An enterprising computer hacker or foreign intelligence agent would have little problem hacking into the House of Representatives’ information technology systems, an unauthorized review of the chamber’s cybersecurity found.
Vulnerabilities on the House side of the Capitol complex include exposed, unattended cables and network equipment as well as a lack of policing at security checkpoints, according to two systems administrators who work on a contract basis for multiple House members — including those who sit on sensitive committees such as the Intelligence panel.
The chamber also appears to lack sufficient authentication for contractors who call the House’s official computer “help desk” to request activation passwords for the BlackBerrys of members or staff.
“It’s a hacker’s dream,” one of the administrators said.
In an anonymous July 8 memo to House security stakeholders, that administrator wrote that he conducted the review “out of genuine regard for the safety and continued operation of the Congress.”
A congressional office that employs the administrator says the memo was hand-delivered to the two relevant House offices — House Security, part of the House Sergeant-at-Arms Office, and Information Security, part of the office of the House Chief Administrative Officer — earlier this month as a courtesy and out of concern for the issues being raised.
The memo, obtained by CQ Roll Call, indicates points around the House office buildings where individuals with sophisticated technology expertise and malicious intent could tap into the computer system and wreak havoc.
“Think of your house,” said the second administrator, in discussing his colleague’s report. “You have a front door and a back door. If someone has the keys to either door, they can get inside. If they know what they’re looking for, they can take it.”
The same goes for a hacker: Once he or she can get inside the House’s network or a member’s BlackBerry, the possibilities are limitless, because a hacker knows what to look for and how to get it.
As observed by CQ Roll Call, help desk attendants readily offer such passwords to contractors over the phone without asking any other questions to ensure the contractors’ identity or their authorization to make such requests.
“To believe that other countries don’t send intelligence agents onto this campus is beyond naive,” the memo notes.
Prime opportunities for hacking, according to the memo, exist in some secluded areas around the Capitol, where wireless access points, or WAPs, sit exposed.
The WAP is a lightweight physical device, about the size of a small dinner plate, that sends out the wireless signal. WAPs, the administrators say, should be mounted on the wall or ceiling, or somewhere generally out of reach.
With a WAP on a piece of furniture in a secluded public area — such as the first-floor atrium in the Rayburn House Office Building — anyone could come and replace it with a “state-engineered clone device” or possibly a network tap.
“A person can sit in here for long periods of time without surveillance,” the memo said of the atrium. Indeed, a CQ Roll Call reporter spent several hours in the atrium on a quiet Friday afternoon, sitting on the floor surrounded by cables and Ethernet cords and periodically fiddling with the WAP itself. The foot traffic was negligible and never once did a Capitol Police officer come by.
“This type of unattended access could be used to monitor data traffic on the wired and wireless House networks or more ominously, could be used as an entry point to launch an attack such as a worm,” according to the memo.
The memo also expresses concern that systems administrators for member offices do not have to obtain high-level security clearances to receive a congressional ID and access to sensitive information.
“Relevant stakeholders might ask themselves what would prevent a foreign intelligence agency from trying to recruit contractors who have this type of access and often earn between just $45,000-$50,000 per year,” the memo reads.
It addresses physical security gaps that fall into the jurisdiction of the Capitol Police and House Sergeant-at-Arms as well.
Staffers and credentialed persons are allowed to place their drinks on the tables next to security scanners and metal detectors and pick their beverages up on the other side without the contents being scrutinized, for example.
The administrator’s memo also points out that third-party contractors driving vehicles laden with sensitive goods are not always monitored when they arrive on Capitol Hill.
House Sergeant-at-Arms Paul Irving declined to comment for this article. A senior House security official, however, emphasized that in regard to checking beverages for smuggled items, Capitol Police officers are always vigilant. And while issues with unchecked contractor vehicles were a problem at one time, they have been resolved.
Dan Weiser, a spokesman for the House chief administrative officer, said the office “does not discuss or comment on House IT security.”
He also would not comment on whether the CAO had received a copy of the memo.
But a person familiar with House administrative issues noted that security — physical, technological or otherwise — is everyone’s responsibility. House offices are free to hire whomever they want to oversee their computer systems and chiefs of staff need to be vigilant about keeping their mobile devices guarded with strong password protections.