UK member of parliament (MP) Nadine Dorries has declared on Twitter that she shares the password to her work computer with staff ‘including interns’.
The immediate purpose of the statement was to lend political support to under-fire First Secretary of State Damian Green. Green was accused by a former Metropolitan Police assistant commissioner of accessing porn on his work computer following a 2008 police raid investigating Home Office leaks. Dorries’ tweet includes the statement, “For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous!!”
But in supporting her colleague, she might have stirred a bigger scandal than that concerning Green: MPs’ attitude towards passwords. Several other MPs have agreed with and supported Dorries’ position.
The Dorries’ Green defense is common in both politics and international cyber relations: plausible deniability through the difficulty of attribution. If multiple people can be guilty of an act, you cannot easily prove which one is the guilty party. And if multiple people have access to the password, it’s hard to prove who did what with the computer.
In security, however, the fourth criterion after confidentiality, integrity and availability (CIA) is often defined as accountability. It is clear that any MP that shares his or her password is automatically failing to maintain, or specifically obfuscating, accountability. In reality, they are also guilty of ignoring official policy. The House of Commons Staff Handbook (section 5.8) says, “You MUST NOT… share your password.”
The UK’s National Cyber Security Center (NCSC) Password Guidance, updated in August 2016, also states, “You should never allow password sharing between users. Sharing accounts, or even occasional use by anyone other than the account holder, negates the benefit of authenticating a specific user. In particular, the ability to audit and monitor a specific user’s actions is lost.”
However, the sharing of MPs’ passwords may go beyond simply ignoring advice and/or policy. Although sharing passwords is not in itself a breach of the UK’s Data Protection Act, it could lead to a breach. The UK’s data protection regulator, the ICO, itself tweeted, “We’re aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.”
It is questionable whether giving interns access to the potentially sensitive personal information of constituents is within the spirit if not letter of the current law. It is also concerning that Britain’s lawmakers should have such a lax attitude towards security at a time when its intelligence agencies are increasingly warning about Russia targeting the UK government.
Security researcher Troy Hunt suggests, without condoning, that this is an example of users bypassing policy in order to work more efficiently. “Her approach to password sharing may simply be evidence of humans working around technology constraints.” This is common in all organizations — and is generally countered by security awareness training supported by technological controls.
The need to share data among several different people is not uncommon — and there are numerous technology solutions that could be employed. These include delegated access, shared access to collaboration tools (where the MP’s staff would have password-controlled access to the documents rather than to the MP’s computer), or even Microsoft’s SharePoint.
The most worrying aspect to MPs and their password sharing is their common belief that there is nothing wrong in this. This in turn suggests that MPs do not receive adequate security awareness training and/or that parliament’s IT department isn’t offering sufficient options to make this unnecessary — or controls to make it impossible. In most private enterprises,sharing passwords would be considered a disciplinary offense.
Related: Hackers Say Humans Most Responsible for Security Breaches
Related: UK Warns Against Gov Use of Russia-based AV Companies
More from Kevin Bowers
- Alexa May Be Recording More Than You Realize
- UK’s NCSC Adopts HackerOne for Vulnerability Coordination Disclosure
- Artificial Intelligence in Cybersecurity is Not Delivering on its Promise
- Untangle Partners With Malwarebytes to Bring Layered Security to SMBs
- Testing Security Products: Third-Party Standards vs. In-House Testing
- New Cyber Readiness Program Launched for SMBs
- Personal Details of 120 Million Brazilians Exposed
- Researchers Find Thousands of Twitter Amplification Bots in Just One Day
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
