Parliament to the populace: Do as we say, not as we do.
That's the quick take on lawmakers' lack of cybersecurity prowess, to put it nicely. Or to be blunt, call it a flagrant disregard for the U.K. privacy laws that they themselves voted into effect.
"The distance between how tech nerds think people use computers, and how they actually do, is so vast."
In recent days, multiple Members of Parliaments' poor information security choices have been revealed in their attempt to defend Damian Green. He's the U.K.'s deputy prime minister who has dismissed allegations that he downloaded and viewed pornography on his Parliament-issued PC by saying that he shared the PC with staffers and interns. And some of his fellow Conservative lawmakers have said they also share their passwords or leave their workstations unlocked (see Parliament's Email Practices Probed by Privacy Watchdog).
Cue a firestorm of criticism, because MPs receive sensitive communications from their constituents. They can, of course, also be privy to other sensitive information and national secrets.
In response to the criticism, some Conservative MPs including Nadine Dorries - who tried to defend Green by admitting to regularly sharing her password with staff - have claimed that they're too low level to have access to any information that someone might want to mishandle or steal. That their email accounts might be used as stepping stones to socially engineer their fellow parliamentarians or constituents does not seem to have occurred to them.
Flattered by [the] number of people on here who think I'm part of the Government and have access to government docs— Nadine Dorries (@NadineDorries) December 3, 2017
I'm a back bench MP - 2 Westminster based computers in a shared office. On my computer, there is a shared email account. That's it. Nothing else. Sorry to disappoint!
Some Education Required
Not for the first time, it appears that some lawmakers need to pay attention to the cybersecurity training on offer from Parliament, including warnings about how to use passwords, email and Parliament's Microsoft Office 365 cloud-based service not only securely but in a manner that doesn't violate the country's data protection laws (see Tainted Leaks: Researchers Unravel Cyber-Espionage Attacks).
Of course, no one is born knowing how to operate Office 365 securely, British lawmakers included.
"Outside of law firms that I've worked for, _nobody_ is trained on how to use email - and it's the single biggest attack vector/vulnerability most organizations face (in terms of people)," says Sean Sullivan, a security adviser at Finnish security firm F-Secure, on Twitter.
Many developers, however, discount how users use their software. "The distance between how tech nerds think people use computers, and how they actually do, is so vast," says information security expert Dan Kaminsky via Twitter. "That's not a judgment. It's just a statement of fact."
But better training might help.
"I'd love to know what their current training looks like. There's definitely been a failure to get past the 'why would attackers want my data?' bias," says cybersecurity consultant Jessica Barker via Twitter (see Successful Security? Stop Blaming Users).
Representatives for Parliament didn't immediately respond to my request for comment.
When I asked a spokesman in June about whether parliament.uk email account holders were forced to comply with email security guidance issued by the Parliamentary Digital Service, he declined to comment, citing what was then an ongoing investigation into poor email password security practices (see Parliament Pwnage: Talk Weak Passwords, Not 'Cyberattack').
But Parliament insiders describe a culture in which the individuals in charge - in this case, MPs - feel free to flout information security rules. Doing so also gives people in positions of power a ready excuse for anything that might be found on their system.
"It's an open secret (now including MPs tweeting it) that many MPs have simply decided these things don't apply to them, including the belief they have no liability for what happens on Parliament network BECAUSE they openly share logins," says British security expert Kevin Beaumont via Twitter. "It's really bad practice and needs to stop."
Parliament offers regularly scheduled cybersecurity training programs, Associated Press reporter Raphael Satter points out.
If some MPs don't get cybersecurity it doesn't appear to be for lack of trying on Parliament's part. Here're some events organized earlier this year at Westminster.https://t.co/3CkjkprcuY pic.twitter.com/oQGitp8GFe— Raphael Satter (@razhael) December 4, 2017
When it comes to email security, chances are that U.K. lawmakers are not some outlier. In the United States, for example, the U.S. intelligence establishment has accused Russia of meddling in the 2016 presidential election after gaining access to numerous politicians' email accounts, including John Podesta, the chief of Hillary Clinton's election campaign.
To help, several grassroots organizations are attempting to educate politicians and political campaigns about how to better secure their operations (see As 2018 Campaign Gears Up, Candidates Get Security Advice ).
Maciej Ceglowski, who runs bookmarking site Pinboard, is educating Congressional campaigns. Harvard Kennedy School's Belfer Center for Science and International Affairs, as part of its Defending Digital Democracy project, has also issued a Cybersecurity Campaign Playbook for lawmakers.
Earth to Parliament
Parliament, however, has the benefit of an in-house IT advisory group whose mandate is to help them with all of their cybersecurity needs.
First, however, more parliamentarians need to pay attention. Just because they set cybersecurity laws doesn't mean they're exempt from them.