Politicians boast about sharing passwords, bask in blissful ignorance

Britain’s Houses of Parliament must be a pretty stressful place to be a computer security admin.

For starters, it’s a given that you’ll find yourself defending the House’s 650 MPs, 800 Lords, and 2,000 or so other staff from daily state-sponsored cyberattacks, such as the one that led to the compromise of dozens of MPs’ email accounts in June.

Not easy.

Then there is the large and frankly risky porn habit of some of Parliament’s public servants, which amounted to a reported 110,000 attempted accesses to X-rated sites in 2016 (itself a marked reduction on previous years).

Apart from being rather sleazy for the mother lode of democracy, porn sites are like malware flypaper, so that’s not good either.

Rounding out the misery list is the lax personal behaviour of the MPs themselves, which this week we learned runs to sharing precious account passwords with their staff willy-nilly.

Ironically, news of this behaviour emerged from comments made by MP Nadine Dorries, who was defending fellow Conservative First Secretary of State Damian Green from recent accusations that he downloaded porn to his computer in 2009.

She tweeted:

The reasoning is that if porn was accessed from Green’s PC while he was apparently logged into email and other accounts, this did not necessarily mean he was personally responsible.

Before anyone could dismiss Dorries’ remark as a one-off, fellow MP Nick Boles tweeted his agreement:

But perhaps it is Dorries’ next tweet that deserves more attention:

No need to worry, then – who beyond Dorries’ office could possibly be interested in something as trifling as an email account and its measly credentials?

By now, Parliamentary IT staff reading these exchanges were probably feeling the need to head for darkened rooms for a long lie down.

Then the Information Commissioner’s Office (ICO) intervened on their behalf:

We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.

It also pointed out that section 2.7.2 of the official data protection advice for MPs and staff (2010) clearly states:

Keep personal information secure and introduce office practices to ensure that security measures are followed. Take particular care when sharing information or sending it off-site.

Might some of this be unfair to Dorries and password-sharing MPs in her situation?

It could be countered that the problem is not simply what she is owning up to – MPs have a legitimate, if limited, need to let staff work in their accounts after all – but her lack of awareness that there are safer ways to achieve this: for instance, a password manager with shared vaults, or the delegated access built into most email systems, which grants staff access to a mailbox without revealing the MP’s own password.

Delegated access, unlike a shared password, also preserves accountability, because each action is logged against the real person who performed it rather than against the account owner. MPs should never be able to hide online behaviour behind the excuse that someone else was using an account on their behalf.
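To make the accountability point concrete, here is an added example (not code from the original article or from Parliament’s IT) that attributes mailbox actions to a real person from audit records. The records are constructed, and the field names and the owner/admin/delegate logon-type codes are loosely modelled on Exchange mailbox auditing but should be treated as assumptions. It goes slightly beyond the text by adding a heuristic: an “owner” logon from an address that has also authenticated as a different principal is flagged as unattributable, which is exactly what a shared password produces.

```python
"""Attribute mailbox actions to the person who actually performed them.

Added example: not from the original article. Audit records below are
constructed; field names and LogonType codes are assumptions modelled
on Exchange mailbox auditing.
"""
from collections import defaultdict

# LogonType codes (assumption): who authenticated to the mailbox.
OWNER, ADMIN, DELEGATE = 0, 1, 2

# Constructed sample records for one MP's mailbox.
# "actor" is the identity the system authenticated; with a shared
# password the aide authenticates *as the MP*, so the record says OWNER.
RECORDS = [
    {"mailbox": "mp@parliament.example", "actor": "mp@parliament.example",
     "logon_type": OWNER, "ip": "10.0.1.5", "op": "MailItemsAccessed"},
    {"mailbox": "mp@parliament.example", "actor": "aide@parliament.example",
     "logon_type": DELEGATE, "ip": "10.0.2.9", "op": "SendAs"},
    {"mailbox": "mp@parliament.example", "actor": "mp@parliament.example",
     "logon_type": OWNER, "ip": "10.0.2.9", "op": "Create"},  # shared password
    {"mailbox": "mp@parliament.example", "actor": "mp@parliament.example",
     "logon_type": OWNER, "ip": "203.0.113.7", "op": "MailItemsAccessed"},
]


def attribute(records):
    """Return (attributed, unattributable).

    attributed:     list of (operation, person) pairs that can be tied to a
                    named individual.
    unattributable: list of (operation, ip, principals_seen_from_ip) for
                    OWNER logons from an address that has also been used by
                    some other principal, i.e. the password may be shared.

    Delegate and admin logons always name the real actor, so they are
    attributable by construction. Owner logons only prove that the owner's
    password was used, not who typed it.
    """
    ip_principals = defaultdict(set)
    for r in records:
        ip_principals[r["ip"]].add(r["actor"])

    attributed, unattributable = [], []
    for r in records:
        if r["logon_type"] in (DELEGATE, ADMIN):
            attributed.append((r["op"], r["actor"]))
        elif not (ip_principals[r["ip"]] - {r["mailbox"]}):
            # Only the owner has ever authenticated from this address.
            attributed.append((r["op"], r["mailbox"]))
        else:
            unattributable.append(
                (r["op"], r["ip"], sorted(ip_principals[r["ip"]])))
    return attributed, unattributable


if __name__ == "__main__":
    ok, suspect = attribute(RECORDS)
    for op, who in ok:
        print(f"{op:18} attributed to {who}")
    for op, ip, seen in suspect:
        print(f"{op:18} UNATTRIBUTABLE: owner logon from {ip}, "
              f"also used by {seen}")
```

The delegate’s SendAs is pinned to the aide, and the owner’s reads from addresses only the owner uses are pinned to the MP. The Create from 10.0.2.9 is the interesting one: the account says “owner”, but that address has also authenticated as the aide, so nobody can say who did it. That is the gap a shared password opens and delegation closes. Note the caveat the heuristic does not cover: an owner logon from an address seen only with the owner is still attributed to the owner even if the password was in fact shared, which is why the fix is delegation, not better log analysis.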

Parliamentary IT earlier this year championed its first cybersecurity awareness month designed to help MPs and staff “brush up their existing knowledge and learn new skills.”

All very worthy, but if recent cyberattacks and Dorries’ tweets tell us one thing, it’s that the model of leaving security up to busy politicians is ineffective to say the very least.


This is a Security Bloggers Network syndicated blog post. Read the original at: Naked Security 2017-12-05.