Democratic institutions are under cyber siege. Parliaments and parliamentarians need to up their game if they are going to defend themselves. National leaders’ and decision-makers’ widespread reliance on Internet-connected digital technologies makes it critical that they use those tools responsibly and with care. It also means that those supporting leaders need to make it safe, secure and reliable for them to do so.
It’s no surprise that parliamentary computer networks have become targets of potential adversaries: national parliaments consult on, endorse or supervise all significant government actions. Planning, negotiation and decisions related to international trade agreements, strategic defence arrangements, intelligence agency collection priorities and, today, COVID-19-related issues, are all matters of understandable interest to foreign intelligence services. In addition to the threat from nation states, many of these matters may also be of interest to those inclined to conduct espionage for corporate purposes.
Meanwhile, political life is becoming increasingly reliant on mobile devices used by staff, colleagues, peers and constituents. Mobile use carries inherent risks: users act more quickly and are less likely to consider carefully whether a message they receive is legitimate, so they are more likely to fall victim to social engineering and phishing campaigns, with consequences that reach well beyond the individual and enable wider cybercrime. In addition, when high-profile users such as members of parliament and ministers conduct personal business and manage their social media accounts on government networks, an attacker who compromises those networks can reach those accounts as well: to conduct other types of operations, such as disinformation campaigns, and to obtain users’ personal communications and leverage them for nefarious purposes.
Addressing this challenge requires both a high degree of user awareness and a serious commitment on the part of organisations and institutions. Both are often lacking. As recent high-impact attacks against national parliaments have demonstrated, the financial and political resources expended on dealing with consequences of these attacks would be better spent on prevention.
Prevention Is Better Than Cure
The role of parliaments would, one assumes, warrant a high degree of protection for the environment and elicit an equally high level of security awareness and concern among people using parliamentary networks. However, this is not the case. Humans can still constitute the weakest link in the cybersecurity ecosystem. By taking more care, though, they can also add significant strength to it.
Compromises of national parliaments have become both more common and more severe in recent years, and most have been attributed, with a reasonable degree of confidence, to state-sponsored threat groups. The European Parliament and the parliaments of Australia, the United Kingdom, Finland, Scotland, Norway, Germany and Estonia have all been targets of serious cyberattacks. Add to this the attacks on political parties and organisations (such as the well-reported compromise of the Democratic National Committee (DNC) in the United States), and the picture is grim. In many of these cases, human error facilitated the malicious operation: breaches were traced to users who chose weak passwords, did not use multi-factor authentication or clicked on phishing emails.
The ability of states to respond to these cyberattacks is somewhat limited: there have been various forms of démarche, but beyond diplomatic expulsions and firmly worded letters, such activity often goes uncountered. Unfortunately, once a country has reached the point of responding to state-sponsored malicious cyber activity targeting its core institutions, it is often too late. In the United States, the DNC hack arguably cost the Democrats the presidency and put US-Russia relations on a collision course. Following the attack against the German Parliament, the EU adopted cyber sanctions against a number of Russian individuals and entities believed to be responsible – almost five years after the attack occurred. While such responses might be politically important, it is greatly preferable to deny the perpetrators the opportunity to cause harm in the first place.
New Zealand’s Parliamentary CISO
Every organisation likes to think of itself as unique, with special characteristics that set it apart from others. However, the parliamentary environment truly does have some unique characteristics that create specific challenges for the position of Chief Information Security Officer (CISO). And while the CISO position is one of great responsibility, too often it is still one with few actual teeth. Considered primarily a technical function, the position usually receives little political attention. That was the case with New Zealand’s parliamentary CISO: the role was a low-level managerial post, and the officer’s recommendations and advice were often disregarded or watered down.
