British MPs are ignorant about basic password security, and proud of it

British MPs are ignorant about basic password security, and proud of it

Infosec twitter collectively shat itself this weekend, when Nadine Dorries — a British parliamentarian slash author of god-awful fiction — proudly announced that she shares her email with her staff — including interns.

For context: She’s talking about Damian Green; a fellow Conservative politician who is currently in a spot of bother over allegations he accessed pornography on his government-issued computer. Dorries argues that just because literally thousands of pornographic thumbnails were discovered on his computer doesn’t mean that he’s guilty.

This is startling because it suggests that credential sharing is a common practice in parliament. And indeed, other MPs chimed in to say that they too shared their log-in details with their employees. What’s the big deal?

Nadine Dorries has pointed out that she’s not a member of cabinet, and is merely a backbencher. As a result, she’s unlikely to see any confidential government communications. That’s absolutely true, and is unlikely to change any time soon given the crowning achievement of her political career is an appearance on reality TV show I’m A Celebrity, Get Me Out Of Here, where the veteran MP for Mid Bedfordshire munched on an ostrich anus in front of the entire nation.

Christ, if she ever did get a cabinet position, she’d probably be the Secretary of State for Safety Scissors. And she’ll probably need a grown-up to supervise her at all times. But I digress.

In the UK, MPs act as an advocate for their constituents in a number of sensitive areas, ranging from financial matters, to welfare and immigration issues. It’s seriously alarming Dories doesn’t regard her constituent communications as something that should be protected by adhering to industry best practices.

And as mentioned, the infosec world wasn’t impressed. Some of the best coverage came from Troy Hunt and Javvad Malik, although there was plenty of snark on display from Twitter.

As Troy Hunt pointed out in his blog post, we should approach this with a degree of understanding. Parliamentarians have hundreds of thousands of constituents to answer to. Both Dorries and Boles said they receive hundreds of emails and letters every day. These have to be answered, and it’s impossible for them to reply to them all while tending to their other duties.

The problem is, they’re going about it in entirely the wrong way. For starters, sharing credentials for government email accounts is a major no-no.

But more importantly, there’s a better way. The UK parliament’s email is based on Microsoft Office 365. This supports delegation, which allows authorized third-parties to access specific mailboxes without passing around passwords. This is traceable, revocable, and all-around better.

So, why aren’t MPs using this? It’s entirely possible that they don’t know how. Most MPs tend to have a non-technical background. A (slightly dated) analysis of MPs educational background shows that the majority of parliamentarians studied things like Law, Economics, Politics, and Geography at university. From what I could tell, only two MPs studied computer science to a degree level.

Most MPs tend to be older, too. They aren’t digital natives. The average age of an MP at the 2015 election was 50. According to Wikipeda, Dorries herself is 60.

But that isn’t a defense, and ignorance won’t protect you when a hacker (cough Fancy Bear cough) comes a-knocking.

Read next: November in Africa: Facebook’s launch, Black Friday frenzy, and loads of acquisitions