Congressional staffers are the gateway to all lawmaking on the Hill, but they also may be unwittingly opening the door to hackers.
The Hill’s networks are under constant attack. In 2013 alone, the Senate Sergeant at Arms’ office said it investigated 500 potential examples of malicious software, some from sophisticated attackers and others from low-level scammers. And that’s just the serious cases — in a different measurement, the House IT security office said in 2012 it blocked 16.5 million “intrusion attempts” on its networks.
But the thousands of men and women who keep Congress running every day are committing the basic cybersecurity mistakes that attackers can exploit to do harm — like in the CENTCOM social media hack or crippling breach of Sony Pictures Entertainment.
POLITICO interviews with nearly a dozen current and former staffers, as well as congressional IT security staff, reveal a typical array of poor cyber habits.
Most of the staffers interviewed had emailed security passwords to a colleague or to themselves for convenience. Plenty of offices stored a list of passwords for communal accounts like social media in a shared drive or Google doc. Most said they individually didn’t think about cybersecurity on a regular basis, despite each one working in an office that dealt with cyber or technology issues. Most kept their personal email open throughout the day. Some were able to download software from the Internet onto their computers. Few could remember any kind of IT security training, and if they did, it wasn’t taken seriously.
“It’s amazing we weren’t terribly hacked, now that I’m thinking back on it,” said one staffer who departed the Senate late this fall. “It’s amazing that we have the same password for everything [like social media.]”
“This is a problem waiting to happen, not even just on the institutional security side but in terms of mischievous hackers trying to break into social media sites or dropboxes of senators or any of that stuff.”
While the House and Senate IT security staffs work to ensure that human mistakes are backstopped by technology, experts and lawmakers say they’re hampered by the unique challenge of securing an enterprise divided into hundreds of networks each overseen by an empowered elected official.
“I think people would be shocked to know how little people know about these things and care about things,” said one former longtime Senate staffer who left the Hill this fall. She noted offices have access to a lot of constituents’ personal information just like banks and businesses.
“I don’t think the Senate as a whole does a very good job of teaching people what matters as to how to do cyber hygiene and advice on how to come up with good passwords, because when you think about it, some of the lowest-level staff have the most access, and this is their first job and isn’t self-explanatory. It needs to be taught to staff,” the former aide said.
Another former staffer who worked for years in both chambers but left in recent months said that people who work on the Hill can easily feel a false sense of security.
“You feel very secure up there in terms of the IT services that are provided, and I think the reasoning behind that is twofold, you fall into the trap that you’re on the Hill and you’re in a bubble up there, and it’s also the fact that the House and Senate IT folks bring up that fact a lot that you should be safe online and there are firewalls to prevent any breaches,” the former staffer said. “Looking back, I would say that it’s a false sense.”
Even the best security techniques and technologies are undermined by poor user practices like password reuse and sharing. Part of the problem is that even if the House and Senate staff that secure their respective networks do a great job, there’s still a lot of autonomy in every office, and they may have different levels of interest and expertise in security.
“The House administration, they’re doing everything they can to keep the House network as secure as possible, given the constraints that they operate under,” said Rep. Jim Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus.
“Managing risk in the House is particularly difficult because its organizational structure is unusual. In most organizations, you have a very hierarchical structure,” he said.
“No [other] organization has 435 CEOs each responsible for a completely independent division.”
Langevin said a huge number of individuals and “perhaps” nation-states try to breach the House network every day — as former Rep. Frank Wolf (R-Va.) learned in 2006 when he says the Chinese hacked four computers in his office used by staffers working on human rights issues.
Wolf and Rep. Chris Smith (R-N.J.) — two longtime China critics — revealed their office computers had been breached by Chinese sources in 2008, and Wolf said the FBI told him to keep the attack quiet for some time.
Wolf said he believes the House IT security team works very hard, but there’s more to be done.
“I don’t think any federal agency, and probably including the Hill, is doing a very good job,” Wolf said, citing his own hacking experience. Wolf, a high-profile China critic with staffers investigating human rights abuses, was an obvious target. And for foreign hackers more generally, congressional computer systems represent a cornucopia of intelligence about the thoughts and intentions of lawmakers.
The problem, said Wolf, is a lack of understanding and a lack of will.
