 2010. 

"The Government has pressed companies to increase the use of technology to automate the detection and removal of content where possible. The Government is also working in partnership with UK Data Science companies to develop technical solutions to aid in quicker detection and removal of terrorist content and offer these free of charge, to enable companies to take quicker action on terrorist content," it added.

"The Government’s relationship with the social media companies continues to evolve. In the context of the COVID-19 response, we are learning valuable lessons which will be applied to our future approach to countering disinformation and other forms of online manipulation. While the Government welcomes the actions taken by social media companies thus far, including the cooperation they have shown in tackling these issues together, there still issues to be addressed. DCMS will continue pushing platforms to take the actions necessary to improve and safeguard the information environment."

On digital advertising the government said it is "considering how best to take forward our work in this area", following the 2019 election (which it admitted last week had been targeted by Russian disops).

"Government has committed to increasing transparency over who is promoting material online. This will be addressed as part of our proposed digital imprints regime," it added. "Through new imprints on digital election material, we will strengthen trust and ensure people are informed about who is behind online election material. We will continue to strive to uphold transparency in the digital campaigning framework. The Cabinet Office is taking forward work in this area."

On Brexit, it reiterates a claim that: "We have seen no evidence of successful interference in the EU Referendum" -- before going on to reject the idea of opening an investigation by arguing "a retrospective assessment of the EU Referendum is not necessary".

However, given the committee's critique is that the government has avoided investigating whether there was successful interference in the UK's EU referendum, its rejection of a probe on the grounds of 'not having seen any evidence' is of course pure sophistry.

On the problem of illicit finance and the committee's call for new legislation to tackle foreign influence threats, the government also claims to already be hard at work.

"The Government committed in the December 2019 Queen’s Speech to introduce legislation to provide the security services and law enforcement agencies with the tools they need to disrupt this hostile activity," it wrote. "The Home Office leads on this and is considering several measures for introduction via new primary legislation to make the UK a harder environment for adversaries to operate in."

"The Government is also considering legislation which, when implemented, would strengthen the UK’s defences against illicit finance in general, and not specifically in relation to Russian elites. This includes reforms to strengthen the powers of Companies House; to the law governing Limited Partnerships, to make them less open to abuse in money laundering; as well as to establish a register of beneficial ownership information of foreign companies owning UK property," it added.