Malware-infested MPs' PCs inflate leak risk
Four in five Parliamentary machines pwned in last year
Comment "That's one of those irregular verbs, isn't it? I give confidential security briefings. You leak. He has been charged under section 2a of the Official Secrets Act." (Bernard Woolley, Yes Minister)
The ongoing MPs' expenses row has brought public opinion of politics and politicians in the UK, never very high, towards unplumbed depths.
Embarrassing disclosures about how politicians across the political spectrum subsidised their living expenses from the public purse follow hard on the heels of leaked emails regarding a proposed New Labour smear campaign against senior Tories, cobbled together by spin doctors Derek Draper and Brown aide Damian McBride in the style of In the Loop's Malcolm Tucker.
In both cases the emails and leaked files were probably obtained by someone with access to the information, who subsequently attempted to auction it off to national newspapers. The incidents illustrate the fact that all manner of sensitive and potentially embarrassing information is held on the PCs of MPs, ministers and their advisers.
Given the career-threatening implications of data leaks, it's therefore surprising how lax politicians and their advisors are when it comes to data security.
We know that parliamentary computers were infected with the Conficker superworm in March. Conficker hasn't been activated to do anything but it remains of concern that Parliament can be so easily compromised in the first place, something that's happened numerous times in the last twelve months. In March, for example, we reported that police failed to record a crime, still less investigate, when Alun Michael MP discovered a malware infection on his office PC. Michael was able to detect and remove the unidentified malware himself.
These incidents are far from isolated. In response to questions in parliament on Wednesday, Nick Harvey, a Lib Dem member of the House of Commons Commission, said that the vast majority of the 5,000 PCs in use around the Palace of Westminster had been hit by malware over the last year.
In the past 12 months 86 per cent of computers on the estate have been attacked by malware, 78 per cent of which were cleaned automatically by Parliament's anti-virus software, with 8 per cent needing a visit by an engineer. There are 4,991 computers on the estate.
The security of parliamentary PCs ought to be more important than that of a regular office system, because of the confidentiality of MPs' work with their constituents, not to mention the potential for leaks of embarrassing information. Malware-infected computers are certainly no help to the general smooth running of parliamentary business, either.
In fairness, staff running the House of Commons IT systems have their work cut out for them. One security expert compared the system to a University campus network in terms of the institutional lack of control. It's probably even worse than that, because of the sensitivity of the data in question, not to mention the bolshieness - if not arrogance - of some of our elected representatives and their advisors.
The Conficker infection prompted a temporary ban on mass storage devices, including MP3 players, on parliamentary systems. Security experts we've spoken to reckon that more needs to be done, such as the introduction of access controls and encryption across parliamentary systems. The possible application of data loss prevention technology also comes to mind.
Wider use of PGP by politicians might be a good start, except for the fact that the parliamentary BOFHs recently told users that PGP is incompatible with Parliament's remote access software, for reasons even PGP has been unable to fathom thus far.
The lamentable state of PC security in the mother of parliaments creates a real risk of leaks of sensitive information in the future, even if this has not happened already. MPs ignore such possibilities at their peril.
Politicians - typically lawyers or lecturers by trade, with little awareness of computers, much less information security - need to get up to speed with the internet or else risk looking as hapless as fictional politicians like Hugh Abbot and Jim Hacker. ®