New House Cybersecurity Policies Show Ongoing Threat
In the wake of recent cyberattacks, the House has instituted new policies to strengthen cybersecurity, but some lawmakers acknowledge more must be done to address the ever-changing threat.
The Committee on House Administration sent an electronic “Dear Colleague” letter to congressional offices recently, detailing the new policies aimed at bolstering staff cybersecurity training and centralizing the security structure.
“All of us have been reading about recent cyber-attacks on private companies and government agencies,” House Administration Chairwoman Candice S. Miller, R-Mich., and ranking member Robert A. Brady, D-Pa., wrote in the Jan. 7 letter obtained by CQ Roll Call. They wrote that their committee, along with the Chief Administrative Officer’s Information Security Office, “has been continuously evaluating cybersecurity threats and risks to the House network.”
The first policy detailed in the letter involves placing a time limit on mandatory cybersecurity training for new congressional employees. Training must be completed within 60 days of employment to access the House network.
“We just thought it would be a good thing, particularly for all the new members, to know that this is something that has to happen for their new employees,” Miller said. “We haven’t had really a problem, but you do have a big tranche of new employees.”
All House staffers who have a House network user name and password must complete annual information security training. According to a notice on the internal House website, training must be completed by the end of 2015 and can be taken online or in a classroom setting.
Across the Capitol, cybersecurity training is not mandatory for Senate staff, but it is encouraged. Online and in-person training are also offered to Senate employees.
“One tenet of our security program is that IT security is everyone’s responsibility,” a source with the Senate sergeant-at-arms told CQ Roll Call in an email. “Although technical solutions … go a long way toward protecting online information, end users are still the first and most effective line of defense.”
“The Senate maintains a proactive cybersecurity awareness program that combines face-to-face training with online training that is always available on the IT Security Webster page,” the source added.
Senate Rules and Administration Chairman Roy Blunt said his committee also plans to address cybersecurity in the Capitol. “We’re going to look at our cybersecurity policy and look at what the House has done,” the Missouri Republican said on Feb. 5. “We haven’t done that yet.”
Sen. Pat Roberts, R-Kan., said the Rules Committee discussed cyber-policies during the last Congress, but did not take action.
“We talked about it. I think it, like a lot of things, did fall by the wayside,” Roberts said. “I don’t think we have addressed it to the degree that we have the threat.”
Roberts described his tenure as chairman of the Senate Intelligence Committee, at a time when cybersecurity was a top priority and his offices underwent a security sweep each week.
“We concentrate more on foreign relations, armed services, intelligence,” Roberts said. “That would be what people might think would be a natural target, but it’s almost everything. … I don’t think we’ve looked at it in a comprehensive way to protect what we have here that is classified. But I think we’re going to.”
On the House side, the mandatory training for new staffers is considered a positive step for combating the constant and ever-changing threat.
“I certainly definitely agree with the mandatory training for new staffers, and I think it’s good for even current staffers and members to have refreshers on basic security procedures,” said Rep. Jim Langevin, D-R.I., who is co-chairman of the Cybersecurity Caucus. “One of the key things we have to remember is we’re only as strong as our weakest link.”
Langevin said members of Congress should be required to participate in security training. “It’s not mandatory, but I think that it should be,” Langevin said. “It would be good for all members to go through that basic culture, at least sit down with their IT people and talk about what good cyber hygiene is all about.”
New House members did receive a “security overview” during orientation, and members of Congress can receive cybersecurity training at their request. But, mandatory training for members could be beneficial, especially for members managing their personal email accounts.
House Homeland Security Chairman Michael McCaul, R-Texas, said he’s received phishing emails, or emails from a familiar address that include infected links, from accounts of fellow members of Congress.
“I’ve received a handful over the last year. But when I do get them it is troubling,” McCaul said. “It’s usually from a colleague’s personal email.”
Others argue the Capitol must be vigilant on the technical side, as well as on user training, when combating cyber-threats.
Rep. Rodney Davis, R-Ill., a House Administration Committee member who served as district staffer for fellow Illinois Republican Rep. John Shimkus until 2012, said he did not recall participating in cybersecurity training as a staffer. Davis said while training is necessary, Congress must also keep pace with technological improvements.
“You can train every employee not to click on a phishing email, but if a cyberattack is at the server level, those employees have absolutely nothing to do with it and are all affected,” Davis said.
House Administration also sought to address the technical side with its second new policy, mandating that all systems in the House network participate in cybersecurity computer programs.
Miller said such uniformity was a “very fundamental security protocol.” With hundreds of offices on the House side, a uniform system means improvements can be applied across the board.
“The more uniform things are, you’re going to know how to identify the biggest challenges,” Langevin said. “And if there’s a security patch, for example, that has to be applied, it can be applied system wide as opposed to just in each individual office.”
Langevin and McCaul, who both said they have been briefed on the House security system, emphasized House cybersecurity is tight, but also said there is always room for improvement.
One could involve updating electronic equipment. But improving equipment can clash with spending cuts. House Intelligence Chairman Devin Nunes, R-Calif., testified before the House Administration Committee on Feb. 4 that his committee needed new equipment to protect its information.
“Due to previous budget shortfalls, the committee has delayed updating electronic equipment that is swiftly approaching obsolescence,” Nunes said. “We do not want to … be in a situation where our committee could be compromised, which is why it’s so important that we need to update our computer systems and update our software and servers.”
Langevin said updating computer systems is a challenge with constrained budgets.
“We’re definitely stretched thin up here,” he said. “But we also can’t be penny wise and pound foolish, and putting proper investments in the security realm is an important thing to remember.”