By way of context, an important constitutional feature of the Westminster system of government is that each of the three branches of government – the Executive, Legislative and Judicial Branches – is independent of the others and may not attempt to influence the affairs of the others. Most government agencies or departments sit quite neatly within the Executive Branch (in that they are responsible for executing the intent and objectives of the government) but there is often strong resistance from parliament to any hint of interference (perceived or actual) in the parliamentary process by the Executive Branch or anyone else.
New Zealand’s parliament is supported by a service established under the Parliamentary Service Act 2000 and is not a government department per se but is part of the state service. This means that it sits outside the control of the Executive Branch of government as a quasi-independent entity, albeit one that is fully funded by the public purse and reports to the Speaker of the House, who is the responsible Minister. In New Zealand there is a fusion of power and the members of the Executive (i.e. Ministers) are drawn from the membership of the Legislative Branch and are accountable to that branch. This, in itself, complicates what is an already-complicated security operating environment. The boundaries provided by a pure separation of powers are necessarily blurred, requiring the use of some functions of the Executive branch to ensure the secure operation of the Legislative branch. This fusion makes it challenging to adequately protect the communications that are critical to the functioning of a democracy while also respecting the constitutional boundaries of the parliamentary model.
Lessons for Other Democratic Institutions
In most organisations, appropriately vetted staff have the ability and technology to inspect Internet traffic, scan email content and attachments and apply stringent security policies to devices which are appropriate to meet the assessed threat level. However, in a parliamentary environment, there can be considerable resistance to good cybersecurity practices.
Habits are perhaps the most difficult thing to change. Many politicians and senior officials have developed ways of operating based on convenience, driven by the pressure and pace of their work. Examples are the widespread practice of sharing account credentials with staff, resistance to cybersecurity awareness training and the use of personal webmail accounts outside the protected parliamentary IT environment for political communications.
On the matter of technical controls, there are a number of basic security steps that are universally recommended to keep important information safe: using long passwords that are unique to each account, turning on multi-factor authentication (i.e. requiring a one-time code as well as a password) and keeping devices and software updated to the latest versions. Too often, though, these absolute basics are seen as inconveniences to the user. Their implementation is met with resistance, and the primary responsibility for security is thus effectively shifted onto the security team rather than shared with the end user.
The natural suspicion of anything misperceived as an attempt at oversight or control of elected officials by the Executive makes it even more challenging to secure the cyber environment. Measures with significant security benefits, such as locking down computers to a standard build (to prevent malware running on them), implementing data-loss prevention policies (to prevent intentional or accidental leaks of sensitive information) and making it possible for agents of the state to manually inspect email attachments for malware, are just a bridge too far for many. But the trade-off that the officials face is quite simple: accept that their emails may be read by foreign powers or allow a cyber analyst with security clearance to access their account when required to investigate and eliminate security threats.
There are several lessons to be learned from New Zealand’s experience:
- Most compromises of parliamentary networks could have been prevented, had stringent security controls been allowed to be enforced and/or had users possessed a high degree of security awareness.
- Politicians must accept that they are targets for hostile attention from foreign governments and must take measures appropriate to that threat level. They share the responsibility for the security of the networks they use as well as for the potential consequences of a breach. They also need to be held accountable for their actions by their constituents.
- Organisations such as the Parliamentary Service that are tasked with providing a safe and secure digital environment to enable democracy must put more faith in the experience and advice of the people they pay to do this.
Politicians and parliamentary support agencies should not underestimate the threat that they face on a daily basis and must take steps appropriate to meet that threat. Humans are often flagged as the weakest link in the chain of cybersecurity. But they can also be its strongest component if these few basic practices are followed. The stakes are much higher than just emails or networks being compromised. Citizens’ well-being, elected governments’ legitimacy and, ultimately, world peace are on the line too.
About the Author
Steve Honiss was the inaugural Chief Information Security Officer at New Zealand’s parliament, coming from a background in law enforcement, international relations and intelligence. He is the Director of Aardwolf Consulting Ltd (Wellington) and a Senior Fellow at the Azure Forum for Contemporary Security Strategy (Dublin).