“A person can sit in here for long periods of time without surveillance,” the memo said of the atrium. Indeed, a CQ Roll Call reporter spent several hours in the atrium on a quiet Friday afternoon, sitting on the floor surrounded by cables and Ethernet cords and periodically fiddling with the WAP itself. The foot traffic was negligible and never once did a Capitol Police officer come by.
“This type of unattended access could be used to monitor data traffic on the wired and wireless House networks or more ominously, could be used as an entry point to launch an attack such as a worm,” according to the memo.
The memo also expresses concern that systems administrators for member offices do not have to obtain high-level security clearances to receive a congressional ID and access to sensitive information.
“Relevant stakeholders might ask themselves what would prevent a foreign intelligence agency from trying to recruit contractors who have this type of access and often earn between just $45,000-$50,000 per year,” the memo reads.
It addresses physical security gaps that fall into the jurisdiction of the Capitol Police and House Sergeant-at-Arms as well.
Staffers and credentialed persons are allowed to place their drinks on the tables next to security scanners and metal detectors and pick their beverages up on the other side without the contents being scrutinized, for example.
The administrator’s memo also points out that third-party contractors driving vehicles laden with sensitive goods are not always monitored when they arrive on Capitol Hill.
House Sergeant-at-Arms Paul Irving declined to comment for this article. A senior House security official, however, emphasized that in regard to checking beverages for smuggled items, Capitol Police officers are always vigilant. And while issues with unchecked contractor vehicles were a problem at one time, they have been resolved.
Dan Weiser, a spokesman for the House chief administrative officer, said the office “does not discuss or comment on House IT security.”
He also would not comment on whether the CAO had received a copy of the memo.
But a person familiar with House administrative issues noted that security — physical, technological or otherwise — is everyone’s responsibility. House offices are free to hire whomever they want to oversee their computer systems, and chiefs of staff need to be vigilant about keeping their mobile devices guarded with strong password protections.