How the Parliamentary Digital Service is working to keep the Commons secure
Following a major cyberattack and revelations of shared passwords, the team charged with protecting Parliament has been on a drive to help MPs stay safe
Credit: CC BY 3.0
Parliament is tackling MPs’ poor IT security habits by removing reasons to share passwords with staff, as well as through education – not to mention novelty mouse mats.
“As Parliament, we need to ensure we are putting things in place that allow people to work without the need for them to do things that are unsafe,” says Tracey Jessup, director of the Parliamentary Digital Service (PDS).
“Just like with any organisation, there’s a balance between the technical measures you put in place for passwords and the advice and guidance,” she adds. “Whatever you do, you will always have somebody who has the weakest password. We are clear that people should not be sharing passwords.”
Not sharing passwords and locking computers when leaving desks are not just guidance but rules in the House of Commons staff handbook
In December, as part of arguments over how pornography found its way onto the computer of former deputy prime minister Damian Green, one-time I’m a Celebrity contestant Nadine Dorries tweeted “All my staff have my login details,” while fellow Conservative MP Nick Boles added that he often forgot his password and had to ask staff for a reminder. James Clayton, a BBC producer, said it was “extremely common” for MPs to share login details.
Since then, at least one MP has altered how he works. Conservative MP Will Quince, who tweeted in December that he sometimes left his machine unlocked so his staff could use it, says that, while he hadn’t been able to fit sufficient context into his original tweet, “I have spoken with the Parliamentary Digital Service, and reviewed my working arrangements accordingly”.
Neither Nadine Dorries nor Nick Boles responded to questions on whether they have changed their ways.
They have all been reminded of the need to do so, with the Information Commissioner’s Office writing to all MPs about their responsibilities under data protection law.
This letter highlights the importance of following good practice in respect of password management and information security,” says a spokesperson.
The problem is that members of Parliament are not your average workforce: people who collectively write the laws of the land are perhaps unlikely to submit to mere organisational rules they don’t like. And at least some of the password-sharing has been down to systems that have not allowed MPs’ staff to carry out work on their bosses’ behalf, even with permission.
Part of the answer is MemberHub, which allows members to delegate work to their staff through a specific IT system rather than by sharing logins. It was introduced in November to accept questions from opposition and backbench MPs to ministers, replacing a number of incompatible electronic and paper systems.
The result has been much less retyping of such questions. From launch to Parliament’s February recess, 68% of oral questions (which MPs ask in person, but are tabled in advance) and 85% of written questions went through MemberHub, with 348 MPs and 452 staff using it.
“It’s going to be a one-stop shop for members and their staff to do a number of things,” says Jessup.
Number of entry attempts repelled in one hour during June 2017 cyberattack
Number of email accounts compromised as a result of the attack
Number of MPs – out of a total of 650 – using MemberHub, a service which allows them to delegate work to staff without sharing logins
The system allows members to register their staff, control what those staff can do on their behalf, and provide an audit trail.
As well as introducing new systems, PDS works to educate the 9,000 users of its services in better digital security. In February it hosted a month of talks with topics including the dark web, cryptocurrencies and specific advice for those working in Parliament. The latter included speakers from GCHQ’s National Cyber Security Centre and the Metropolitan Police’s national lead on open-source digital intelligence, who spoke about ‘finding you on the internet’.
Novelty merchandise plays a role, too.
Jessup hands over a bag available at such events, labelled “There are no passwords kept in this bag overnight!” containing sticky notes headed “Please tell me this isn’t your password?”, reusable plastic mugs labelled “I’m not a cyber mug”, fortune cookies with messages like “A weak password gathers many hacks” and a mouse mat reading “Treat your password like you treat your toothbrush, never share it”.
"Whatever you do, you will always have somebody who has the weakest password. We are clear that people should not be sharing passwords."
The aim of serious talks and amusing promotional items is to help keep members and staff safe online both at work and in general.
“We’re trying to take a very holistic, in-the-round approach,” Jessup says. “Things like mouse mats that just remind people what to do through a small visual cue are as important as any type of message that says ‘this is very bad’.”
PDS is also promoting security in MPs’ constituency offices across the UK, some of which have just one or two staff. Jessup says PDS participates in regional events for such employees, most recently in York, and her staff are visiting every constituency office and advising on security as part of introducing Microsoft services including Office 365, SharePoint, One Drive, and Skype for Business for all users, work that will continue during 2018/19.
But to convince people that cybersecurity is a real problem, there’s nothing like an actual cyberattack.
On Friday 23 June, such an attack was spotted by PDS’ 10-strong cybersecurity team, working in a security operations centre set up just six months previously. Former
PDS director Rob Greig wrote that, at the attack’s height, systems blocked 48,000 entry attempts in one hour. The attack compromised 39 of Parliament’s 9,000 email accounts.
“Nobody would wish a major cyberattack would happen to the UK Parliament, but you would be in a hole not to know it had happened,” says Jessup (pictured left). “In terms of our 9,000 users, their level of awareness that this is a threat is obviously much higher having had the evidence of a real threat.”
She adds that the attack helped justify the work PDS had already undertaken to improve security, while Yochana Henderson, head of identity and access management, was recognised with an MBE in the New Year’s Honours List partly for her work in June.
“Her role in the cyberattack was most certainly recognised – she’s an absolutely key part of our staff and a really great example of a woman in cybersecurity, which is a pretty rare thing,” says Jessup.
What PDS decided to on the Sunday following the attack shows how it has to persuade its users, rather than just tell them what to do. It had just introduced multi-factor authentication for MPs newly elected in the previous month’s general election and their staff, and decided to compress the key elements of what it had planned as a year-long deployment into a few hours.
“When you came in on Monday, if you were a pass-holder, there were police officers handing out a two-page simple guide,” says Jessup, who led the recovery effort. “There were rooms open full of our staff across the Parliamentary estate for each type of our customers, in order to help them.”
Ministers stress mass deletion was result of ‘human error’
Former head of NCSC Ciaran Martin believes that ‘war on Whitehall’ has ended – to minimal discernible effect
Foundation set up in memory of late Cabinet Secretary Jeremy Heywood seeks ideas for how to solve challenges created by coronavirus
Keeper of the National Archives Jeff James on how coronavirus has reinforced the importance of public information
In 2020 public sector organisations have been tested to a degree never experienced before. According to CrowdStrike, increasing cybersecurity attacks are an additional complication they must...
The remote-first world has seen email being relied on more than ever as a core communication mechanism - but with 93% of IT leaders acknowledging a risk to sensitive data, what steps should be...
2020 was a cyber security wake up call for many organisations. Attempting to provide secure remote access and device flexibility quickly exposed the flaws in legacy systems and processes. As we...