Who is this Handbook for?
This Handbook was written with a simple goal in mind: to help your parliament develop an understandable and implementable cybersecurity plan. As the world increasingly moves online, cybersecurity is not just a buzzword but a critical concept for the success of parliaments, and the security of information (both online and off) is a challenge that requires focus, investment and vigilance.
Your parliament will likely find itself – if it has not already – the target of a cybersecurity attack. This is not intended to be alarmist; it is reality even for parliaments that do not consider themselves to be particular targets.
In an average year, the Center for Strategic and International Studies, which maintains a running list of what it terms “Significant Cyber Incidents”, catalogs hundreds of serious cyberattacks, many of which target dozens if not hundreds of organizations at once. Beyond these reported attacks, there are likely hundreds of smaller attacks each year that go undetected or unreported, many aimed at governmental institutions, legislative bodies, and political organizations.
Cyberattacks like these have significant consequences. Whether their aim is to disrupt parliamentary operations, damage your reputation, or even steal information that can lead to psychological or physical harm to your members or staff, such threats need to be taken seriously.
The good thing is that you do not need to become a coder or a technologist to defend yourself and your parliament against common threats. However, you do need to be prepared to invest some effort, energy, and time in developing and implementing a strong parliamentary security plan.
If you have never thought about cybersecurity for your parliament, have not had time to focus on it, or know some basics about the topic but think your parliament could enhance its cybersecurity, this Handbook is for you. Regardless of where you are coming from, this Handbook aims to give your parliament the essential information it needs to put a strong security plan in place - a plan that goes beyond simply putting words on paper and enables you to put best practices into action.
Who Manages Parliamentary Cybersecurity?
An effective and secure parliament requires staff with the skill and proper authority to implement the recommendations included in this Handbook. With that said, those responsible for cybersecurity in parliaments vary widely, and there is no one “right” model for who should handle cybersecurity. In some cases it may be a dedicated cybersecurity team within your IT unit; in others it may be a group of administrative staff and members alike. Regardless, keep in mind that while it is important to have a good team in charge of your parliament’s cybersecurity, it is also the responsibility of everyone in and around parliament to follow the policies and procedures necessary to keep parliament safe. Below are a few examples of different staffing models for managing parliamentary cybersecurity:
United States House of Representatives
In the United States House of Representatives, some individual member offices hire a systems administrator who is responsible for managing all of the computer hardware and software systems used by the office – including managing cybersecurity considerations – and trains staff members on best practices. On an institutional level, the House of Representatives’ chief administrative officer houses an information resources team, which includes a department dedicated to information security.
National Assembly of Zambia
The National Assembly of Zambia relies on its information and communications technology (ICT) Department for a variety of functions, including managing the parliament’s software, hardware, and information infrastructure, training members of parliament and staff on technology systems, and securing the parliament’s information infrastructure from internal and external cybersecurity threats.
Parliament of Malaysia
The Parliament of Malaysia houses its information technology division under the parliament’s chief administrator, which allows it to serve both houses of parliament. This division includes a specific post for network security, whose role is to ensure that network systems, data centers, and ICT infrastructure are kept up to date and as secure as possible.
What is a security plan and why should my parliament have one?
A security plan is the set of written policies, procedures, and instructions your parliament has agreed upon to achieve the level of security you and your team think is appropriate to keep your people, partners, and information safe.
A well-crafted and updated organizational security plan can both keep you safe and make you more effective by providing the peace of mind needed to focus on your parliament’s important day-to-day work. Without thinking through a comprehensive plan, it is very easy to be blind to some types of threats, focusing too much on one risk or ignoring cybersecurity until there is a crisis.
When you start developing a security plan there are some important questions to ask yourself; answering them is a process called a risk assessment. Doing so helps your parliament understand the unique threats that you face and allows you to step back and think comprehensively about what you need to protect and from whom you need to protect it. Trained assessors, aided by frameworks such as Internews’ SAFETAG auditing framework, can help lead your parliament through such a process. If you can get access to that level of professional expertise it is well worth it, but even if you cannot undergo a full assessment, you should meet with stakeholders across parliament to thoughtfully consider these key questions:
What assets does your parliament have and what do you want to protect?
