Top former government security officials were swift and brutal in their condemnation of ministerial security, after the news broke on Sunday that Liz Truss’s personal phone had been comprehensively hacked when she was Foreign Secretary: “Levels of education are not high enough” said Sir Alex Younger, former Head of MI6.
Ben Aung, former Director, Government Security Group, Cabinet Office (HMG’s corporate HQ) said: “Many security officials have experienced glazed over eyes or outright rudeness from ministers and spads [special advisors] when trying to explain risks around personal phones/email. It’s an open goal for our adversaries.”
Liz Truss’s phone hacked: What happened?
Former Prime Minister Liz Truss’s personal phone was severely compromised when she was Foreign Secretary, a Mail on Sunday report revealed over the weekend – with the attacker reported to have downloaded a year’s worth of private messages including “highly sensitive discussions” with fellow foreign ministers about the war in Ukraine, including, the paper alleges, arms shipments to the embattled nation, as well as political gossip.
It was not clear how Truss’s phone was breached. With access to the number – lists of ministerial numbers could be bought on the dark web for just £6.49 – it could have been anything from sending a simple malware-laden message and anticipating that a not-particularly-bright minister would click on it, all the way through to a more sophisticated “zero-click” attack that made use of a zero day, or previously unknown vulnerability.
Truss's phone is now being held by for analysis. The tabloid attributed the revelation to “security sources”.
The news raises questions about why the story was leaked now. It also raises questions about whether the then-Foreign Secretary took an insecure personal phone on trips like one to Moscow against advice.
The incident comes after former Chairman of the Conservative Party, Jake Berry MP, alleged that there have been “multiple breaches of the Ministerial Code” by current Home Secretary Suella Braverman – one resulting in an MI5 investigation – including what are widely alleged to have been “documents on cybersecurity”.
“What is happening to government security?!”
Some senior politicians, to their credit, have been openly criticising poor operational security by ministers for some time: “What is happening to government security?” asked former Conservative Party leader Iain Duncan Smith early in 2021, after messages from then-PM Boris Johnson leaked. “There definitely now needs to be a proper review of ministerial use of private communication systems. People don't take it seriously.”
The lament is not a new one. Former Defence Secretary Gavin Williamson was lambasted in 2018 after he was interrupted by his Siri voice assistant in Parliament. Information security entrepreneur Rodolfo Rosini was not amused at the time, telling The Stack's founder: “The guy has no OPSEC so if he sets Siri on always listening, he may [also] have shit security on his home computers, download dodgy apps etc. It’s inexcusable for someone in his position. Basically the problem is that he signalled he is an easy target with no clue.”
(That 2018 incident came after Chinese researchers discovered a way to hijack smart assistants like Apple’s Siri using sounds inaudible to the human ear, raising security concerns about the voice-activated devices. The hack was created by Guoming Zhang, Chen Yan and colleagues at Zhejiang University in China. Using ultrasound, an inaudible command can be used to wake the assistant, giving the attacker control of it as well as access to any connected systems.)
As Sir Younger told Times Radio over the weekend: “Levels of education aren’t high enough.”
“I don’t think people are focusing enough on the risks to their security and their devices. Because these hidden threats aren’t properly understood. I think that’s [as] true of ministers as anyone else.
“And there’s a premium on making sure that they’re properly educated.”
Ministers are issued standard departmental phones (which are “hardened to good commercial standards”), one security expert close to government told The Stack – adding that “to be honest most are luddites so still do almost everything through their red boxes/paper copy. Ministers communicate with their private offices through messaging apps/WhatsApp and to others in the party but most of that isn't sensitive, just potentially embarrassing.”
They added: “Contrary to popular belief, GCHQ/NCSC don't get involved in stuff like this unless in exceptional circumstances and would rightly just point to their smartphone guidance and say ‘do it like that’.”
WhatsApp use approved after court challenge
Awkwardly for those trying to do that educating, shadow IT – the use of private email and WhatsApp on personal phones – is entrenched across government, and efforts to tackle it in court have fallen flat.
In March 2022, for example, transparency campaigners accused British ministers of conducting “government by WhatsApp” in the UK’s third-highest court, emphasising that the widespread use by ministers and civil servants of self-destructing messages “on insecure platforms” is unlawful and undemocratic, arguing that such use spanned areas of public importance relating to the awarding of large-scale government contracts.
“Vast sums of public money pass hands following deals cooked up, in whole or in part, through these untraceable channels. They make it difficult or impossible for civil servants to act as proper stewards of public money. They pose a profound risk to national security – only last week it was revealed that private channels used in Number 10 had been hacked. And their use guts the clear public interest… in good record-keeping.”
That was according to non-profit the Good Law Project, which brought the case.
Yet despite finding that “Ministers, civil servants and unpaid Government advisors” had used WhatsApp widely, including its auto-delete function, the High Court on April 29, 2022 agreed with ministers including the Prime Minister that there was no legal duty on them to avoid the use of either WhatsApp or self-deleting messages.
Whilst there was legitimate public interest in retaining public messages, there was no legally binding requirement under the 1958 Public Records Act, the court found, saying the law left a “wide margin of discretion to the relevant body” and adding that Cabinet Office guidance explicitly urged the use of instant messaging. The Good Law Project described this at the time as “a decision with profoundly troubling consequences for those with interests in transparency, national security, and public record-keeping”.