On Friday evening a Commons spokesperson announced that there had been a cyber-attack on Parliament. On Sunday, the spokesperson said that the “sustained and determined” attack had affected “significantly fewer than 1% of the 9,000 accounts on the Parliamentary network.” The attack involved hackers trying to discover passwords. Those affected by the attack had “weak passwords” which did not meet Parliamentary Digital Service guidance.
This attack shows that more needs to be done to protect MPs who need to better understand digital technology, make use of the help that is on offer from parliamentary authorities who in turn must improve digital and online security.
MPs have speculated that Russia or North Korea are the potential sources of this latest attack and both the Chief Executive of the National Cyber Security Centre (NCSC) and the Defence Secretary have previously warned that the UK needs to be prepared for Russian attacks.
Last week the Institute for Government published a report on improving the management of digital government. The report found that the threats and risks from cyber-attacks - including those from state sponsors like Russia - are growing.
In May, the WannaCry attack affected hospitals and doctors’ surgeries across the country. Like Parliament, the NHS has a large network of people who are partly responsible for their own digital security, albeit with advice and support from others. While the WannaCry attack appeared to have a financial motive, and affected the NHS by chance, it is reasonable to assume that the aim of Friday’s attack was to influence Members of Parliament. This could involve blackmailing MPs using information from their private emails, or by gathering information about MPs which could be used for a further cyber or other intelligence attack.
Last year, the charity Doteveryone helped four MPs to improve their use of digital technology. They found that “staff were unsure about what potential security breaches they faced. We helped them understand what is secure and where the threats lie.”
At the recent launch of the Institute for Government report on improving the management of digital government, one of the panellists Ciaran Martin - CEO of the NCSC - spoke about the practical support that the NCSC provides. This support, he suggested, is proportionate to the threat and the capacity of the organisation being supported. He added that “most [cyber-attacks] are unnecessary, preventable and of poor quality. It is a subject shrouded in mystique and it shouldn’t be.”
The parliamentary authorities, drawing upon advice from NCSC, do provide support to MPs. But MPs are often too busy to take advantage of this support and many do not understand the issues involved.
Three steps could be taken to support cyber security in Parliament. Firstly, MPs must better understand digital technology. Secondly, MPs must make use of the help that is already on offer from parliamentary authorities. Finally, parliamentary authorities must improve digital and online security.
Like other leaders, MPs need to get past the mystique of cyber security so that they, and the country, can maximise the benefits and minimise the risks presented by the digital age. It is still acceptable for public officials to say bluntly that they don’t understand digital technology. This should no longer be the case.