When the Member of Parliament Nadine Dorries sent a tweet in an attempt to defend fellow MP Damian Green, she had no idea that the tweet would result in her opening a can of worms.
My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!
— Nadine Dorries (@NadineDorries) 2 December 2017
Recently Damian Green MP had the accusation publicly aired that he watched porn on his parliamentary computer by former assistant commissioner of the Metropolitan Police Bob Quick. Nadine Dorries defence of Damian Green was that standard practice in her office was that her login details were widely known; not only by permanent staff, but also temporary interns.
When confronted by a mass of other Twitter users, Nadine Dorries’ response was not to realise that sharing login details is poor security practice, but to dig in further an attempt to justify her actions.
You don’t have a team of 4-6 staff answering the 300 emails you receive every day
— Nadine Dorries (@NadineDorries) 2 December 2017
The behaviour of sharing login details is not unique to Members of Parliament, I’ve known many people share their login details with another person in order to get work done. This affair highlights the need of IT departments to remain as flexible as possible with people they work with and be accommodating their needs. Too often I’ve come across IT departments that have a default answer of no, making themselves completely unapproachable. This attitude results in employees only seeking help from IT when absolutely needed, usually after a serious incident has already occurred.
Unfortunately a fundamental human behaviour is to find solutions and workarounds to problems we are presented with. Nadine Dorries is a perfect example of that happening, she just happens to have tweeted about it.
Education, Education, Education
Fundamentally I think this affair shows how poor most people’s knowledge of IT really is. To people who are IT literate the pitfalls of sharing login details look to be obvious; the lack of individual traceability; the ability to impersonate the user; as well as the further likelihood that the password is shared across multiple systems. These supposedly obvious pitfalls are not however obvious to an untrained user.
For me this highlights the need to increase the amount of IT education people receive so, that the possible ramifications of poor practices such as this are more widely known.
Perhaps this also shows how poor password based login details are and the need to move to better forms of authentication that require less emphasis on users to memorise multiple usernames and passwords for different systems. Passwords remain a problem that will likely remain for a number of years yet; as the famous XKCD comic shows, generally each company will create a different standard of how they think the solution should work, resulting and a number of competing standards.
Any Business is Sensitive Business
In June 2017 the UK Parliamentary email system suffered a “sustained and determined” attack by hackers looking to gain access to email accounts used by both MPs and their staff. In order to prevent a successful attack, the IT department at the palace of Westminster decided to temporarily restrict email account access until a solution could be found. Users could only access their emails when they were physically within the parliamentary estate.
While I do have sympathy for people who struggle with restrictive IT departments, that fact that a serious cyber incident occurred in Westminster only five short months earlier and the WannaCry incident only a month before that, means it surprises me that Nadine Dorries seems to feel no remorse despite being direct contradiction of Parliamentary Digital Standards.
I’m not the Gov. I’m an MP with a computer in a shared office upon which lives an email account. That’s as exciting as my computer gets
— Nadine Dorries (@NadineDorries) 3 December 2017
One of Nadine Dorries defensive tweets is to state that as she is not in government and therefore has no need to worry about an unauthorised third party accessing her account as they would find nothing of use.
This is a terrible defence as while the content of Nadine Dorries email account may be relatively trivial the power her account could provide to an attacker is immeasurable. For example an attacker could use her email address to send an email with Malware inside to a government employee who see Nadine Dorries MP as a trusted source and so readily open the email and Malware inside. This Malware could pass itself on until it reaches a user who is a useful target with valuable data which it could then harvest for its needs.
Part of the issue is that the reality of what Malware can do is still stuck in the early 2000s where it was brash, obnoxious and its aim was either to make money or cause mayhem; think how often films and TV shows still have Malware taking over a computer and pop-ups flashing all across the screen and irritating sounds playing. Today’s reality is that the bigger threat to governments and organisations is not the classic style of Malware, but Malware created by state actors who have a range of undisclosed vulnerabilities at their disposal. This Malware is generally silent, can reside on a system for months before discovered and its aims may not be clear to the user.
Perhaps to some MPs this logic may seem like an over-the-top and alarmist reaction. Initial investigations of the June attack have pointed the finger at Iran as the culprit. I believe we are only seeing the beginning of state sponsored cyber attacks and talk of a digital Geneva Convention may not be so far-fetched.
Many of us are guilty of cyber faux pas, but I personally think that people in sensitive positions such as Nadine Dorries should be held to a higher standard than the rest of us. Even if she isn’t in the Government, she has a responsibility to ensure her constituent business is carried with utmost confidentiality.