CW500: A perfect storm – the cyber attack that hit Parliament

In June 2017, the Houses of Parliament were hit by a significant cyber attack. At the latest CW500 club, former director of the Parliamentary Digital Service (PDS) Rob Greig described what happened during the attack, why it was a “good experience”, and the importance of being on top of cyber security.  




On Saturday 24 June, PDS had to suspend remote access to the accounts of parliamentary network users, meaning members of Parliament (MPs), peers and other staff were unable to access their emails. The attack had been discovered the previous day, but, in fact, it had been going on for much longer.

In early June, the security operations centre, which Greig described as the “best investment we ever made”, discovered suspicious activity on its network.


After monitoring it for a few weeks, and liaising with the National Cyber Security Centre, on Thursday 22 June, PDS made a decision to lock out 18 “high-risk accounts” while it investigated the activity further.


Little did Greig know that, a few hours later, it would turn into a full-blown cyber attack that would ensure he barely slept for the next 72 hours.


“On the Friday, I was walking between meetings, and suddenly I get a phone call [from the security operations centre] saying I better get down there. It was the beginning of more than 200,000 attempts of getting into our network,” he said. 


So what happened? It turns out that on the previous day, when the centre had made the decision to lock out those high-risk accounts, it meant “the hackers knew what we knew, and it transpires they’d been going at us since the fifth of June.” 


Difficult decisions 


And so began the perfect storm. “Unfortunately, there’s no big red button on the wall that you press and it shuts it down,” said Greig.


“There’s no shields up button, because we’re running complex systems, thousands of applications, large distributed networks, lots of different levels of security, lots of different levels of access and egress and ingress, and there’s always the worry about command and control. It’s not just the data coming in you need to worry about; it’s the data going out too.”


With around 9,000 users, many of whom are MPs holding surgeries in their local constituencies at weekends, making the call to disable access was a huge decision.


Greig said the team sat down and discussed what success looked like: the basics of maintaining the operation of the business. He added that at the same time, you’re trying to balance in your mind how much disruption you want to cause to the business. 


What the team was seeing that Friday was a series of failed log-in attempts on all of the user accounts. Greig said all 9,000 accounts were getting tried every hour, six or seven times an hour – Parliament’s lock-out rate for failed attempts is eight times an hour. 


By this point, Greig said, they had figured out this probably wasn’t some kid in his or her bedroom playing around, but someone who has done “some serious scoping and intelligence around how our environment works and what security policies we got in place”.
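The pattern described above, every account tried six or seven times an hour against a lock-out limit of eight, never trips a per-account alarm, so it has to be detected across accounts. The following is an added example, not code from PDS or the article: it assumes log-in events arrive as (timestamp, account, success) tuples and are bucketed by clock hour, and the account names, `min_fraction` and `near` values are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 8  # failed log-ins per hour before lock-out (figure from the article)

def spray_windows(events, known_accounts, min_fraction=0.5, near=0.75):
    """Flag hours in which many accounts sit just under the lock-out limit.

    events: iterable of (iso_timestamp, account, success) tuples.
    min_fraction and near are assumed tuning values, not from the article.
    """
    per_hour = defaultdict(Counter)
    for ts, account, success in events:
        if not success:
            hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
            per_hour[hour][account] += 1

    floor = int(LOCKOUT_THRESHOLD * near)  # 6 failures with the defaults
    findings = []
    for hour in sorted(per_hour):
        counts = per_hour[hour]
        # Accounts probed hard enough to matter, yet never locked out.
        hugging = sorted(a for a, n in counts.items() if floor <= n < LOCKOUT_THRESHOLD)
        fraction = len(hugging) / len(known_accounts)
        if fraction >= min_fraction:
            findings.append({"hour": hour.isoformat(), "fraction": fraction,
                             "accounts": hugging, "failures": sum(counts.values())})
    return findings

def sample_events():
    """Constructed sample data: 20 hypothetical accounts over two hours."""
    accounts = [f"user{i:02d}" for i in range(20)]
    base = datetime(2017, 6, 23, 9, 0)
    events = []
    # 09:00 hour: ordinary noise, two users mistype a password and then log in.
    for minute, account, ok in [(5, "user03", False), (6, "user03", True),
                                (20, "user11", False), (21, "user11", False),
                                (22, "user11", True)]:
        events.append(((base + timedelta(minutes=minute)).isoformat(), account, ok))
    # 10:00 hour: every account gets 6 or 7 failures, spread across the hour.
    for i, account in enumerate(accounts):
        for k in range(6 + i % 2):
            stamp = base + timedelta(hours=1, minutes=8 * k, seconds=i)
            events.append((stamp.isoformat(), account, False))
    return accounts, events

if __name__ == "__main__":
    accounts, events = sample_events()
    for finding in spray_windows(events, accounts):
        print(finding["hour"], f"{finding['fraction']:.0%} of accounts", finding["failures"], "failures")
```

If the lock-out counter is a sliding window rather than a clock hour, the same check applies with the bucketing step replaced by a rolling count.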


Cyber security programme


In the end, only 26 out of the 9,000 accounts were compromised, something which can be seen as something of a win, as well as a testament to Greig’s achievements at PDS.

When Greig joined the then newly formed Parliamentary Digital Service, which was set up to merge Parliament’s ICT department and its Web and Intranet Service teams in early 2015, he knew he had a big challenge on his hands.


Within a couple of weeks of beginning his new job, he realised there was a “very big cyber security risk” as the organisation was “really exposed”. 


Making changes was not as easy as Greig thought, but eventually he got approval to set up a cyber security centre. The centre, along with the previous general election, turned out to be saviours.


Greig said the snap election meant PDS had around 36 days to refresh everybody’s IT kit, which normally takes around two years to plan.


Newly elected members would be expected to arrive in Parliament the next day and be set up with new kit, which proved a challenge, but also allowed the team to accelerate cyber security work.


This included the roll-out of multi-factor authentication (MFA), which was rolled out to all new members, with the rest planned for completion during 2018.


When the attack happened, the hackers were hitting the Active Directory Federation Services, and the team decided to block that off, which Greig calls a “crucial point”.


The hackers then changed their vector, and Greig and his team almost thought, “Gotcha, you’re done”, as they were watching the traffic drop off. Unfortunately, it then started again, with the hackers hitting Parliament’s single sign-on infrastructure for Microsoft Office 365.


“It’s a real difference than dealing with malware, because you’re dealing with someone trying to actively penetrate your environment. Through that first night, the team worked endlessly, limiting systems, controlling them and shutting down systems,” said Greig.


After a stressful Saturday morning and afternoon, at around 3pm the team noticed “some data exfiltration”, with data leaving from a user who doesn’t work remotely, and Greig made the decision to lock out all of the 9,000 user accounts.


“That was a really difficult decision to make,” he said, adding that parliamentary bosses had been “brilliant” and understood the cyber security team were the experts and needed resources to do what they needed to do.


“So we made the decision to lock out these accounts and then we got into recovery mode,” he said. This included biting the bullet and simply rolling out MFA to all users instantly.


“This one-year plan was suddenly to be done in a day,” Greig said, adding that on the Monday following the attack, police and security officers were handing out “cheat sheets” to members on how to enrol on MFA. 


Always be brave


Greig, who at the time of the cyber attack had just handed in his notice to take up the role as CIO at Arup, said it might not have been an easy decision to lock out users, but “you have got to be brave”. The attack showed that cyber incidents are not just about IT, technology and the digital crew, but about everybody. 

“This is about the wider scope with cyber security responses, and practicing that, and waking up to the fact is really important,” Greig said.


“It should be treated on the same scale as a major fire, an explosion or a terrorist attack, because the one thing I learned from this is that everybody is involved when it happens.”


He added that, overall, the attack was “a really good experience”. Of course, having 26 user accounts compromised is not a good thing, and Greig added that he’s not trying to “underestimate the impact of that”.


However, the incident meant that cyber security rose to the surface. “I put it all into the public domain and that was a really good experience because it, in many respects, fulfilled the business case of what does success look like,” he said.