UK Members of Parliament Share Passwords with Staff

UK member of parliament (MP) Nadine Dorries has declared on Twitter that she shares the password to her work computer with staff ‘including interns’. 
The immediate purpose of the statement was to lend political support to under-fire First Secretary of State Damian Green. Green was accused by a former Metropolitan Police assistant commissioner of accessing porn on his work computer following a 2008 police raid investigating Home Office leaks. Dorries’ tweet includes the statement, “For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous!!”
But in supporting her colleague, she might have stirred a bigger scandal than that concerning Green: MPs’ attitude towards passwords. Several other MPs have agreed with and supported Dorries’ position.
Dorries’ defense of Green is common in both politics and international cyber relations: plausible deniability through the difficulty of attribution. If multiple people could have committed an act, you cannot easily prove which one is the guilty party. And if multiple people have access to the password, it is hard to prove who did what with the computer.
In security, however, the fourth criterion after confidentiality, integrity and availability (CIA) is often defined as accountability. It is clear that any MP who shares his or her password is automatically failing to maintain, or specifically obfuscating, accountability. In reality, they are also guilty of ignoring official policy. The House of Commons Staff Handbook (section 5.8) says, “You MUST NOT… share your password.”
The UK’s National Cyber Security Center (NCSC) Password Guidance, updated in August 2016, also states, “You should never allow password sharing between users. Sharing accounts, or even occasional use by anyone other than the account holder, negates the benefit of authenticating a specific user. In particular, the ability to audit and monitor a specific user’s actions is lost.”
However, the sharing of MPs’ passwords may go beyond simply ignoring advice and/or policy. Although sharing passwords is not in itself a breach of the UK’s Data Protection Act, it could lead to a breach. The UK’s data protection regulator, the ICO, itself tweeted, “We’re aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.”
It is questionable whether giving interns access to the potentially sensitive personal information of constituents is within the spirit if not letter of the current law. It is also concerning that Britain’s lawmakers should have such a lax attitude towards security at a time when its intelligence agencies are increasingly warning about Russia targeting the UK government.
Security researcher Troy Hunt suggests, without condoning, that this is an example of users bypassing policy in order to work more efficiently. “Her approach to password sharing may simply be evidence of humans working around technology constraints.” This is common in all organizations — and is generally countered by security awareness training supported by technological controls.

The need to share data among several different people is not uncommon — and there are numerous technology solutions that could be employed. These include delegated access, shared access to collaboration tools (where the MP’s staff would have password-controlled access to the documents rather than to the MP’s computer), or even Microsoft’s SharePoint. 
The most worrying aspect of MPs’ password sharing is their common belief that there is nothing wrong with it. This in turn suggests that MPs do not receive adequate security awareness training and/or that parliament’s IT department isn’t offering sufficient options to make sharing unnecessary — or controls to make it impossible. In most private enterprises, sharing passwords would be considered a disciplinary offense.
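The NCSC point quoted above, that sharing an account removes the ability to audit a specific user, can also be turned into a detection: a single account with overlapping logon sessions on different machines is a strong indicator that its password is being shared. The following is an added Python example, not part of the original article, run over constructed logon records; the account names, hostnames and the eight-hour default length for sessions with no recorded logoff are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real parliamentary logs).
# Fields: timestamp, account, source host, event.
SAMPLE_EVENTS = [
    ("2017-12-04 09:02:10", "mp.example", "PC-OFFICE-1", "logon"),
    ("2017-12-04 09:05:44", "mp.example", "PC-INTERN-3", "logon"),
    ("2017-12-04 09:07:00", "mp.example", "PC-INTERN-3", "open casework.xlsx"),
    ("2017-12-04 09:30:12", "mp.example", "PC-OFFICE-1", "logoff"),
    ("2017-12-04 10:00:00", "staff.jones", "PC-STAFF-2", "logon"),
    ("2017-12-04 10:15:00", "staff.jones", "PC-STAFF-2", "logoff"),
    ("2017-12-04 11:00:00", "staff.jones", "PC-STAFF-5", "logon"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def session_intervals(events, default_len=timedelta(hours=8)):
    """Pair logon/logoff events into (account, host, start, end) intervals.
    A logon with no matching logoff is assumed to last default_len."""
    open_sessions = {}
    intervals = []
    for ts, account, host, event in sorted(events):
        key = (account, host)
        if event == "logon":
            open_sessions[key] = parse(ts)
        elif event == "logoff" and key in open_sessions:
            intervals.append((account, host, open_sessions.pop(key), parse(ts)))
    for (account, host), start in open_sessions.items():
        intervals.append((account, host, start, start + default_len))
    return intervals


def shared_account_indicators(events):
    """Return {account: sorted hosts} for every account that was logged on
    from two different hosts at the same time, i.e. a likely shared password."""
    by_account = defaultdict(list)
    for account, host, start, end in session_intervals(events):
        by_account[account].append((host, start, end))
    flagged = {}
    for account, sessions in by_account.items():
        hosts = set()
        for i, (h1, s1, e1) in enumerate(sessions):
            for h2, s2, e2 in sessions[i + 1:]:
                if h1 != h2 and s1 < e2 and s2 < e1:  # intervals overlap
                    hosts.update({h1, h2})
        if hosts:
            flagged[account] = sorted(hosts)
    return flagged
```

In the sample, the "open casework.xlsx" event cannot be attributed to a person at all, because during that minute the same account was live on two machines; that is exactly the loss of accountability the NCSC guidance describes.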
Related: Hackers Say Humans Most Responsible for Security Breaches 
Related: UK Warns Against Gov Use of Russia-based AV Companies 