Tucked into the Digital Strategy for Parliament we wrote an aspiration: secure technology that works. These four words have translated into a three year cyber security programme to improve all aspects of cyber security in Parliament.
Two years in and those changes were put to the test for real in May. It was the WannaCry ransomware infecting 300,000 computers worldwide and we came away unscathed. It was a long weekend and the cyber team, which had grown to a young but talented team of 10, had shown what they could do.
Changing attitudes to cyber security
Over the last two years our attitude to cyber security has completely changed. It’s no longer about what can be stopped. It's about building awareness, detection and response capability.
Once you realise that anything connected to the internet can be hacked, then you have to think differently. Security improvements are an important part of a comprehensive security strategy, but that's only the start.
You can’t decide when you get attacked
You can plan and practice for a cyber attack and we had. A lot. But you can’t decide when you are going to get attacked. On Friday 23 June as I headed to a meeting in the Palace of Westminster, a message popped up from the cyber security team. “Rob, can you come to the Security Operations Centre?"
On arrival at the Centre, which is only six months old and still smelling of new carpet, I found a team that was clearly concerned. The monitoring tools were showing suspicious activity. As one team member got on the phone to our 24/7 threat monitoring partner, another called the National Cyber Security Centre (NCSC) as we began to figure out what we were looking at.
9,000 users and 50,000 connected devices
We have been here before. A faulty server, a noisy network card, they have had us jumping into action on previous alerts. All had been false positives. Monitoring the security of a network spanning the whole of the UK with 9,000 users, and 50,000 connected devices generates a lot of data.
Despite the powerful tools we now have, it takes an expert eye and some time to interpret what's on the screen. Someone, somewhere was trying to get in. They were pretending to be a legitimate email client and methodically trying every password, but not frequently enough to lock out any accounts. We had to find what we call 'indicators of compromise' in the data to help identify and combat the hack.
As soon as we realised it was the real deal, we started the response and all users were notified of a security incident. It became a 24-hour battle to protect Parliament. These kind of incidents are never as clear cut as they look from the outside and decisions had to be made quickly. Having shut down the authentication services which were being attacked, the attack moved to another part of the network, trying every possible entry point.
This went on for several hours as the attackers hit the network from servers all over the world. Towards the end of the attack our systems blocked 48,000 attempts to get into the network in a single hour.
Ultimately, it was an all too familiar story of those at most risk being users with weak passwords. IT has to move on from passwords, but that will take time and until then, passwords will always be a weak point regardless of how clever the technology gets.
Sustained and determined attack
Fortunately for us we had started to roll-out a new multi factor authentication system which had already been implemented for new MPs at the general election. What was going to be a planned and careful roll-out designed to tackle legacy systems going back years, became an intense period of activity to get every user account secured.
Right at the beginning of the attack we agreed the priority. It would be keeping the core systems of Parliament up and running to let democratic activity continue and to contain the attack.
We also decided early on that we would be as open as possible with everyone about what was happening. In later messages to users I described a 'sustained and determined attack' on email accounts which, to my surprise, was repeatedly quoted in the media.
The House of Commons and House of Lords communications teams worked as part of the incident team and enabled quick and efficient communication of what was going on. We call it a cyber incident, but the reality is staff from PDS and across Parliament all worked tirelessly to handle the response.
Unfortunately some accounts had been compromised in the early part of the attack and we suspect some email data has been taken. It looks like it affected less than 1% of accounts. At no time did the systems on the Parliamentary estate go offline and our objective was achieved. A lesser response would have resulted in a total loss.