You can start answering these questions by creating a catalog of all your parliament’s assets. Information such as messages, emails, contacts, documents, calendars, and locations are all possible assets. Phones, computers and other devices can be assets. And people, connections, and relationships might be assets too. Make a list of your assets and try to catalog them by their importance to the parliament, where you keep them (perhaps in multiple digital or physical places), and what prevents others from accessing, damaging, or disrupting them. Keep in mind that not everything is equally important. If some of the parliament’s data is a matter of public record, or information you already publish, it is not a secret you need to keep confidential; you may still need to protect it from being altered or made unavailable, since an official text of a bill that has been tampered with is a problem even though the text is public.
Who are your adversaries and what are their capabilities and motivations?
“Adversary” is a term commonly used in organizational security. In simple terms, adversaries are the actors (individuals or groups) that are interested in targeting your parliament, disrupting your work, and gaining access to or destroying your information: the bad guys. Examples of potential adversaries could include financial scammers, adversarial governments, or ideologically or politically motivated hackers. It is important to make a list of your adversaries and think critically about who might want to negatively impact your parliament and staff. While it is easy to envision external actors (like a foreign government or a particular political group) as adversaries, also keep in mind that adversaries can be people that you know, such as disgruntled employees, former staff, and unsupportive family members or partners.
Different adversaries pose different threats and have different resources and capabilities to disrupt your operations and gain access to or destroy your information. For example, governments often have lots of money and powerful capabilities including shutting down the internet or using expensive surveillance technology; mobile networks and internet providers likely have access to call records and browsing histories; skilled hackers on public Wi-Fi networks have the capability to intercept poorly secured communications or financial transactions. You can even become your own adversary, for example, by accidentally deleting important files or sending private messages to the wrong person.
The motives of adversaries are likely to differ along with their capacity, interests, and strategies. Are they interested in discrediting your parliament? Perhaps they are intent on silencing your message or disrupting parliament’s work? It is important to understand an adversary’s motivation, because doing so helps your parliament better assess the threats that adversary might pose.
What threats does your parliament face? And how likely and high-impact are they?
As you identify possible threats, you are likely to end up with a long list which can be overwhelming. You may feel any efforts would be pointless, or not know where to begin. To help empower your parliament to take productive next steps, it is helpful to analyze each threat based upon two factors: the likelihood that the threat will take place; and the impact if it does.
To measure the likelihood of a threat (perhaps “low, medium or high,” based on whether a given event is unlikely to take place, could happen, or frequently happens), you can use what you know about your adversaries’ capacity and motivation, analysis of past security incidents, other similar parliaments’ experiences, and of course the presence of any existing mitigation strategies you have put in place.
To measure the impact of a threat, think about what your world would look like if the threat actually did occur. Ask questions like “How has the threat harmed us as a parliament and as people, physically and mentally?”, “How long-lasting is the effect?”, “Does this create other harmful situations?”, and “How does it hamper our ability to achieve our goals now and in the future?” As you answer these questions, consider if the threat is low, medium, or high impact.
To help you manage this risk assessment process, consider using a worksheet, such as the one developed by the Electronic Frontier Foundation. Keep in mind that the information you develop as part of this process (such as a list of your adversaries and the threats they pose) is itself sensitive, since it tells an attacker what you fear and where you are weakest, so it is important to keep it secure.
Once you have categorized your threats by likelihood and impact, you can begin to make a more informed plan of action. By focusing on those threats that are most likely to happen AND that will have significant negative impacts, you will be channeling your limited resources in the most efficient and effective way possible. Your goal is always to mitigate as much risk as possible, but no one – not the most well-resourced government or company on earth – can ever fully eliminate risk. And that is OK: You can do a lot to protect yourself, your colleagues, and your parliament by taking care of the biggest threats.