The government agency responsible for policing the Senate’s cybersecurity doesn’t actually protect staffers’ personal devices or accounts, creating what one former congressional staffer called “a major threat vector” for foreign hackers.
“If I were a foreign intelligence service, I would be looking at every single congressional staffer, then I’d look at their personal email accounts because they’re all using Gchat,” said Daniel Schuman, a former House of Representatives staffer and the current chair of the Congressional Data Coalition, a nonprofit group that urges Congress to become more transparent and tech-savvy. “The Senate is not doing anything, nor is the House, to protect that,” Schuman told BuzzFeed News.
That gap in security was brought front and center for Senate IT staffers on Jan. 12, when cybersecurity firm Trend Micro announced findings that seven months earlier, the same Russian government hacking group responsible for hacking Democratic Party targets in 2016 had created a phishing campaign that specifically targeted Senate staffers’ emails.
There’s no indication that the attempts were successful, and Trend Micro immediately alerted the FBI and the Office of the Sergeant at Arms, the agency responsible for Senate security, the firm said. Hours after Trend Micro’s report, multiple Senate staffers told BuzzFeed News, the sergeant-at-arms called a private meeting of Senate IT personnel to assure them that there was no real threat, as it had blocked the avenues the hackers would have tried to use. It also sent them the following email:
CYBERSECURITY ALERT: Potential Russia-Related Activity
Media outlets recently reported attempts to target the U.S. Senate via spear phishing using suspicious domains that mimic U.S. Senate domains.
The Sergeant at Arms, CIO Cybersecurity Department, continues to provide proactive Cybersecurity defenses against sophisticated, socially engineered traps, by identifying and defending against potentially malicious domains and working with Cybersecurity researchers to detect and defend against malicious spear phishing attempts.
But in that meeting, the agency spelled out what it would and would not cover. “The SAA believes that they are not allowed to use their government resources to secure the personal accounts of members or staff,” a source familiar with the meeting told BuzzFeed News. “They believe that there is a strict line in the sand.”
Reached for comment, a sergeant-at-arms representative declined to give a formal statement, but told BuzzFeed News that its cybersecurity team’s specific directive is to protect Senate email accounts and Senate-issued devices.
But that could be a problem if a Senate staff member – there are thousands – uses a Senate device to also access personal email. If the staffer downloads a malicious program from personal email on a Senate-issued computer, that program runs on the Senate device with the staffer's access regardless of which mailbox delivered it, and a defense scoped only to Senate accounts never sees the message that carried it.
Intelligence services have for years demonstrated the ability to turn a hacked phone into a secret microphone, and congressional staffers rarely leave their phones outside before attending a meeting.
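The campaign described above relied on domains that mimic U.S. Senate domains, and the Sergeant at Arms email says its defense is to identify such domains. The script below is an added illustration of that kind of check; it is not from the article, from Trend Micro, or from the Senate's own tooling. It pulls the sender domain and every link host out of a constructed sample message and tests each against a trusted-domain list for three lookalike patterns: confusable-character substitution, the trusted name embedded as a subdomain of someone else's domain, and near-miss spellings. The trusted list (only senate.gov), the confusable table, the edit-distance thresholds and the sample message are all assumptions made for the example.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: senate.gov is the only legitimate domain.
# A real deployment would load the organisation's full allow-list.
TRUSTED_DOMAINS = ("senate.gov",)

# Character sequences commonly swapped into lookalike hostnames -> what they imitate.
CONFUSABLES = {"0": "o", "1": "l", "q": "g", "rn": "m", "vv": "w"}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def edit_distance(a, b):
    """Levenshtein distance; small enough to avoid a third-party dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(host):
    """Rewrite confusable sequences so that 'senate.q0v' reads as 'senate.gov'."""
    for bad, good in CONFUSABLES.items():
        host = host.replace(bad, good)
    return host


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_host(host):
    """Return reasons a hostname looks like an imitation of a trusted domain.

    An empty list means the host is trusted or shows no lookalike pattern.
    """
    host = host.lower().rstrip(".")
    if is_trusted(host):
        return []
    folded = fold_confusables(host)
    reasons = []
    for trusted in TRUSTED_DOMAINS:
        # 1. Homoglyph / digit substitution: only the confusable characters differ.
        if folded != host and is_trusted(folded):
            return [f"confusable: {host} reads as {folded}"]
        # 2. Trusted name used as a leading subdomain of an attacker-controlled
        #    domain (senate.gov.attacker.example).
        if f".{trusted}." in f".{folded}.":
            reasons.append(f"embedded: {trusted} is a subdomain prefix of {host}")
        # 3. Near-miss on the whole name (senat.gov) or on the registrable label
        #    with hyphens standing in for dots (senate-gov.com, senategov.com).
        labels = folded.split(".")
        for i in range(len(labels) - 1):
            suffix = ".".join(labels[i:])
            if 0 < edit_distance(suffix, trusted) <= 2:
                reasons.append(f"near-miss: {suffix} is within 2 edits of {trusted}")
                break
        if len(labels) >= 2:
            registrable = labels[-2].replace("-", ".")
            if edit_distance(registrable, trusted) <= 1:
                reasons.append(f"near-miss: label {labels[-2]} imitates {trusted}")
    return reasons


def scan_message(raw):
    """Map each flagged hostname in a raw RFC 822 message to its lookalike reasons."""
    msg = email.message_from_string(raw)
    hosts = set()
    sender = parseaddr(msg.get("From", ""))[1]
    if "@" in sender:
        hosts.add(sender.rsplit("@", 1)[1])
    for url in URL_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    findings = {}
    for host in sorted(hosts):
        reasons = classify_host(host)
        if reasons:
            findings[host.lower()] = reasons
    return findings


# Constructed sample message for this example (not a real phishing email).
SAMPLE_MESSAGE = """From: "Senate Help Desk" <helpdesk@senate.gov.secure-login.example>
To: staffer@senate.gov
Subject: Password expiration notice
Content-Type: text/html

<p>Your password expires today. Sign in at
<a href="https://adfs.senate.q0v/login">https://www.senate.gov/</a>,
<a href="https://senate-gov.com/reset">reset here</a>, or verify at
https://senat.gov/verify. The official site is https://www.senate.gov/.</p>
"""

if __name__ == "__main__":
    for flagged_host, why in scan_message(SAMPLE_MESSAGE).items():
        print(flagged_host, "->", "; ".join(why))
```

Note that the first link's visible text is the real www.senate.gov address while its href points at a confusable host, which is why the check works on extracted hostnames rather than on what the recipient sees. String heuristics like these are a first pass only; a defender would also watch domain registrations and certificate transparency logs for the same patterns and block the hosts at the mail gateway and proxy.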
“What foreign actors are looking for is insight into the legislative process — what people are saying, what’s moving, what’s not moving — and then ways of influencing that process,” Schuman said.
In March 2016, the same Russian hacking group suspected of trying to hack the Senate email system pulled off one of the most successful phishing attempts in history, when Charles Delavan, an aide to Democratic presidential candidate Hillary Clinton, told her campaign chair, John Podesta, that a suspicious link to his personal Gmail account was actually safe. He clicked the link and gave it his Gmail password, allowing the hackers to download years of his correspondence with Clinton. WikiLeaks soon began posting those emails, which became campaign ammunition for her opponent, Donald Trump.
Most Senate offices have one dedicated IT professional, meaning the responsibility of ensuring that personal devices and personal email accounts are secure falls on those individuals.
“It’s not uncommon for staff to use their personal account for work business, like Gchat, which is something that most folks use all the time. When I was a staffer we used AOL Instant Messenger, but the idea is the same,” Schuman said.
“The House and Senate don’t make available tools that allow them to do the work they need to do, so it’s inevitable and inescapable that they're going to find tools that will work for them,” Schuman said. “They become miniature vectors for doing the official work of Congress, which is a problem.”
Emma Loop contributed additional reporting to this story.
Kevin Collier is a cybersecurity correspondent for BuzzFeed News and is based in New York.