SecurityWeek

Identity & Access

UK Members of Parliament Share Passwords with Staff

UK member of parliament (MP) Nadine Dorries has declared on Twitter that she shares the password to her work computer with staff ‘including interns’. 

The immediate purpose of the statement was to lend political support to under-fire First Secretary of State Damian Green. Green was accused by a former Metropolitan Police assistant commissioner of accessing porn on his work computer following a 2008 police raid investigating Home Office leaks. Dorries’ tweet includes the statement, “For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous!!”

But in supporting her colleague, she might have stirred a bigger scandal than that concerning Green: MPs’ attitude towards passwords. Several other MPs have agreed with and supported Dorries’ position.

Dorries’ defense of Green is a familiar one in both politics and international cyber relations: plausible deniability through the difficulty of attribution. If several people could have carried out an act, it is hard to prove which of them did; and if several people hold the password, it is hard to prove who did what on the computer.

In security, however, accountability is often added as a fourth criterion after confidentiality, integrity and availability (CIA). Any MP who shares his or her password is failing to maintain accountability, or deliberately obscuring it. They are also ignoring official policy: the House of Commons Staff Handbook (section 5.8) says, “You MUST NOT… share your password.”

The UK’s National Cyber Security Centre (NCSC) Password Guidance, updated in August 2016, also states, “You should never allow password sharing between users. Sharing accounts, or even occasional use by anyone other than the account holder, negates the benefit of authenticating a specific user. In particular, the ability to audit and monitor a specific user’s actions is lost.”

However, the sharing of MPs’ passwords may go beyond simply ignoring advice and/or policy. Although sharing passwords is not in itself a breach of the UK’s Data Protection Act, it could lead to a breach. The UK’s data protection regulator, the ICO, itself tweeted, “We’re aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.”

It is questionable whether giving interns access to the potentially sensitive personal information of constituents is within the spirit, if not the letter, of the current law. It is also concerning that Britain’s lawmakers should have such a lax attitude towards security at a time when its intelligence agencies are increasingly warning about Russia targeting the UK government.


Security researcher Troy Hunt suggests, without condoning, that this is an example of users bypassing policy in order to work more efficiently. “Her approach to password sharing may simply be evidence of humans working around technology constraints.” This is common in all organizations — and is generally countered by security awareness training supported by technological controls.

The need to share data among several different people is not uncommon — and there are numerous technology solutions that could be employed. These include delegated access, shared access to collaboration tools (where the MP’s staff would have password-controlled access to the documents rather than to the MP’s computer), or even Microsoft’s SharePoint. 
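The difference between delegated access and a shared password is easiest to see in what each leaves in the audit log. The following is an added illustration, not code from the article or from any parliamentary system: a minimal model in which staff either authenticate as themselves and receive specific rights from the account owner, or simply log in with the owner’s password. The identities (“mp”, “caseworker”, “intern”), the action vocabulary and the resource name are constructed for the example.

```python
"""Added example (not from the SecurityWeek article): delegated access
versus a shared password, and what each leaves in the audit trail.
Identities, actions and resource names below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AuditEvent:
    actor: str       # the authenticated identity the system saw
    owner: str       # whose resources were touched
    action: str
    resource: str
    allowed: bool


@dataclass
class DelegatedAccessControl:
    """Everyone authenticates as themselves; the owner grants named delegates
    specific rights. The log records the real actor, and unauthorised
    actions are both denied and recorded."""
    grants: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    audit: List[AuditEvent] = field(default_factory=list)

    def grant(self, owner: str, delegate: str, actions: Set[str]) -> None:
        self.grants.setdefault((owner, delegate), set()).update(actions)

    def act(self, actor: str, owner: str, action: str, resource: str) -> bool:
        allowed = actor == owner or action in self.grants.get((owner, actor), set())
        self.audit.append(AuditEvent(actor, owner, action, resource, allowed))
        return allowed


@dataclass
class SharedPasswordAccount:
    """One account whose password has been handed to several people.
    Whoever logs in *is* the owner as far as the system can tell, so every
    action is attributed to the owner and nothing is ever denied."""
    owner: str
    password_holders: Set[str]
    audit: List[AuditEvent] = field(default_factory=list)

    def act(self, real_person: str, action: str, resource: str) -> bool:
        if real_person not in self.password_holders:
            return False  # could not have logged in at all
        # The system never learns real_person; it only saw the owner's password.
        self.audit.append(AuditEvent(self.owner, self.owner, action, resource, True))
        return True

    def possible_actors(self, event: AuditEvent) -> Set[str]:
        """After-the-fact attribution: anyone holding the password could have done it."""
        if event.actor == self.owner:
            return set(self.password_holders)
        return {event.actor}


def run_delegated_scenario() -> DelegatedAccessControl:
    ac = DelegatedAccessControl()
    ac.grant("mp", "caseworker", {"read", "write"})
    ac.grant("mp", "intern", {"read"})                       # least privilege
    ac.act("caseworker", "mp", "write", "constituent_casework")  # allowed
    ac.act("intern", "mp", "read", "constituent_casework")       # allowed
    ac.act("intern", "mp", "write", "constituent_casework")      # denied, and logged
    return ac


def run_shared_password_scenario() -> SharedPasswordAccount:
    acct = SharedPasswordAccount("mp", {"mp", "caseworker", "intern"})
    acct.act("intern", "write", "constituent_casework")  # succeeds: no least privilege
    return acct


if __name__ == "__main__":
    for e in run_delegated_scenario().audit:
        print(f"delegated: actor={e.actor} action={e.action} allowed={e.allowed}")
    shared = run_shared_password_scenario()
    for e in shared.audit:
        print(f"shared: recorded actor={e.actor}; "
              f"could have been any of {sorted(shared.possible_actors(e))}")
```

Under delegation the intern’s attempt to write is refused and the refusal is recorded against the intern; under the shared password the same write succeeds and the log names only the MP, so the set of people who might have performed it is the whole set of password holders. That is the loss of auditability the NCSC guidance describes, and the plausible deniability the Dorries defense relies on.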

The most worrying aspect of MPs’ password sharing is their common belief that there is nothing wrong with it. This in turn suggests that MPs do not receive adequate security awareness training and/or that parliament’s IT department isn’t offering sufficient options to make sharing unnecessary, or controls to make it impossible. In most private enterprises, sharing passwords would be considered a disciplinary offense.

Related: Hackers Say Humans Most Responsible for Security Breaches 

Related: UK Warns Against Gov Use of Russia-based AV Companies 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
