Analysis: What Parliament has said so far about the cyber attack suggests a failure to take at least one of the measures regarded as essential for security
The inquest on the cyber attack on Parliament is likely to continue for some time, but from what we’ve been told one lesson has already emerged: it only takes the neglect of one element of cyber security to create a serious vulnerability.
The basics are that Parliament’s email systems were hit by a heavyweight attack on Friday – the source of which is not yet clear – that compromised up to 90 of its email accounts, about 1% of the total. The digital security team had to respond by shutting down the network and denying MPs remote access to their emails.
While the investigations are ongoing, the House of Commons has issued a statement attributing the breakdown in security to the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service.
In other words, a significant number of users did not follow the advice on creating strong passwords. This points to a failure to follow one of the 10 Steps to Cyber Security – the National Cyber Security Centre’s (NCSC) guidance on good practice in the field – namely, to produce user security policies on the use of IT systems and to maintain awareness of cyber risks.
It seems that awareness was not wide enough to ensure that all users had strong passwords, and this indicates that falling short on just one of those 10 steps can open the door to a damaging attack. Maybe this was related to the recent influx of new MPs, although it is unlikely that Parliament will want to attribute any blame to new entrants.
User privileges and configuration
There could also be a question over whether the system should have been set up to activate an account only once a strong password had been set. This would involve shortcomings related to two of the other steps: managing user privileges effectively and ensuring secure configuration.
Keeping things in perspective, there has apparently been a quick recovery, with Speaker of the House John Bercow telling Parliament that good progress was being made on reinstating remote access to MPs and their constituency offices.
Users have been instructed to change their passwords and set up multi-factor authentication. The latter involves users supplying a mobile phone number to the IT team, which can then send them a security code along with guidance on how to create a strong password.
Meanwhile, a spokesperson for the House of Commons said it would not reveal whether any data was lost while the investigation was ongoing, and that: “We have made a series of technology changes to increase user account security and will continue to assess and improve our risk mitigation measures. Users are being required to change their passwords and are being proactively reminded of the best practice cyber security advice.”
The National Cyber Security Centre has also confirmed that it has been working with Parliament’s digital security team to understand what has happened and provide advice on any actions.