MPs bring down wrath of cyber professionals by admitting to password sharing

Rules about password sharing don't apply to MPs

Backbench Conservative MP Nadine Dorries has come under fire from the cyber security Twittersphere after revealing that she routinely shares her password with all of her staff, including interns.

Dorries revealed the worrying fact in a tweet while defending her colleague, and First Secretary of State, Damian Green, who has been accused of - among other things - accessing pornography on his Commons computer.

Dorries, responding to the allegations of a retired police officer, said, "To claim that the computer on Green's desk was accessed and therefore it was Green is utterly preposterous!!"

In a series of follow-up tweets, Dorries defended herself, saying that her staff responded to hundreds of emails every day:

Fellow MP Nick Boles tweeted his support of Dorries, saying that he also shares his password with staff.

The internet, predictably, had a meltdown about the case. Technology writer Kate Bevan wrote, "Nobody, whatever their seniority, should have anyone else's login details," while Steve Wilson, an analyst at Constellation Research, said that Dorries was "normalizing [sic] crappy cybersecurity" to grant her colleagues "plausible deniability".

Security blogger Graham Cluley tweeted: "I'm going to assume UK MP @NadineDorries didn't admit to such crazy infosec practices, and instead just had someone else use her Twitter account instead."

Tony Pepper, CEO at cybersecurity company Egress, said:

"The cyber security industry makes the point about human fallibility time and again for obvious reasons. Passwords tend to be one of the basics when training staff in cyber security - and for good reason, as shared or reused passwords create weaknesses in an organisation's cyber defence. From there, a creative attacker can move sideways through a network, implement phishing attacks or undertake any number of malicious actions. An enterprise can deploy all the advanced tech it likes to track, stop and forensically analyse attacks - but if people make mistakes, these are neutered.

"Although Nadine Dorries' actions are certainly not best practice, publicly vilifying one MP for this single case won't help. This speaks to a much wider need for cultural change, blending roles across HR and technology to make sure people are aware of when colleagues are doing something wrong and challenging this to keep their organisation safe. Smart technological solutions will only work if used in tandem with smart work policy."

The rules must be rewritten

This is hardly the first security headache to affect the Government - it was only a few months ago that 90 accounts were breached in a brute force attack - but it emphasises the need for a new set of rules for MPs.

The House of Commons staff handbook does actually include a section banning the sharing of passwords; but, as BBC technology writer Rory Cellan-Jones notes, those rules apply to HoC staff, not Members of Parliament.

It is notoriously difficult to enforce codes of conduct on MPs, with each Member and their staff acting independently within the House.

Carl Gottlieb, data protection officer for Sky News, drew parallels with Edward Snowden. He told The Guardian: "[Sharing passwords] usually works well until, eventually, the bubble bursts, and previously trusted personnel make mistakes or go rogue.

"Edward Snowden was the greatest example of this, with his NSA colleagues trusting him with their passwords, leading to the biggest breach in security the world has ever seen."