Politicians and their staff are potentially the weakest link in the cyber security of our political system, and they are being warned to beef up their security to avoid a DNC-like hack.
When politicians are elected to Parliament, they and their staff are given security briefings on how to protect themselves from potential physical dangers or violent attacks, but they are not given briefings on how to protect themselves from cyber attacks. Some MPs are so lax with security they have a single “office password” given to all staff to use for the various email, social media and other communications services MPs use to do their jobs.
All the attention given to the Russian hack on the Democratic National Committee to influence the outcome of the US presidential election has drawn sharp focus on the security of political parties themselves, with some experts warning that Australian political parties were not protected from similar state-sponsored attacks. To that end, Prime Minister Malcolm Turnbull announced on Tuesday that the leaders and top staff of the major political parties would be given classified briefings by the Australian Signals Directorate on how to better protect themselves from DNC-like attacks (although the parties were not made aware of this until it had been reported in The Australian overnight).
Turnbull specifically pointed to people opening dodgy attachments, poor password management and not using two-factor authentication.
But Labor MP Tim Watts argues that the briefings need to go to every single elected member of parliament, candidates and their staff, because they will often represent the weakest point in the security of the party. When the DNC hack became an issue in the US election, Watts began offering briefings to his colleagues and their staff about how to protect themselves, but he says wider training is required for the unique risk politicians face.
“We are in a perceptions business. It makes us vulnerable to doxing [where personal information is posted online], it makes us vulnerable to blackmail, it makes us vulnerable to ransomware because our public perception is our livelihood,” he said.
“When you look at the major attacks around the world, the vectors have targeted the weak spots … they’ve targeted often campaign staff, or they’ve targeted staff of elected representatives, so it is really important that this message filters out because you’re only as strong as your weakest link in this space.”
Watts, who had previously worked for Telstra before getting into politics, says that security is taken much more seriously in the private sector than the public sector, where the focus has more been on ministers and the handling of classified materials. Politicians, in addition to their APH emails — which the Chinese had access to for most of a year back in 2014 — are on a variety of online services, including their electorate systems, social media, their personal phone and email accounts, Slack accounts and other communications.
“MPs have multiple people touching those platforms. They have staff, they have campaign volunteers, they have a range of actors with access to those accounts, and that increases the security risk significantly. These sites are getting owned every day of the week. If you have the same password on one, you’re owned on all of them,” Watts said.
A backbench MP might seem like a low risk for an attack, but Watts says often these attacks have a long lead time, so the junior opposition backbencher hacked today might be a future defence minister.
While Watts can teach his Labor colleagues, there is no training across party lines yet. If politicians and their staff had a basic awareness of spear-phishing attacks and social engineering, and practised proper security management, Watts says they would mitigate much of the risk facing parliamentarians.
“We don’t do information sharing at the moment between members of parliament, between political parties, and our cyber security agencies, but you only have to look at the junk folders for members of parliament’s email addresses and it is clear there are spear-phishing attacks in there.”
Watts says that while the government was arranging briefings for the parties, no one from DPS or the Speaker’s or Senate President’s offices had contacted MPs about their own cyber security yet.