Britain’s Houses of Parliament must be a pretty stressful place to be a computer security admin.
For starters, it’s a given that you’ll find yourself defending the House’s 650 MPs, 800 Lords, and 2,000 or so other staff from daily state-sponsored cyberattacks, such as the one that led to the compromise of dozens of MPs’ email accounts in June.
Not easy.
Then there is the large and frankly risky porn habit of some of Parliament’s public servants, which amounted to a reported 110,000 attempted accesses to X-rated sites in 2016 (itself a marked reduction on previous years).
Apart from being rather sleazy for the mother lode of democracy, porn sites are like malware flypaper, so that’s not good either.
Rounding out the misery list is the lax personal behaviour of the MPs themselves, which this week we learned runs to sharing precious account passwords with their staff willy-nilly.
Ironically, news of this behaviour emerged from comments made by MP Nadine Dorries, who was defending fellow Conservative First Secretary of State Damian Green from recent accusations that he downloaded porn to his computer in 2009.
She tweeted:
My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green’s desk was accessed and therefore it was Green is utterly preposterous!!
— Nadine Dorries (@NadineDorries) December 2, 2017
The reasoning being that if porn was accessed from Green’s PC while he was apparently logged into email and other accounts, this did not necessarily mean he was personally responsible.
Before anyone could dismiss Dorries’ remark as a one-off, fellow MP Nick Boles tweeted his agreement:
I certainly do. In fact I often forget my password and have to ask my staff what it is.
— Nick Boles MP (@NickBoles) December 3, 2017
But perhaps it is Dorries’ next tweet that deserves more attention:
Flattered by number of people on here who think I’m part of the Government and have access to government docs 😅
I’m a back bench MP – 2 Westminster based computers in a shared office. On my computer, there is a shared email account. That’s it. Nothing else. Sorry to disappoint!
— Nadine Dorries (@NadineDorries) December 3, 2017
No need to worry, then – who beyond Dorries’ office could possibly be interested in something as trifling as an email account and its measly credentials?
By now, Parliamentary IT staff reading these exchanges were probably feeling the need to head for darkened rooms for a long lie down.
Then the Information Commissioner’s Office (ICO) intervened on their behalf:
We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.
It also pointed out that section 2.7.2 of the official data protection advice for MPs and staff (2010) clearly states:
Keep personal information secure and introduce office practices to ensure that security measures are followed. Take particular care when sharing information or sending it off-site.
Might some of this be unfair to Dorries and password-sharing MPs in her situation?
It could be countered that the problem is not simply what she is owning up to – MPs have a legitimate, if limited, need to share credentials, after all – but her lack of awareness that there are safer ways to achieve this, for instance by using an online password manager.
Sharing passwords (or using delegated access) in a formal way also preserves accountability, because it allows behaviour to be tied to the real person accessing an account. MPs should never be able to hide online behaviour behind the excuse that someone else was using an account on their behalf.
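As an added example that is not part of the article, the following Python sketch shows concretely why delegated access preserves accountability while a shared password does not. It assumes a hypothetical log format in which a delegation-aware system records the delegate’s identity in an actor field, whereas a plain password login records nothing but the account; the account names, addresses and log lines are constructed. The report it builds flags the classic shared-password signature (overlapping sessions from different machines with no named actor) and shows that the delegated account’s activity can be tied to individual people.

```python
"""Added example (not from the article): attributing account activity when
credentials are shared versus when access is delegated.

Each constructed log line has the shape
    <ISO timestamp> account=<mailbox> actor=<person or -> src=<ip> event=<login|logout>
where actor is the identity recorded by a delegation/audit mechanism
('-' means the mailbox's own password was used, so the system cannot
say who was at the keyboard). The format is hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (hypothetical account names and addresses).
SAMPLE_LOG = """\
2017-12-04T09:00:00 account=mp.office actor=- src=10.0.0.11 event=login
2017-12-04T09:05:00 account=mp.office actor=- src=10.0.0.12 event=login
2017-12-04T09:30:00 account=mp.office actor=- src=10.0.0.11 event=logout
2017-12-04T09:45:00 account=mp.office actor=- src=10.0.0.12 event=logout
2017-12-04T10:00:00 account=mp.mailbox actor=alice.intern src=10.0.0.21 event=login
2017-12-04T10:10:00 account=mp.mailbox actor=bob.researcher src=10.0.0.22 event=login
2017-12-04T10:40:00 account=mp.mailbox actor=alice.intern src=10.0.0.21 event=logout
2017-12-04T11:00:00 account=mp.mailbox actor=bob.researcher src=10.0.0.22 event=logout
"""


@dataclass
class Event:
    ts: datetime
    account: str
    actor: str | None  # None when only the account password was presented
    src: str
    kind: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(
            ts=datetime.fromisoformat(ts_str),
            account=kv["account"],
            actor=None if kv["actor"] == "-" else kv["actor"],
            src=kv["src"],
            kind=kv["event"],
        ))
    return sorted(events, key=lambda e: e.ts)


def concurrent_sessions(events: list[Event], account: str) -> int:
    """Peak number of simultaneous sessions on one account from distinct sources."""
    open_srcs: set[str] = set()
    peak = 0
    for e in events:
        if e.account != account:
            continue
        if e.kind == "login":
            open_srcs.add(e.src)
            peak = max(peak, len(open_srcs))
        elif e.kind == "logout":
            open_srcs.discard(e.src)
    return peak


def attribution_report(events: list[Event]) -> dict[str, dict]:
    """Per account: can activity be tied to a named person, and does the
    session pattern look like a shared password?"""
    report: dict[str, dict] = {}
    for acct in sorted({e.account for e in events}):
        acct_events = [e for e in events if e.account == acct]
        unattributed = [e for e in acct_events if e.actor is None]
        actors = sorted({e.actor for e in acct_events if e.actor})
        peak = concurrent_sessions(events, acct)
        report[acct] = {
            "attributable": not unattributed,
            "actors": actors,
            "peak_concurrent_sources": peak,
            # Two or more overlapping sessions from different machines, none of
            # them carrying a delegate identity, is the shared-password
            # signature: the log can only say "the account", not "the person".
            "likely_shared_password": bool(unattributed) and peak >= 2,
        }
    return report


if __name__ == "__main__":
    for acct, row in attribution_report(parse_log(SAMPLE_LOG)).items():
        print(acct, row)
```

The point of the two halves of the sample is the difference in what an investigator can say afterwards: for the password-shared account the log only proves that "the account" was active from two machines at once, whereas for the delegated account each action carries the name of the delegate who performed it.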
Parliamentary IT earlier this year championed its first cybersecurity awareness month designed to help MPs and staff “brush up their existing knowledge and learn new skills.”
All very worthy, but if recent cyberattacks and Dorries’ tweets tell us one thing, it’s that the model of leaving security up to busy politicians is ineffective to say the very least.
Mahhn
Good thing it’s not a real job, that would get them fired, or at least corrective action.
Just twits tweeting to the world how incompetent they are, and using it as an excuse for fellow staff to be incompetent too. Wow.
Is something going to hit the news soon? Plausible deniability for a big data leak about to hit?
Dan D. Lyon
Astonishingly ignorant and tone-deaf. Especially the felt need to double down. But it’s also instructive. Information Security professionals wonder why their jobs are so hard. Why, it seems like leadership is actively working against them.
Disgruntled Lemin
As a civil servant I am not surprised to read this. MPs do many things that are in contradiction of the Civil Service Code… But then again they declared themselves not to be civil servants.
This action is classed as a major security breach, and if I were to do the same thing I would be dismissed.
One rule for us and one rule for them…
Machine_Silver
It is not just the staff though, because as I recall in June it was found that they were using weak and stupid passwords which were brute forced. This means no password complexity or expiry enforcement, which is a basic IT configuration error. Bit of an omnishambles really! Most home users and school children know better. Pity they didn’t learn a few tricks from US politicians, as they could then have used their own private mail servers for government business too!
No wonder nearly everything the Government does gets leaked.
pez0
“Just twits tweeting to the world how incompetent they are, and use it as an excuse for fellow staff to be incompetent too.” I couldn’t have said it any better than that
Ian
Fingerprint scanner and 2nd step authentication is what is needed.
gaz
Ian, well said, but they’re just gonna share the fingerprints.
Tony Gore
These are the same incompetent people who want security services to have a backdoor into encryption? You do not need to share a password for email – for more than a decade, Outlook has had the facility to designate additional people as delegates, and with various levels of control over what they can do e.g. just read, reply on behalf of etc. In general “ignorance of the law” is no defence for normal people like the rest of us. It is a pity that the ICO cannot act on this and prosecute MPs with lax security. And as for Damian Green – the original investigation into him was because he was leaking information. Also, why are they not being forced to use 2 factor authentication – this would stop password sharing.
Bert
MPs are not really employed by parliament they are elected by their constituents so they can’t be removed for misconduct in the same way as a company employee.
But that doesn’t get away from the crazy talk they are publicising. But MPs are not unique high level persons who believe that the inconvenience of security is beneath them. Despite being the highest value target in an organisation.
I hope the security services take the attitude of MPs into account when designing security systems to limit the damage these arrogant individuals can cause.
Outside the Marginals
Is Green Porn sustainable?
BTW is “runs to sharing precious account passwords with their staff willy …” appropriate language?
MikeW
The ones who’ve admitted this are clearly interested in plausible deniability themselves.