An enterprising computer hacker or foreign intelligence agent would have little problem hacking into the House of Representatives’ information technology systems, an unauthorized review of the chamber’s cybersecurity found.
Vulnerabilities on the House side of the Capitol complex include exposed, unattended cables and network equipment as well as a lack of policing at security checkpoints, according to two systems administrators who work on a contract basis for multiple House members — including those who sit on sensitive committees such as the Intelligence panel.
The chamber also appears to lack sufficient authentication for contractors who call the House’s official computer “help desk” to request activation passwords for the BlackBerrys of members or staff.
“It’s a hacker’s dream,” one of the administrators said.
In an anonymous July 8 memo to House security stakeholders, that administrator wrote that he conducted the review “out of genuine regard for the safety and continued operation of the Congress.”
A congressional office that employs the administrator says the memo was hand-delivered to the two relevant House offices — House Security, part of the House Sergeant-at-Arms Office, and Information Security, part of the office of the House Chief Administrative Officer — earlier this month as a courtesy and out of concern for the issues being raised.
The memo, obtained by CQ Roll Call, indicates points around the House office buildings where individuals with sophisticated technology expertise and malicious intent could tap into the computer system and wreak havoc.
“Think of your house,” said the second administrator, in discussing his colleague’s report. “You have a front door and a back door. If someone has the keys to either door, they can get inside. If they know what they’re looking for, they can take it.”
The same goes for a hacker: Once he or she can get inside the House’s network or a member’s BlackBerry, the possibilities are limitless, because a hacker knows what to look for and how to get it.
As observed by CQ Roll Call, help desk attendants readily offer such passwords to contractors over the phone without asking any other questions to ensure the contractors’ identity or their authorization to make such requests.
“To believe that other countries don’t send intelligence agents onto this campus is beyond naive,” the memo notes.
Prime opportunities for hacking, according to the memo, exist in some secluded areas around the Capitol, where wireless access points, or WAPs, sit exposed.
The WAP is a lightweight physical device, about the size of a small dinner plate, that sends out the wireless signal. WAPs, the administrators say, should be mounted on the wall or ceiling, or somewhere generally out of reach.
With a WAP on a piece of furniture in a secluded public area — such as the first-floor atrium in the Rayburn House Office Building — anyone could come and replace it with a “state-engineered clone device” or possibly a network tap.