The UK government is to impose widely anticipated sanctions on two individuals and a company based in China, after it accused state-backed hackers of carrying out cyber-attacks on the Electoral Commission and individual Members of Parliament.
The affected MPs however, have claimed the government has not gone far enough, with one of its targets – former Conservative leader Iain Duncan Smith – declaring yesterday’s actions as the equivalent of “an elephant giving birth to a mouse.”
Industry experts also weighed in, adding that with a UK general election on the horizon, the government needed to send out a clear message to state-backed threat actors and to also ensure that its cyber practices were up to date and fit for purpose.
In a widely pre-briefed speech in the House of Commons yesterday afternoon, deputy prime minister Oliver Dowden reiterated that the attack on the UK’s elections watchdog marked a “clear and persistent pattern of behaviour that signals hostile intent from China”.
FBI director fires critical infrastructure hack warning
However, Dowden stopped short of officially declaring China as a threat to UK democracy.
As a result of the sanctions, two individuals – Zhao Guangzong and Ni Gaobin – and one business – the Wuhan Xiaoruizhi Science and Technology Company – have been sanctioned by the UK.
All have been accused of working for the China state-affiliated cyber espionage group Advanced Persistent Threat Group 31 (APT31).
The government sanctions will freeze assets, preventing UK citizens and businesses from handling their funds or resources. A travel ban will also prevent individuals or people working for the company from entering or remaining in the UK.
The Chinese embassy in the UK denies the attacks were anything to do with China, adding that the claims amounted to “malicious slander”.
The cyber attack on the UK Electoral Commission between August 2021 and October 2022 enabled hackers to access the personal details of about 40m voters and to gain sensitive emails from its “control systems” and between election officials over six by-elections.
The MPs targeted are all members of the Interparliamentary Alliance on China, which scrutinises the activities of Beijing.
They include former Tory leader Duncan Smith, former minister Tim Loughton and the SNP’s Stewart McDonald, who all sustained harassment, failed hacks and impersonations by groups seeking to influence foreign dignitaries.
However, security experts and the affected MPs claim that the actions amounted to ‘too little, too late’, accusing Dowden of missing an opportunity to designate China as a “threat” and send out a clear message.
Former immigration minister Robert Jenrick joined Duncan Smith in criticising the action, saying the response was “feeble” and would only “embolden China”.
These MPs’ concerns were echoed by many cyber security firms, who not only felt that the UK government has been treading too softly in its dealings with China on this issue, but that it needed to refine its cyber security practices ahead of the next general election.
According to Al Lakhani, CEO of security firm IDEE, while international relations are built on good faith and mutual interests these don’t always correlate with good cybersecurity practices “which must be built on zero trust”.
He added: “The government is blatantly tiptoeing around the issue, evidently paralysed by the fear of alienating global superpowers, but the result is compromised personal data and undermining confidence in electoral processes.”
CTO of Advanced Cyber Defence Systems Elliott Wilkes added that while the conventional option was to sanction individuals, these actions rarely yield successful results.
“To my knowledge, none of the individuals associated with the OPM breach who were sanctioned by the US government have been arrested.
“A bolder step might include more direct cyber action, but this has the potential to escalate already heightened tensions between the UK (and the West) and China.
“The danger of this attack is that it underscores the ability of a major global power to act in a way designed for intelligence gathering but also intimidation, without fear of significant recourse,” he said.
Jamie Akhtar, co-founder and CEO at CyberSmart added that the situation emphasized the need for the UK to “continually refine its holistic cyber security strategy”
He added: “Defence needs to go further than protection for state institutions. As we’ve seen time and again, nation-state actors will also target businesses that provide services to the government too.
“Without a defence strategy that incorporates every aspect of society, from small businesses to schools to state bodies, nation-state actors will keep finding new routes in,” he warned.
The cyber experts also reiterated that while nation-state attacks are often perceived as highly sophisticated, most breaches are successful due to spear-phishing campaigns, and exploitation of software vulnerabilities.
“The government needs to find better ways of protecting its systems and data. When it comes to something as important as national security, relying on outdated cybersecurity solutions that detect attacks, but stop short of preventing them, is nothing short of dangerous,” said Lakhani.
“I hope that lessons have been learned from past breaches, that this marks a turning point in the UK’s cyber security preparedness, and that we move towards a digitally secure future rooted in identity proofing and transitive trust,” he added.
Subscribe to our Editor's weekly newsletter
Newsletter
Share
