UK government officials have been called out by infosec experts for lax attitudes towards cybersecurity protocols.
Cybersecurity has never quite occupied the public consciousness as much as in recent months, from the WannaCry attack that affected the NHS, to the Equifax data breach that leaked millions of customers’ details.
The increasing awareness of potential threats and good practice is not shared by everyone, as several UK MPs have demonstrated over the last few days. Recently, a retired police officer claimed that first secretary of state, Damian Green, owned pornographic material found on a computer belonging to him in 2008.
Conservative MP Nadine Dorries questioned the accusation and tweeted that her staff log on to her computer every day with her login details, in an effort to show that the owner of the pornographic material may not have been Green himself.
My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green's desk was accessed and therefore it was Green is utterly preposterous!!
— Nadine Dorries (@NadineDorries) December 2, 2017
Dorries was then forced to defend her position, with the MP claiming that sharing of passwords was standard practice in the UK parliament despite being a clear breach of cybersecurity rules. Nick Boles, another Conservative MP, backed Dorries up, also tweeting that he shared login details with staff.
I certainly do. In fact I often forget my password and have to ask my staff what it is.
— Nick Boles MP (@NickBoles) December 3, 2017
Will Quince, MP for Colchester, said he leaves his machine unlocked for others to use, and his office manager also knows his login.
Less login sharing and more that I leave my machine unlocked so they can use it if needs be. My office manager does know my login though. Ultimately I trust my team.
— Will Quince MP (@willquince) December 3, 2017
Infosec expert Graham Cluley was quick to note that the cavalier attitude towards passwords and credentials was especially egregious considering recent targeted computer attacks on Westminster.
Cluley added that if MPs are so concerned about remembering passwords and allowing others access to their machines, then a password manager would be the ideal solution for this problem.
The BBC asked two MPs – one Labour and one Conservative – about their attitudes to cybersecurity and what they have both seen in their time on the job. Both said they would never share their login details but noted that colleagues were not as strict.
One MP said a code of practice would be hard to enforce as each MP runs their respective office independently. “Ultimately, this is a result of each MP and their office functioning as entirely independent small businesses. If one person wants to make daft decisions, there is no way of forcing them not to.”
The Guardian reported that data protection officer Carl Gottlieb said: “Sharing access to confidential systems should always be minimised, especially in government, where security and audit trails are paramount.
“MPs and the civil service have a track record of lax practices around sharing passwords, and this needs to change. MPs, like many senior managers, have teams around them that act as a bubble of trust.”
The trouble begins when this bubble bursts.