Langevin also said more could be done on outreach, saying a positive step was a change recently for the House to require regular password changes. Not all members and staffs are focused on cybersecurity like his office, he added.
“It goes back to constant education and reeducation,” Langevin said. “People are people, and if you’re not focused on something or constantly reminded, it’s easy to let things fall through the cracks.”
A study released last week found that IT security professionals identify negligent employees as the No. 1 threat they deal with.
The offices tasked with securing Hill networks are well-aware of the threat. In an interview, an official for the Senate Sergeant at Arms said along with constant research and innovation, training and education is a core focus of the office as they try to keep bad guys out of the Senate network.
That means contacting new members as soon as they’re elected and offering briefings for full staff. The Senate-wide team coordinates with each office’s system administrator or point person, sending out advisories and recommendations, offering support and conducting monthly vulnerability assessments of every office that are shared with staff.
While some controls are managed at the office level, including downloading permissions on computers, the SAA monitors the entire network for Web traffic (without seeing the content) and anything out of the ordinary coming in or out. They also control software updates, testing all software patches before deploying them to check they work on Senate software and network configuration, and they scan mobile devices used by members and staff overseas.
The office of the House Chief Administrative Officer would not speak with POLITICO about its practices, but said in a statement the office takes a “dynamic approach” to security and recently hired a full-time trainer. In congressional testimony, CAO has said it provides firewall protection and intrusion detection as well as services for individual offices like training and foreign travel mobile device scanning.
In testimony submitted to the Senate Appropriations subcommittee this spring, then-Senate Sergeant at Arms Terrance Gainer said in the previous year, 2013, his office analyzed more than 500 potential malicious software incidents and shared their analysis with other federal agencies. In some cases, his team discovered previously unidentified zero-day vulnerabilities — a clear sign of advanced intruders at work. In separate testimony before its committee of jurisdiction, the House CAO budget request measured the challenge differently, saying the House IT security office in 2012 blocked 16.5 million intrusion attempts, 11.4 million efforts at spyware and 17,763 viruses.
Attackers in the Senate primarily used spearphishing — targeted emails designed to trick a specific person into clicking a bad link or opening a weaponized attachment — and watering holes — otherwise innocent sites known to be frequented by Senate staffers that could be hacked and used to distribute malicious software to visitors. In one recent example of a watering hole-style attack, advertisements on the AOL ad network were configured to distribute malicious software, meaning unsuspecting visitors to The Huffington Post could be hit.
The example shows that even seemingly safe and important uses of the Internet, like surfing news websites and opening email attachments, can be turned into the pathway for an attack by a skilled adversary. Without constant vigilance, even the lowest-level staffer can unwittingly invite bad guys into Hill computers.
The SAA official, like all security experts, acknowledges no network can be made 100 percent secure, and any network has to be workable for the employees.
“I think our biggest issue really is finding the balance between the protections that we want to have in place to keep the Senate secure and balancing that against the business needs of the Senate community,” the official said in the interview. “Being able to find that middle ground, where we still are doing what we need to do to keep our Senate safe, but yet allowing the staff and the senators to do the job that they were elected to do.”
Simple security measures can seem like major hurdles for staffers just trying to get their work done. A recent change to House password change rules — requiring changes every three months instead of six months — meant staffers had to change their email and computer login passwords at different times, one former staffer who left at the end of the 113th said. And having to call an IT person every time you need to update Firefox, say, can be a hassle.
Asked if that meant that there are times when security measures face pushback from members or staffs that aren’t thinking about security first and foremost, the official said that’s “true,” but they try to engage the community to work on solutions.
Even the most technically secure network needs the buy-in of every employee to be as safe as possible, experts say. Tony Cole, vice president and global government chief technology officer at major security firm FireEye, said having every staff member see themselves as part of cybersecurity is “extremely critical.”
“In the federal government and many other allied nations as well, cybersecurity is not part of the culture, very clearly it’s not,” Cole said. Most attackers are highly sophisticated at researching potential targets, like Hill staffers, and using information on social media to craft emails that they are likely to click on.
“Even with a robust architecture, having all of the best practices laid out across the board and the latest tools, you really need the security culture in place as well if you’re going to be successful at identifying attacks,” Cole said, “and even then, a place like the Hill, attackers are going to get in.