Government ‘clearly failed’ to properly test Register to Vote site ahead of EU referendum
MPs slam government for lack of clear technical leadership and contingency planning to deal with website collapse
The Register to Vote site crashed two hours before the EU referendum deadline - Photo credit: PA
The government did not carry out enough stress-testing of the Register to Vote website ahead of last year’s European Union referendum and was not prepared to deal with the collapse of the site just hours before the registration deadline, a report has said.
In Lessons Learned from the EU Referendum, the influential Public Administration and Constitutional Affairs Committee said there was a lack of technical leadership, contingency planning and testing related to the site used for voter registration.
The report, which is critical of the motives behind the decision to call the poll, as well as the lack of Whitehall preparation for either of the possible outcomes, makes a series of recommendations for governments to consider ahead of any future elections or referenda.
These include a call for more technical testing to be carried out on the software used for voter registration, following the collapse of the Register to Vote website, which crashed at 10.30pm on 7 June.
This led to a number of people being unable to register and the deadline being extended to midnight on 9 June.
At the time, the crash was blamed on “unprecedented demand” for the service, with 515,256 applications to vote recorded - around 46,000 more than the previous largest number, recorded on 20 April 2015.
Another factor was then identified in a follow-up report from the Electoral Commission: that a large number of the applications were duplicates. Some 38% of those made during the campaign were duplicates, while 46% of the almost 440,000 applications that came in between the original and extended deadlines were duplications.
The committee said that duplications caused an unnecessary administrative burden on registration officers and an equally unnecessary drain on voters’ time.
As such, it recommended that the government develops an online service that allows people to check whether they are already correctly registered to vote.
It acknowledged that there would be a number of technical issues to overcome to deliver such a service - which would have to work across five different IT systems across the country - but said that it would be “invaluable” in preventing a similar future collapse.
‘Gaps in technical ownership’
However, the committee also said that, despite the government’s insistence that the crash was down to a last-minute spike in applications combined with a large number of duplications, this could have been tested and mitigated against.
It pointed to a report by software consultants Equal Experts UK, commissioned by the Cabinet Office, which found that, although the Cabinet Office supported the Register to Vote service “very well”, there were gaps in technical ownership and risk management.
That report said that roles and responsibilities for the site were “unclear” within the Cabinet Office, and that “its technical responsibilities were delegated to multiple suppliers”, which made it “harder for technical issues to be identified and solved (or mitigated)”.
Moreover, the Equal Experts UK report found that testing of the website was “limited, and the conclusions drawn from the results were not sufficiently detailed or tested”, and that when load testing resulted in system performance issues, “it was assumed that such a load would not occur”.
Had the system been tested to the point of destruction, such issues would have been flagged up, the report said.
The MPs indicated that they agreed with the report’s findings, saying: “The Government clearly failed to undertake the necessary level of testing and precautions required to mitigate against any such surge in applications.”
They added that it was “worrying that...mistaken assumptions meant that these issues were not investigated further and corrected”, and urged the government to carry out more testing, more often, and to the point of destruction.
A further issue identified by the MPs’ report was that the government lacked contingency planning for a collapse of the website, with poor communication between the Cabinet Office, the Electoral Commission and the electoral administrators and electoral registration officers.
The Association of Electoral Administrators claimed administrators “effectively had to read the BBC website for updates”, while the Electoral Commission’s head of electoral guidance, Ailsa Irvine, told the committee that there needed to be a “more effective strategy between us and government to give [officers] more information earlier”.
‘No direct evidence’ of foreign interference
The PACAC report also made reference to cyber security around elections and referenda, saying that the website crash “had indications” of being a distributed denial of service attack.
Despite saying that it had “no direct evidence” of this happening in the EU referendum, the committee said “it is important to be aware of the potential for foreign interference” - comments prompted by accusations that Russia played a role in Donald Trump’s successful presidential campaign.
It is crucial that lessons about “protection and resilience against possible foreign interference in IT systems...extend beyond the technical”, the committee said.
“The US and UK understanding of ‘cyber’ is predominantly technical and computer-network based. For example, Russia and China use a cognitive approach based on understanding of mass psychology and of how to exploit individuals.
“The implications of this different understanding of cyber-attack, as purely technical or as reaching beyond the digital to influence public opinion, for the interference in elections and referendums are clear.”
The committee recommended that the National Cyber Security Centre, GCHQ, local government, Cabinet Office and the Electoral Commission “establish permanent machinery for monitoring cyber activity in respect of elections and referendums” and promote cyber security and resilience.