
Senators Ask For Transparency on Attacks on Senate Computers


In response to past attacks on Senate staff and in preparation for the 2020 election season, two senators have asked the Senate Sergeant at Arms to inform members of the intelligence committee within five days of the discovery of any compromise of a Senate committee and also to provide annual reports to every senator on the total number of breaches of Senate machines.

Senators, Senate staff, and campaign staff have been frequent targets in the last decade, often of attacks attributed to foreign actors. Some of these attacks have resulted in serious compromises, while others have been fairly minor. But the thing that they all have in common is that there’s no specific mechanism in place for senators and members of their staff to be notified about a new attack. Many industries have some kind of centralized information-sharing clearinghouse that collects and distributes data on current attacks and vulnerabilities in that specific vertical.

But there’s no real method for this to happen inside the federal legislature. Sens. Ron Wyden (D-Ore) and Tom Cotton (R-AR) would like that to change and on Wednesday sent a letter to the Senate Sergeant at Arms, who is responsible for both the physical and information security of the members of the Senate and their staffs, requesting that he provide regular updates on breaches.

“During the last decade, hackers have successfully infiltrated U.S. government agencies including the Office of Personnel Management, health care firms such as Anthem, and technology giants like Google. Hackers continue to target all manner of government entities, and there is little doubt that Congress is squarely in their sights,” the letter says.

“Indeed, as your predecessor testified before the U.S. Senate Committee on Appropriations in June 2017, ‘the Senate is considered a prime target for cybersecurity breaches.’ The Sergeant at Arms must be transparent in providing members of the Senate all information about the possible existence and scale of successful hacks against the Senate.”

Wyden and Cotton ask Sergeant at Arms Michael Stenger to provide two annual updates to members of the Senate: the aggregate number of Senate computers that have been compromised, and the aggregate number of other incidents in which attackers have gotten access to sensitive Senate data. The letter also asks that Stenger’s office “Commit to a policy of informing Senate leadership and all of the members of the Senate Committees on Rules and Intelligence, within 5 days of discovery, of any breach of a Senate computer.”

This is the second time in the last few months that Wyden, who focuses quite often on privacy and security issues, has asked something similar of Stenger’s office. In September 2018, Wyden sent a letter to several Senate leaders, asking them to allow the SAA’s office to provide cybersecurity services to Senate staffers and members for their personal devices. Wyden also asked the Federal Election Commission if he could use surplus campaign funds to help secure personal devices, which the FEC approved in December.

“Yes, you may use campaign funds to pay for cybersecurity protection for your personal devices and accounts. Such expenses fall within the uses defined as permissible under the Act: ordinary and necessary expenses incurred in connection with the duties of the individual as a holder of federal office,” the FEC’s answer said.