New Times,
New Thinking.

After Liz Truss’s smartphone “hack”, will ministers finally take cybersecurity seriously?

Using personal devices for official business should be a breach of the ministerial code, says a security expert.

By Harry Clarke-Ezzidio

National security concerns have been raised following reports that Liz Truss had her personal phone hacked by a foreign entity, which many have presumed to be Russia, while she was foreign secretary. Over a year’s worth of conversations, including sensitive messages and exchanges with international foreign ministers about the war in Ukraine, are believed to have been accessed by the hackers.

It wasn’t until the Tory leadership campaign this summer that security services noticed that Truss’s phone had been compromised, the Mail on Sunday reports. Boris Johnson, the prime minister at the time, and Simon Case, the cabinet secretary and head of the civil service, imposed a “news blackout” on the hack, the paper alleges. 

Truss’s device is reported to be so heavily compromised that it has been placed in a locked safe in “a secure government location”. There have been calls for a full investigation.

The government is yet to confirm whether Truss, who was foreign secretary from September 2021 until her short-lived tenure as prime minister, indeed had her device compromised. Michael Gove, the Levelling Up Secretary, told Sky News that the government took these matters “incredibly seriously” but he did not know the full details “of what security breach, if any, took place”. A government spokesperson said that they “do not comment on individuals’ security arrangements” and added that the government “has robust systems in place to protect against cyber-threats”, which includes “regular security briefings for ministers”.

This month Suella Braverman, the Home Secretary, initially resigned after sending confidential policy documents to an adviser outside of government, and was later rehired to her post by Rishi Sunak when he became Prime Minister. Is there a need for official rules setting out how government officials conduct business and handle sensitive documents? And if the reports are true and Truss’s phone was hacked by Russia, what does it mean for national security?

“It’s a very big deal,” Alan Woodward, a forensic computing expert at the University of Surrey, told Spotlight. “Imagine being able to walk into the room and listen to the conversations, read the messages of a foreign secretary when you’re a foreign power. It’s what every intelligence service wants to know: what the person on the other side of the table is thinking, what their intentions are; who are they allying themselves to.”

[See also: The Policy Ask with Mark Girolami: “Computer science should be compulsory at GCSE level”]

Give a gift subscription to the New Statesman this Christmas from just £49

The most likely way in which Truss’s phone could have been compromised is by sophisticated spyware technology being installed onto it, Woodward said. In theory there are two ways that could be carried out: either by exploiting vulnerabilities in some of the software used on the phone, or by foul play, with someone getting “physical access to your phone, and being able to plug something in, and uploading [spyware] to your device”.

MPs are known to frequently use messaging services such as WhatsApp, where messages are protected by end-to-end encryption, but hackers could still access those messages if they had installed spyware, Woodward warned. “If it’s the right type of spyware, and it’s able to access enough on the phone, then anything on the phone – which includes messages from encrypted messaging services, emails, and potentially microphones, cameras and GPS – could be accessed.”

Officials have what Woodward referred to as a “BYOD” (bring your own device) problem: ministers often prefer to conduct official business on their personal phones, as opposed to more secure government devices, for the sake of convenience. “If someone’s using their own device [things] can get very porous. It’s almost inevitable that someone’s going to find a weak spot and target that device. When you’re a high-value target like Liz Truss, you’ve got to expect that you’re going to be targeted.”

Today’s sensitive geopolitics make the possibility of a hack on Truss’s phone even worse, Woodward said. “I wouldn’t be surprised if foreign agencies haven’t been trying to do it to many politicians. Unfortunately, this is in a period where she appears to be having some very sensitive conversations on non-government channels. It’s terribly convenient, but you shouldn’t be having those conversations on your own [personal] device.”

Politicians are given “a lot” of advice on protecting their correspondence, which includes not using personal phones for official business, from the National Cyber Security Centre and other government agencies, said Woodward, “but whether they’re sticking to it or not, I have my doubts – simply because of the convenience.”

“They’re told endlessly not to do it, but I’m afraid they do, as seen with Suella Braverman,” he continued. The Home Secretary has admitted sending government documents to her personal email address, and sending a sensitive document to a colleague from her private phone. “That’s just a no-no – you may as well send a postcard, email is just that insecure.” To protect politicians, and by extension national security, Woodward suggested that a ban on conducting official business on personal phones should be written into the ministerial code, and that those in the highest ranks of government should have their devices checked regularly for abnormalities.

While calls for an investigation into the alleged hack persist, concerns about hostile foreign agencies targeting politicians will only continue, Woodward said. “It’s not just a sign of things to come, but where we already are,” he said. “Mobile devices are very desirable. It’s Christmas if you can get into it and control it.”

[See also: NHS Digital’s Mike Fell: “Cybersecurity can sound bizarre, but getting it wrong puts patients at risk”]

Content from our partners
Building Britain’s water security
How to solve the teaching crisis
Pitching in to support grassroots football