On behalf of all those involved in security generally, and information security in particular, may I be the first to say, ‘thankyou very much’ to those Members of the British Parliament who insist on using weak passwords contrary to best practice. If true, you provide yet another example for us to use in our presentations and training on the topic. But if these initial indications are correct, and British MPs have compromised their own and their Nation’s security by not following simple instructions, will they be sacked? Where will the buck stop?
[British MPs have also given Western citizens another reason to doubt their governments when in the context of debates on data retention these governments seek to reassure their citizens their information is safe with the government. But this is the subject of a different post.]Who Did It?
Of course everyone is pointing their fingers at the Russians and North Koreans. I have my money on a spotted youth operating out of Dad’s shed taking a break from trading Bitcoins to have a crack at the Houses of Parliament – just because he can. I amuse myself by believing British Members of Parliament exercise more discipline when using public WiFi after reading my post on the topic here, and let their guard down in the office. They probably think someone else is looking after their security for them.
This would be a distraction. Even if it was a foreign government, it is their role to spy on the UK government, as it is Britain’s to spy on others. Accordingly it is the role of British MPs to both do their bit for collective security and set an example for others by not getting caught with their pants down.
Your Emails are More Interesting Than You Think
More seriously, for those in the Humanitarian and Development sectors delivering essential programming support in areas riven with conflict; Somalia, the cholera response in Yemen, the vast numbers of displaced across West Africa (Boko Haram being just one of many causes), Afghanistan, and any kind of humanitarian programming in Syria or Iraq there is a lot of interest in your email accounts and servers to parties to the conflict.
How much money are you spending? Where does it come from? If doing remote programming in Syria, who are the local staff you are employing? How and how much are you paying them? What information are they providing? All of this information and more is contained in the email traffic of Country Directors, Heads of Programming, Heads of Finance, Security Focal Points and others.
We are reminded that security is everyone’s business, and this is especially the case for information security. The days of believing you can just ‘do your job’ and leave safety to the driver, security stuff to the security bloke and IT stuff to the IT guy are long gone. We all must work together.
Responsibility and Accountability
It is early days in this British investigation. Let us assume the smoking gun is pointing in the right direction and the accountability for this vulnerability remains with MPs failing to follow simple procedures. Will the British Prime Minister do us all a favour and immediately sack or severely sanction those MPs who have put their own and their nation’s security at risk by being lazy?
What a great example that would be!
(Main photo courtesy of MapAction operating in Tacloban after the 2013 hurricane.)
If there are any questions arising from this post, please do not hesitate to do so in the comments section below. You are also invited to sign up for email notifications of future posts on this site.