Parliament reveals lack of digital security
Updated on 26 March 2009
The parliamentary IT system has suffered a virus attack, joining millions of other computers that have fallen victim to the Conficker computer virus.
But astonishingly, an email sent to MPs, lords and their staff reveals that parliament's IT network seems to be completely unsecured.
The Conficker virus that has found its way computers used by MPs and members of the House of Lords has been in circulation on the internet since November 2008.
It is known as a "worm", which means that it propagates itself over the internet and computer networks, spreading from computer to computer without the user noticing.
Conficker effectively makes the computers that it infects slaves, and on 1 April the creator of the virus will take control of computers infected to perform some as yet unknown function.
In the past, these types of viruses have been used to crash particular websites, and some have suggested it could be linked to the G20 summit being held in London the following day.
A spokesman from the Houses of Parliament refused to tell Channel4 News when their anti-virus systems were last updated.
Microsoft received the first notification of the virus on 21 November, and from 26 November they and anti-virus companies like Sophos have protected computers and IT networks from becoming infected.
The fact that parliament's systems have become infected implies that they haven't updated their anti-virus software in order to provide protection. This could also mean that Parliament is also vulnerable from other attacks.
A spokesman from the Houses of Parliament refused to tell Channel4 News when their anti-virus systems were last updated.
Most experts recommend automatically updating anti-virus systems daily. Peter Sommer, Professor of Information Systems at the London School of Economics, told Channel4 News: "Having a virus checking programme without it being frequently updated and protecting you against all threats is quite frankly a waste of time."
An email was sent to staff warning them about the virus which included the following request: "We therefore ask that if you are running a PC or portable computer not authorised to be on the Network that you take it off immediately."
This implies that it has historically been the case that laptops and other computers have been able to connect to the parliamentary network without prior authorisations, virus checks or firewalls. This is highly unusual; most companies allow only secured computers to plug in.
"For the parliamentary network to have to ask all unauthorised computers to be taken off its network is, frankly, embarrassing."Rob Cotton, CEO of NCC Group
When Channel4 News repeatedly asked parliament why this was the case, we were told that the spokesperson was unable to answer the question.
When Channel4 News asked why he couldn't answer the question, we were told: "I'm not authorised to answer why we can't answer the question."
Rob Cotton, CEO of IT security company NCC Group told Channel4 News: "This incident clearly shows, once again, that when it comes to even the most basic of security procedures, parliament is lagging behind everyone else.
"One of the foremost rules of good corporate IT governance is that machines not regulated by the organisation should never be allowed to connect to its network, and for good reason.
"For the parliamentary network to have to ask all unauthorised computers to be taken off its network is, frankly, embarrassing.
"Unauthorised machines shouldn't even be capable of coming anywhere near an official network like this, particularly one which could provide a doorway to seriously sensitive material.
"Even worse, this particular virus is one that has been around since November last year, and security updates and patches have previously been issued to deal with it.
"The Parliamentary Network administrators are clearly not doing their jobs properly if a well-publicised problem is still capable of causing this much chaos."
