Capitol Evaluates Own Cybersecurity After OPM Hack
As news broke that data breaches at the Office of Personnel Management affected more than 22 million people, Senate staffers received a notice from the Senate Sergeant-at-Arms about the chamber’s own cybersecurity.
“As a result of recent data breaches in other areas of government, a reassessment of our cybersecurity posture was implemented,” read the Thursday email obtained by CQ Roll Call. The message then described updates to logging into the Senate’s Web VPN service, or workers’ remote access to their Senate accounts.
The missive reflected that campus administrators are looking inward at the Capitol’s cybersecurity systems following the massive data breach at the OPM, which affected congressional staffers and some members of Congress, since staffer and member data is transferred to the OPM when they leave service. The breach led to intense criticism of the agency, culminating in OPM Director Katherine Archuleta’s resignation on Friday.
“Cybersecurity of the Senate network is a never-ending process requiring constant vigilance,” said a source with the Senate Sergeant-at-Arms. “We continuously review tactics, techniques and procedures to protect, defend, detect and remediate if necessary. Learning from other attacks/breaches helps us identify potential gaps and opportunities for improvement in all Senate systems.”
The office of House Chief Administrative Officer Ed Cassidy deals with cybersecurity on the other side of the Capitol, but a spokesperson declined to say whether the the House underwent a similar assessment. “Cybersecurity is a top priority for the House but for security reasons we don’t talk specifics,” CAO spokesperson Emily Goodin wrote in an email.
But some lawmakers said Friday the OPM incidents called for a reevaluation of cybersecurity across the federal government, including the legislative branch.
“Certainly,” said Rep. Barbara Comstock, R-Va., when asked if the OPM breach caused her to rethink cybersecurity at the Capitol. “We’re asking how we can be beefing up the systems everywhere, including here.”
As a former congressional staffer, Comstock received a notice that her own information was compromised in the breach, and her Northern Virginia district is home to scores of federal workers who were affected. Comstock also sits on the House Administration Committee, which has jurisdiction over the CAO.
On June 3, the day before OPM announced its first breach of federal employee data, Cassidy testified in front of House Administration that “there’s no higher priority for us than cybersecurity.”
House Administration Chairwoman Candice S. Miller, R-Mich., said the House has been proactive on cybersecurity and committee staff has regular discussions with the CAO on the issue. “We haven’t had data compromised,” Miller said. “But we are a target, of course. And so, yes, I do have concerns about that.”
The committee’s Democratic side agreed cybersecurity is a top priority. “We are constantly and vigorously examining and improving our information security systems, policies and procedures to protect important information and House operations,” said Jamie Fleet, the House Administration Committee’s Democratic staff director.
Miller said she believed the cybersecurity posture was strong in the House, though she noted the Senate likely lags behind. “I think we were ahead of the Senate. … I think the Senate was looking at some of the things that we’d done here,” Miller said, though she declined to provide specifics.”
But the OPM breach apparently prompted Senate administrators to evaluate their own systems. Executive officials revealed Thursday that the OPM breaches occurred when the perpetrators, who have still not been identified, accessed the OPM networks through a contractor’s compromised username and password.
The Senate upgrade in the memo involves altering how users remotely access the “resources assigned to their individual network account,” according to a Sergeant-at-Arms source. Users could previously access their accounts through a “Passfaces” login, which involved being assigned a series of pictures of faces, and correctly choosing those faces in order to log in. The Passfaces login will be decommissioned as of July 31, and users will be able to log in by acquiring secure “tokens.”
Despite the assessment, lawmakers said the Capitol must remain vigilant on the cybersecurity front.
“There’s always more on cybersecurity issues,” said House Administration Committee member Rodney Davis, R-Ill., “because you’re constantly fighting an enemy that continues to evolve in the practices that they’re using to create havoc in the cybersecurity realm.”
Hannah Hess contributed to this report.