The sobering reality of backdoors: cybersecurity and surveillance circumvention during GE2017

Cybersecurity and surveillance circumvention are not famed as classic election campaign issues. Yet both figured prominently at different times throughout the 2017 UK General Election, triggered by three devastating attacks during the campaign: the WannaCry ransomware attack that ground the NHS to a halt in early May; the Manchester Arena bombing on 22nd May that killed 23 and injured 119 people; and the London terrorist attack on 3rd June that left 8 dead and 48 wounded.

The WannaCry ransomware attack affected computers worldwide (including those of several transnational companies), propagating through a vulnerability in computers running older versions of Windows. It reportedly affected around 45 NHS organisations across the UK, with thousands of computers locked down, rendering patient records, appointment schedules and internal phone lines inaccessible. While the NHS was keen to stress that no patient data had been compromised, blame was quickly attributed to Government underspending on NHS IT infrastructure.

The Guardian reported back in May 2015 that the Government refused to renew a £5.5 million deal with Microsoft to extend support for end-of-life software. The NHS was singled out as one of several public bodies perceived as “exploitable by relatively low-skilled attackers”. The much-maligned Jeremy Hunt was attacked again in May 2017, accused of ignoring “‘extensive warning signs’ that could have prevented an unprecedented global cyber-attack which has plunged the NHS into chaos”.

In the immediate aftermath of the Manchester Arena attack, the Conservative Government briefed reporters that they intended to enact parts of the Investigatory Powers Act called Technical Capability Orders that would require technology and communications companies to break their own security and encryption to facilitate access for security services. According to anonymous ‘senior ministers’, “The social media companies have been laughing in our faces for too long” – with the WhatsApp and Telegram messenger apps often singled out as having been used by terrorists.

May reignited the same calls for a crackdown on encryption following the London Bridge attack. In what was widely perceived as a politicised intervention, she called for international collaboration to “regulate cyberspace” and argued that “We need to deprive the extremists of safe spaces online”. This seemed to revive former PM David Cameron’s plans from 2015 to ban end-to-end encryption, which were widely derided by industry experts and even opposed by Conservative stalwarts like Brexit Minister David Davis (who successfully challenged the Conservative Government on this issue in none other than the European Court of Justice). May’s calls for stronger surveillance capabilities also triggered detailed scrutiny of the Conservative record – and Theresa May’s six-year tenure as Home Secretary in particular – on national security and cuts to policing.

May’s comments on encryption were entirely consistent with her previous record on internet regulation. The 2017 Conservative manifesto echoed this tough stance, proclaiming that “we do not believe that there should be a safe space for terrorists to be able to communicate online and will work to prevent them from having this capability” (p. 79). It is important to remember that these manifesto promises come in the context of the recently passed Investigatory Powers Act, which “allows for some of the most extensive and intrusive surveillance practices in the world”, and that this is, broadly speaking, a Conservative crusade.

Whilst Labour promised to “provide our security agencies with the resources and the powers they need to protect our country”, they also took care to balance this against ensuring “such powers do not weaken our individual rights or civil liberties” and to “reintroduce effective judicial oversight over how and when they are used, when the circumstances demand that our collective security outweighs an individual freedom” (p. 77).

The Liberal Democrats were even more explicit in their opposition, promising to “Roll back state surveillance powers by ending the indiscriminate bulk collection of communications data, bulk hacking, and the collection of internet connection records.” (p. 76), alongside other commitments to control and regulate surveillance. Theirs was also the only manifesto to overtly pledge to “Oppose Conservative attempts to undermine encryption”.

The Green Party simply called for the internet to “be free of state and corporate surveillance, with our rights and freedoms protected.” (p. 21). The Conservative party’s new bedfellows, the DUP, promised in their manifesto merely to “support the expansion of cybersecurity research in Northern Ireland” (p. 17). The most detailed anti-surveillance manifesto pledges were from the small Pirate Party (it received only 2,321 votes in total), while others – including SNP, UKIP, Sinn Féin, or Plaid Cymru – failed to make any specific mention of cybersecurity, internet regulation or surveillance in their manifestoes.

The lack of detailed policies or manifesto pledges in this area should be of considerable concern. Opponents as diverse as Brexit Minister David Davis and BoingBoing’s Cory Doctorow highlight that the entire premise for all of our everyday digital interactions (from banking to the health sector) is predicated on the ability to communicate securely. However well intended, any backdoor into such processes will paradoxically undermine not only the ability of your adversary to communicate securely, but also enable them to strategically target weaknesses in our own communicative systems. Case in point: the WannaCry ransomware that nearly brought the NHS to a halt at the start of the election campaign was spreading via a Windows exploit stolen from the NSA. That is, the NSA identified the vulnerability and used it to create a backdoor for its own offensive surveillance work rather than reporting it to Microsoft to be patched – exposing weaknesses in the very same principles and methods advocated by Theresa May.