Cyber security experts have called Nadine Dorries’ appointment as Culture Secretary an “unexpected choice”, four years after the former minister for mental health was embroiled in a cyber security row over sharing passwords.
Ms Dorries will oversee regulating Big Tech through the Online Safety Bill, further 5G deployment and the roll-out of gigabit broadband as part of the UK’s digital strategy in her new role, alongside culture, media and sport commitments.
In 2017, the same year the House of Commons was hit by a “sustained” cyber attack, the Conservative MP revealed she shared her Parliamentary digital log-ins with around four members of staff in order to handle the high volume of virtual correspondence she receives every day.
Ms Dorries, who was defending fellow MP Damian Green during an investigation into whether he viewed pornography on his work laptop, said her staff logged into her computer using her details “every day”.
Sharing passwords among staff could leave MPs exposed to cyber attacks, file theft and potential extortion if confidential information was stolen or compromised.
The Information Commissioner’s Office warned other officials against sharing passwords and log-ins after Conservative MPs Will Quince and Nick Boles also defended the practice, which Parliament said was against its cyber security policies.
Richard Forrest, legal director from Hayes Connor, a specialist data breach law firm, said: “We’re seeing a huge increase in data breaches in the workplace, so to have a culture secretary who has been so lax on cyber security is an unexpected choice.”
Professor Andy Phippen, professor of IT ethics and digital rights at the University of Bournemouth, said Ms Dorries’ appointment raised broader concerns about parliamentarians’ working knowledge of STEM (science, technology, engineering, and mathematics disciplines), particularly given the increased appetite for the regulation of tech and ever-growing importance of effective data protection and privacy laws.
“Given the Government is currently pondering whether we should ‘relax’ data protection regulation and move away from the GDPR, it would be great to have the confidence that our parliamentarians had the technical and legal understanding of this complex issue when considering this,” he told i.
“Equally, observing the Online Safety Bill as it moves through Parliament, one would hope those debating greater regulation of big tech (which I have no fundamental objection to) understand both what technology is capable of in terms of content monitoring and filtering, and the implications of legislation on everyone’s online experiences. Sadly, with a few exceptions, I do not have that confidence.”
Politicians’ fundamental lack of understanding of complicated technical legislation is why they saw fit to withdraw the age verification element of the 2017 version of the Digital Economy Act, he said.
“We certainly need better legislation in the tech domain, but it needs to be fit for purpose,” he added.
Brian Higgins, security specialist at Comparitech, said that while elected representatives couldn’t be expected to be experts on every aspect of the areas they oversee, sharing passwords was a “very basic security error and nobody should be doing it”.
“I’m hopeful that Ms Dorries learned her lesson and is more aware of basic cyber hygiene these days,” he said.
“If not, then she is definitely in the right department to get herself educated. I’m sure she wouldn’t want to get caught out over something so basic again.”
Mike Butcher, the editor-at-large of tech news site TechCrunch and co-founder of volunteer network TechForUK, said the continued mixing of roles was the most significant issue at hand.
“Dorries will be responsible for both regulating the media industry and setting policy for the tech industry,” he added.
“This approach is just no longer fit for purpose in 2021.”