credential sharing is a “culture thing”

Stella
4 min read · Dec 4, 2017

Graham Cluley wrote this about a data security issue in the UK parliament. I agree completely with his points and those of @J4vvad — but as an ex public servant, I have a few points I wanted to raise.

Most importantly, government and public sector infrastructure is underfunded. It involves huge groups of diverse people at different levels of authorization, experience and training, often using their own devices at work. Tech support in hospitals, schools and council offices is not usually well paid, and very small IT support teams are often supporting hundreds if not thousands of end users at one time.

My main concern with the Dorries story is that her insouciance is damaging because it endorses and reflects attitudes in the public sector which seem alien in the corporate world. To joke about credential sharing and not remembering passwords will resonate with many end users in schools, hospitals and government offices. This is not to shame these end users or suggest that they are lazy or incapable; they are not. Instead I see them as unempowered and uninformed.

Much of my career has been spent working with schools and local government offices. Pretty much every day I met someone who would express a fear of “breaking” a device they used or a dislike for technology. You send an email and three months later someone replies because the school server was down or they don’t get much time to access email. For every shiny new school with rafts of Chromebooks and iPads for all, there are rooms full of staff who lack basic training and are frustrated they can’t make things work. I even fought for over a year to introduce a website to a school because the Principal and some parents disliked using the internet, saw no future in it and preferred paper. In all these situations it is frustrating or sad, but it is vital to give people confidence or reassure them.

What Nadine Dorries and her colleagues have done is try to defend one MP’s alleged use of legal porn by asserting that no one knows who exactly is logged in on any device at any time in the House of Parliament. While they are all sitting merrily tweeting and giggling about porn and how they are all at it, they are damaging the work of public sector security and privacy professionals. These professionals are the ones who work hard to train staff to meet important standards. They are also the first ones who will be hauled over the coals in a breach situation.

Of course we could do more awareness and compliance training. Realistically however the public sector is a huge and unwieldy beast to wrestle. It is not impossible to improve the situation but it takes time to turn that ship. To me it represents a cultural shift and a real change in how people interact with technology.

Many constituents will hear this and say “yes, it’s so confusing, all these passwords and tech” and so the cycle repeats itself. Dorries and her peers exist in a world where technology is often seen as a necessary evil rather than a useful tool. They exhibit a complete lack of respect for, or worse, no awareness of the confidential data available on their devices. The flagrant disregard for existing guidelines is shocking and should get them all disciplined, but I doubt anyone will see the need to do so. The challenge is to make everyone see that ALL information has value and to empower them to protect their information. Dorries and her supporters have no interest in communicating or acknowledging this. This is all a private joke to them.

I have heard this said in infosec too, that the hacking community is not a sales and marketing department and should not be required to do outreach. I see things differently. We are not asking every hacker or infosec professional to go out and be an evangelist. Yet with an absence of decent political leadership and a lack of public funding, SOME OF US HAVE TO STEP UP! The more we dispel myth and fear about technology and enable people to use it well, the easier our jobs can be. Even better, in this ideal world, when MPs suggested that they share credentials, there would be public outrage. We have to help the general public because right now they are often badly served by people who care more about their Instagram feed and next book deal than public service. Want to change the “hacker criminal” narrative? This could be a good place to begin.


I write about privacy in abusive relationships and also muse about inclusion in infosec. I have opinions but I listen. Views are mine.