As the media has covered in the last couple of days, Tory MP Nadine Dorries’ attempt to defend Damian Green over his alleged viewing of pornography on his parliamentary computer led to her rash admission that she routinely lets her staff use her credentials to log onto her own parliamentary computer – and that she often has to ask them to remind her what her password is:
This revelation sparked social media astonishment on the part of IT professionals:
It seems that the IT managers of Parliament’s Digital Service were equally appalled, as demonstrated by a email it sent to all parliamentary personnel this afternoon. The email’s drips with the exasperation of someone who works hard to achieve an objective only to see it all undone by idiocy, along with a tone of suppressed panic:
No matter how many technical systems we put in place, we also rely on you to help us to protect yourself, your office and the wider parliamentary community from cyber attack. Cyber security is everyone’s responsibility.
A strong password, known only to you, is an essential first- line defence . As the attack in June demonstrated, weak and shared passwords can put the entire parliamentary network at risk.
Parliament’s ICT Security Policy, which we all agree to comply with as a condition of using parliamentary digital services, clearly states:
“Passwords must be considered as confidential and must be used only by the originator (and so not shared with other users)”. If you share your password, or login as anyone other than yourself, you are in breach of this policy.
If you have been working in an insecure way by sharing your password with others, or by logging in to someone else’s account, we would like to help. In most scenarios, the solution is to provide colleagues with delegated access to your email and calendar via their own accounts. Contact the Support Desk on 020 7219 2001 to set this up. If your issues are more sensitive or more complex, please contact firstname.lastname@example.org , and someone will call or email you back.
This email, which veers from a strict tone at first to the forced gentleness you might use when asking a toddler to put down a loaded gun, demonstrates beyond question that Ms Dorries has been in breach of a strict policy that she personally signed to accept.
But the fact that the Digital Service had to send this message to every user of the parliamentary ICT system suggests that such bad practice may well be widespread around Westminster.
As the email points out, Parliament suffered a serious IT security breach as recently as June:
Everyone with access to Parliament’s network was told to change their passwords after parliamentary users’ log-in details were compromised – but it appears that the first thing at least some of them then did was to render the security of Parliament’s IT systems defunct by giving those new passwords to various other people.
The Digital Service was not the only organisation to be horrified by the poor practice. The Information Commissioner’s office also issued a stern warning that MPs may be breaking the law:
The amount that Parliament spends on ICT security will undoubtedly run into millions – but with terrifying casualness it has been rendered a waste of money by people who don’t understand, or don’t care about, such trivial matters as preventing unauthorised access to potentially very sensitive information.
The prospect that the sharing of passwords with staff has been a widespread practice on the parliamentary estate means that information security in Parliament has been compromised for months or even years – no matter how much money has been spent on system security.
Who knows what information has passed into the wrong hands because of arrogance or simply astonishingly sloppy, unthinkingly-casual poor practice?
Nadine Dorries was contacted for comment but did not respond by the time of publication.
The SKWAWKBOX needs your support. This blog is provided free of charge but depends on the generosity of its readers to be viable. If you can afford to, please click here to arrange a one-off or modest monthly donation via PayPal. Thanks for your solidarity so this blog can keep bringing you information the Establishment would prefer you not to know about.