Rob Greig

Picture copyright
Chris McAndrew

Picture caption

Rob Greig: “They hit us with every thing they might”

On 23 June the British parliament got here underneath a sustained cyber assault. In a matter of hours hackers made round 200,000 makes an attempt to get into on-line person accounts. It was Rob Greig who acquired the decision: “That you must get your self over there proper now.” And so battle started.

The assault – which led to officers disabling distant entry to hundreds of e mail accounts of MPs, friends and their workers – was first noticed by parliament’s safety operations centre.

This was the place Mr Greig, as director of the parliamentary digital service, was summoned to that Friday morning.

There had been some suspicious exercise his crew had checked out.

That was not significantly uncommon. The earlier night, the crew had elevated safety on a variety of accounts.

However this, in flip, triggered the occasions that unfolded that Friday morning. The hackers realised that the defenders had noticed their work and had been on to them.

And they also stepped up a gear.

“They hit us with every thing they might,” Mr Greig says. “We noticed round 200,000 makes an attempt to get into our customers’ accounts.”

‘Somebody was watching’

There was an automatic “brute power” ingredient of the assault which focused weak passwords.

However the attackers additionally knew sufficient about parliamentary safety insurance policies to attempt to keep away from being noticed, by spacing out their makes an attempt.

By 13:30, Mr Greig had knowledgeable the 9,000 customers of the parliamentary system that an incident was underneath means.

His crew fought to maintain the attackers out of the system by blocking entry to explicit companies – however then the attackers tailored.

Picture copyright

“Their assault vector modified they usually got here for a distinct service,” says Mr Greig.

“So somebody was sat there watching. It wasn’t simply [an automated] script operating. Somebody was reacting.”

The tussle between attackers and defenders lasted for about 24 hours as members of the crew cancelled weekend and vacation plans and in a single case, even left a marriage, to assist handle the response.

On Saturday, it turned clear that some knowledge had been compromised and stolen. Due to that, the choice was taken to lock all accounts so they might not be accessed remotely outdoors of parliament.

It was at this level that information of the assault became public as parliamentarians revealed they might now not entry their emails.

“Our primary precedence was to take care of the democratic exercise that takes place in these two chambers – and all of the techniques, companies and databases that run round that – that is what our determination making was primarily based on and that is what we achieved,” Mr Greig explains.

He mentioned subsequent investigations revealed that fewer than 50 e mail accounts belonging to fewer than 30 customers had been compromised (a determine smaller than initially reported however which stays topic to vary).

So who was behind it?

The Nationwide Crime Company and Nationwide Cyber Safety Centre are each investigating, and so there’s warning about saying an excessive amount of.

“What I’d say is that it would not seem like to me to be an novice assault,” says Mr Greig.

“My course of journey by way of the place we’re going from this, it appears to be like extra like a state exercise than anything.”

Mr Greig was two years right into a three-year cyber safety programme to improve parliamentary cyber safety.

Multifactor authentication – which protects e mail accounts by requiring greater than only a password to go browsing – had already been rolled out to new members and workers on the common election.

That was shortly prolonged to all customers, accelerating current plans.

There are a selection of challenges particular to defending parliament – together with the presence of greater than 650 workplaces in each constituency in addition to 9,000 customers.

Picture copyright

Parliament additionally guards its independence from authorities. The so-called Wilson doctrine limits the power of intelligence companies to observe the communications of parliamentarians.

That is designed to cease them being spied on, however makes it trickier to hold out the defensive monitoring of digital communication that happens at authorities departments.

Mr Greig says it didn’t hinder responding to the June incident, however acknowledges there are points in the way it operates within the present world of recent cyber assaults.

“There’s a query mark over the relevance of the Wilson doctrine and the way efficient it’s as a coverage,” he says.

Parliaments and the political course of have been focused in a variety of international locations in latest months and Mr Greig is aware of this might not be the final time he will get a cellphone name summoning him to the Safety Operations Centre.

“It was at all times going to occur,” Mr Greig says, the screens on the wall stuffed with proof of all of the exercise on the community.

“And I am certain one thing will occur once more.”