How your MP practices information security is a local politics matter

UPDATE: Parliament’s digital chief reminds MPs logins ‘must be used only by the originator’ amid defence of minister facing porn claims.


Members of parliament — for the most part — don’t get technology. They usually have an even worse grasp of information security. We can see this from the kinds of proposals that emerge from Westminster: poorly designed policy on data retention requirements, weakening encryption, internet filtering and so forth. It’s a regularly occurring avalanche of disregard for the public’s rights, and an almost proud display of digital illiteracy.

But it gets worse. We saw yesterday that this lack of awareness may extend down to whether local MPs bother to protect their own constituents’ information by securing their own online accounts or their work computers. We’re not talking about cabinet-level positions or national security related issues, but the daily deluge of personal interactions and the amount of information that results. Your MP may be exposing you and your borough to threats, as well as being the weak link in their network of contacts that allows malware to spread, even to MPs in higher positions.

Context

Here’s the background: First Secretary of State Damian Green is currently the subject of a Cabinet Office inquiry over allegations that police found evidence of hours and hours of hardcore porn viewing on his parliamentary computer in 2008. At the time of the alleged discovery, Green was the shadow immigration spokesman in what was then the opposition. He had been arrested on charges by the Home Office that he’d been leaking confidential memos in an apparent attempt to embarrass the then Labour government. That case didn’t pan out, and now we have porn allegations, the last refuge when other charges don’t stick.

Maybe the charges are true, and maybe they aren’t. But apparently he’s got an easy way out: MPs don’t know who has access to their work computers or online accounts… according to other MPs.

The ‘common practice’ problem

I actually don’t have a strong opinion regarding a politician’s porn viewing habits. Obviously, it shouldn’t happen on the taxpayer’s clock, and also not on a work computer. Porn aside, you shouldn’t be doing personal things on work devices anyway, especially government owned ones that may be subject to Freedom of Information requests and various logging or auditing policies. That said, the story has actually exposed a more mundane but (I’d argue) more scandalous issue: almost all MPs have little to no information security practices.

The MP for Mid-Bedfordshire talks openly about her disregard for securing accounts used to communicate with constituents on private issues.

A few of Damian Green’s colleagues have come to his aid in very curious ways. First, there was Nadine Dorries MP (Mid-Bedfordshire) who made sure to maximise Twitter’s new 280-character limit to gush: “My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous!!”

We also learned from Nick Boles MP (Grantham and Stamford) that he’s always asking his staff what his login passwords are. BBC Newsnight reporter James Clayton assures followers that this is widespread and common practice amongst MPs, and that he doesn’t see anything wrong with it.

The idea here is that if anything dodgy is found on your computer, you can just blame the intern. This would be a brilliant tactic to scale across Parliament and the House of Lords: no accountability at all. According to government regulations, this kind of activity is banned, but that doesn’t stop MPs from live tweeting their InfoSec transgressions, apparently.

His password manager is someone who emails him his password.

In subsequent tweets, MPs Boles and Dorries tried to downplay the issue: they aren’t part of the cabinet, so it’s not a big deal; they don’t have national security information; it’s just a shared email account, etc. The problem with these kinds of excuses is twofold:

  1. An MP gets a lot of information on regular constituent matters. These aren’t matters of national security, but who cares? They still require protection and can be incredibly valuable to data thieves.
  2. A hacker could use access to a low-level, backbench MP’s account to target a higher-ranking cabinet member with a social engineering or malware campaign.

Westminster IT support live coverage.

What’s wrong with sharing some account access?

The problem with these responses by a couple of Tory backbenchers and the BBC beat reporter is that they miss (or dismiss) important points. It doesn’t matter that they aren’t accessing highly classified information. It doesn’t matter that it’s only an email account or a single computer’s login. It probably is common practice; that actually makes it worse.

If someone can access an email account, they can see anything any constituent has sent to it, and respond back as the MP. It becomes possible to mass-send some malware to a whole list of email subscribers. An attacker can find out who’s asking questions about personal issues, business matters, or local disputes and use that information in social engineering or other kinds of attacks. This kind of data is likely to be more interesting to a typical malicious hacker than draft policy positions or other supposedly classified information, anyway.

Meanwhile, at the other end of the spectrum, if a state actor were interested in getting better access to confidential security-related data, it would be far better to hijack low-hanging-fruit accounts like those of some sloppy backbench MPs, and use those to go after higher interest targets.

All these problems are already solved

Everything that MPs are doing wrong with their passwords and shared devices is aimed at solving the problem of needing staff, interns and associated lackeys to read and respond to constituent issues, coordinate events, meetings, book posh lunch reservations, and so forth on behalf of the MP. The need is real, but there are already ways to do this without sharing computers or account login details.

There are group working environments that allow teams to work collaboratively, but with their own accounts. There are secure file sharing methods that track and control access. These aren’t esoteric intelligence agency systems. They’re the kinds of platforms any reasonably sized organisation uses.

So, either members of Parliament don’t know about these things, which makes you wonder how they’ve lasted professionally for the last decade, or they are knowledgeable about these things but have motives for not wanting to use systems that are both more secure and persistent about documenting access and use. Either way, it’s interesting considering how much this government wants everything everyone does on the internet to be tracked, categorised and preserved.

Any member of Parliament who is interested in protecting their constituents’ privacy should be doing these things:

  • Use strong passwords on all systems through which they are reached by constituents. Password rotation is much less important than password complexity.
  • Require staff to use their own accounts to access shared work spaces for managing constituent information, and log document accesses and editing.
  • Require the entire office to use 2-factor authentication on all accounts (easy to train on and set up, highly difficult for hackers to get through).
  • Work spaces should be accessed via encrypted connections (this isn’t rocket science or spy-level stuff; this is mainstream technology, used by Slack, Facebook, Google, your bank etc.).
  • Require staff to use password managers to deal with complex pass phrases that won’t be memorable (again, commercially available, and not highly complex).
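As an added illustration of the “persistent about documenting access” point (example code written for this page, not anything from the post or from Parliament’s systems): a small Python check that scans constructed authentication log lines and flags accounts logged into from several distinct devices within a short window, which is the pattern a shared MP login produces and a personal account normally does not. The log format, the field names (user, src, device) and the 30-minute window are assumptions.

```python
# Added example (not from the original post): flag accounts whose credentials
# look shared, by finding logins from several distinct endpoints close together.
# The log format, field names and 30-minute window are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: mp.office1 is used from three devices within minutes.
SAMPLE_LOG = """\
2017-12-04T09:02:11Z login user=mp.office1 src=10.20.0.14 device=desktop-A ok
2017-12-04T09:05:40Z login user=mp.office1 src=10.20.0.31 device=laptop-B ok
2017-12-04T09:09:03Z login user=mp.office1 src=203.0.113.7 device=phone-C ok
2017-12-04T09:15:22Z login user=staff.jones src=10.20.0.31 device=laptop-B ok
2017-12-04T13:40:00Z login user=mp.office1 src=10.20.0.14 device=desktop-A ok
2017-12-04T09:30:00Z login user=mp.office2 src=10.20.0.50 device=desktop-D fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"device=(?P<device>\S+) (?P<result>ok|fail)$"
)

def parse_log(text):
    """Yield (timestamp, user, (src, device)) for each successful login."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "ok":
            continue  # skip malformed lines and failed attempts
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], (m["src"], m["device"])

def shared_accounts(text, window=timedelta(minutes=30), min_endpoints=2):
    """Return {user: sorted endpoints} for accounts that logged in from
    min_endpoints or more distinct (src, device) pairs within one window."""
    events = defaultdict(list)
    for ts, user, endpoint in parse_log(text):
        events[user].append((ts, endpoint))
    flagged = {}
    for user, evs in events.items():
        evs.sort()  # sliding window needs chronological order
        for i, (start, _) in enumerate(evs):
            endpoints = {ep for ts, ep in evs[i:] if ts - start <= window}
            if len(endpoints) >= min_endpoints:
                flagged[user] = sorted(endpoints)
                break
    return flagged
```

Running `shared_accounts(SAMPLE_LOG)` flags only `mp.office1`, with three endpoints inside one window; the single-device staff account and the failed login are left alone.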

Bonus: