UK Parliament email hack - the industry reaction

Online security protections have been boosted across the UK government after the email accounts of a large number of MPs were allegedly hacked.

The attack, which took place on Friday, saw the email accounts of nearly 90 MPs affected by as-yet-unknown hackers.

Following an alert from the National Cyber Security Centre (NCSC), the attack now appears to have been contained, with remote access to the affected email accounts suspended whilst an investigation is carried out.

The attack is the latest high-profile security alert in recent weeks, so what does the cyber-security industry have to say?

Ilia Kolochenko, CEO, High-Tech Bridge

"A simple brute force attack can normally be detected and blocked within a minute. This incident highlights once again that cybersecurity fundamentals are ignored even by the governments of leading countries. Today, two-factor authentication (2FA), advanced IP filtering and anomaly detection systems are a must-have for critical systems accessible from the Internet. Strict password policies and regular audits for weak and non-compliant passwords are also vital for corporate security. However, apparently, none of these simple but efficient security controls were properly implemented.

At this early stage of investigation, it would be inappropriate to speculate about the identity of the attackers. Such an attack is very simple and cheap to organise, and virtually any teenager could be behind it. However, for this particular incident, I would abstain from blaming any state-sponsored hacking groups. Because with such an unacceptably low level of security - they have likely already been reading all emails for many years without leaving a trace."

Anurag Kahol, CTO, Bitglass

“Since the UK Parliament disabled email access for even legitimate users, these attackers have effectively achieved a denial of service attack. Strong authentication policies, including multifactor authentication, combined with user behavior analytics not only within applications, but across applications, could have prevented the need to block users from being able to access work applications. This holds especially true for cloud-based applications which, by definition, are available from any device, anywhere.”

Bill Wohl, CCO, Commvault

“The cyber-attack targeting the UK Parliament’s systems is yet more evidence of today’s new reality: that data systems remain vulnerable,” said Bill Wohl, CCO, Commvault. “Data is becoming a critical strategic asset. It is imperative that public and private sector institutions have a proactive and holistic data management strategy, one that goes beyond strong firewall protection, and that includes proven disaster recovery and backup solutions. Whether it’s a direct attack on individual accounts and passwords, or a larger ransomware attack, it’s clear that risk reduction and business continuity are increasingly a top priority for both public and private sector leaders.”

Dr. Jamie Graves, CEO, ZoneFox

"This initial attack may have only affected under 1% of parliamentary emails, but getting into one is enough. And email access could then open up a treasure trove of information that would allow attackers deeper into the network. It really calls into question the security practices of government if in 2017 we are still being compromised by the basics, such as weak passwords; this is infosec 101.

"It’s good that NCSC managed to shut down the accounts before they could be fully taken advantage of, but questions have to be asked about the veracity of account security with such sensitive data involved. If indeed, as sources are initially indicating, the attack did stem from Russia, then we can expect that this isn’t going to be the last one we see. This time it was a ‘brute force’ attack against weak passwords - next time it could be something far more sophisticated. Therefore, the security policies of government need to be watertight, and the transfer of data in and out of the network carefully monitored with a 360-degree view for context and irregularities."

Neil Larkins, Co-founder and COO, Egress Software Technologies

“This is an attack which, like so many others, aimed to exploit human error – always the greatest area of weakness when it comes to cybersecurity. This means that a lot of the data protection mandates put in place by the government, such as Transport Layer Security (TLS), could not have prevented this attack as hackers weren’t targeting the technology, but the people. By targeting MPs’ passwords, the hackers were banking on poor security practices to help them through the door – and we’ve seen that for at least 90 email accounts this was the case.

“However, there are technical measures that could have been put in place to stop this attack, or reduce the risk of human error. For example, access can be restricted to known IP addresses, which would mean that anyone on an unknown external device trying to get access – even with the correct password – would be denied in the first instance. Auditing unusual behaviour from foreign IP addresses could have also identified suspicious activity.

“Furthermore, as many MPs have highlighted, the real risk of this attack was that constituents’ emails could be accessed, or that email content could leave MPs vulnerable to blackmail. If, however, the government had implemented message-level encryption, sensitive content would be secured and would require a separate access control.

“Ultimately, what this attack shows is that there is still more work to be done on the most basic level of security – password protection. Unfortunately, we cannot trust MPs, or the staff of any organisation, to always make the best security choices – so again there is a role for technology here. There has to be a system in place to enforce a stringent minimum requirement of password security, and provide more comprehensive training and incentives for staff to adopt better security practices. In order to protect the public sector from attacks that target people, organisations must get the human element under control.”
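Two of the controls mentioned above, Kolochenko's point that a brute force attempt can be "detected and blocked within a minute" and Larkins' suggestion of restricting access to known IP addresses, can be expressed as a small detection pass over authentication logs. The example below is added here and is not code from any of the quoted companies; the log format, the sample lines and the allowlisted network range are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample webmail auth log; format and values are assumed, not real.
SAMPLE_LOG = """\
2017-06-23T08:00:01Z auth FAIL user=mp.one src=203.0.113.5
2017-06-23T08:00:03Z auth FAIL user=mp.one src=203.0.113.5
2017-06-23T08:00:05Z auth FAIL user=mp.two src=203.0.113.5
2017-06-23T08:00:07Z auth FAIL user=mp.three src=203.0.113.5
2017-06-23T08:00:09Z auth FAIL user=mp.four src=203.0.113.5
2017-06-23T08:00:13Z auth OK user=mp.four src=203.0.113.5
2017-06-23T08:05:00Z auth OK user=mp.six src=10.10.4.21
2017-06-23T09:30:00Z auth FAIL user=mp.six src=10.10.4.21
"""
LINE_RE = re.compile(r"(\S+) auth (OK|FAIL) user=(\S+) src=(\S+)")
KNOWN_NETS = [ip_network("10.10.0.0/16")]  # assumed estate/VPN ranges
WINDOW = timedelta(seconds=60)  # "detected and blocked within a minute"
THRESHOLD = 5                   # failures from one source inside WINDOW

def parse(log_text):
    """Yield (timestamp, outcome, user, source_ip) for each log line."""
    for m in LINE_RE.finditer(log_text):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)

def is_known(src):
    return any(ip_address(src) in net for net in KNOWN_NETS)

def detect(log_text):
    """Return alerts as (kind, source_ip, timestamp, detail) tuples.
    brute_force: THRESHOLD failures from one source within WINDOW, counted
    per source so one guess sprayed across many accounts is caught too.
    unknown_source_login: a successful login from outside KNOWN_NETS."""
    alerts, failures = [], defaultdict(list)
    for ts, outcome, user, src in parse(log_text):
        if outcome == "FAIL":
            recent = [t for t in failures[src] if ts - t <= WINDOW] + [ts]
            failures[src] = recent
            if len(recent) == THRESHOLD:  # fire once, when the limit is hit
                alerts.append(("brute_force", src, ts, f"{THRESHOLD} failures"))
        elif not is_known(src):
            alerts.append(("unknown_source_login", src, ts, user))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the pass raises one brute_force alert for 203.0.113.5 at the fifth failure and one unknown_source_login alert for the success that follows it, while the later failure from the allowlisted range stays below the threshold.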

Richard Parris, CEO, Intercede

“It’s one thing for a business or consumer to be hacked, but the UK Parliament? The past few years have seen company after company hacked at the hands of opportunistic cyber criminals, and it’s no surprise that they’ve now moved on to legislative bodies and government departments. Why? Because we’re making it too easy for them. Cyber criminals don’t have to be geniuses, particularly when we continue to use outdated, insecure forms of security such as usernames and passwords to protect our nation’s secrets.

“The sustained hack on the UK Parliament should be a wake-up call for all organisations and enterprises that continue to use passwords as the first point for securing systems. When it becomes a question of national security, we need to think about the people and systems we’re counting on for protection. Legacy systems need to be updated, appropriate funding needs to be allocated and users need to be educated on best practice so that any holes can be plugged.

“More importantly, government needs to be looking at more robust methods of security – strong authentication – that incorporate three distinct elements. These are possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, such as a fingerprint or an iris scan). This type of security method is much more robust, and verifies that the person accessing the service is who they say they are.

“Consumers are already losing confidence in businesses that continue to play fast and loose with their data. The UK government should be learning from the private sector’s mistakes; the repercussions and backlash could be far more severe and difficult to come back from if warnings are not heeded.”