Lawmakers and their staffs have been aware for years that their internet communications could be prime targets for both foreign and domestic spies.

But after last year’s hacking of the Democratic National Committee by Russian operatives, many are reassessing security protocols that once seemed sufficient — even overbearing — and finding them lacking.

“Many of us on the Hill had this this sense that others might get hacked, but we were safe here,” said one chief of staff who left her House office recently and spoke on the condition of anonymity. “The more that you see, the more indication there is that that just wasn’t true.” She was one of several current and recently departed senior-level congressional staffers who discussed their offices’ cybersecurity practices with Roll Call.

Most said they were generally impressed with how well both the House and Senate have managed to keep potential attacks at bay, and that they felt their internal communications were secure. But some said the revelations from the multiple investigations into Russian hacking had led them to question common practices in their offices.

Security experts say they have seen evidence of potential areas of concern. They also acknowledged the unique challenges in Congress — slow to implement change, reluctant to spend money on itself and a beacon, perhaps, but not of technology. 

More than 20,000 employees have access to congressional networks, a work pool that churns with interns, short-term employees and staffers switching jobs. The Capitol building and its office complexes are open to a constant stream of tourists, visitors and other guests. And 535 lawmakers act as autonomous bosses in their own offices.

“I wonder at how Congress in particular is not compromised more often,” said Seamus Kraft, whose nonprofit OpenGov Foundation develops technology to support local, state and federal governments.

Unclear protocol

House and Senate officials are generally vague about security procedures, providing broad outlines in public documents and hearings. But lawmakers who wish to draw attention to specific areas of concern will sometimes lift the veil.

In April, for example, Sen. Ron Wyden’s office sent the Senate Rules and Administration Committee a letter urging the chamber to implement a basic security practice called two-factor authentication.

That procedure, widely considered one of the easiest ways to safeguard a computer network from hackers, requires users to supplement their passwords with a second layer of security, such as a USB key or a smartphone. In the executive branch, employees are issued ID cards with chips for this purpose. In the Senate, Wyden’s letter pointed out, the staff ID cards have only pictures of chips.

The Oregon Democrat followed up in May with another letter to the Senate sergeant-at-arms, thanking him for transitioning all committee and member websites to the default use of HTTPS encryption. HTTPS configured webpages protect users from third-party meddling, securing information that is entered on the page and ensuring the content is authentic. The protocol has been around since 1995 and was instituted by major companies such as Google, Wikipedia and The New York Times years ago.

Wyden also lauded the office for approving an encrypted messaging app, Signal, for staffer use.

“I’ve pushed for smarter tech policy for years, and that includes making sure the Senate takes commonsense steps to protect our systems from foreign hackers and spies,” he said last week. “There’s more work to do. I’m continuing to call for upgrades to our security, including two-factor authentication for Senate email and desktop accounts.”

Asked about Senate policies regarding two-factor authentication and other tools to safeguard accounts, a Senate sergeant-at-arms spokeswoman said the office “operates under guidance from multiple Senate sources.”

She did not explain what those sources are, what the guidance is, and how it would translate into policy or recommendations. But she did say “one of those sources mandates the use of Senate-provided communications for Senate official data.” She continued: “This includes the use of two-factor authentication when accessing the Senate network via VPN connections.”

Asked to clarify, she said in an email, “As executive officer of the Senate, the Sergeant at Arms enforces all rules of the Senate to include those set by the Committees that determine cybersecurity policy.”

Expert concerns

The slow adoption of basic protections raises flags among security experts.

“I don’t know whether anyone has hacked the U.S. Congress, however, I do know that the security is very lax,” said Toomas Hendrik Ilves, the former president of Estonia, who is an internationally recognized expert on cybersecurity. “Until you have two-factor authentication, I would be careful what you put in your emails, lest you find it on the front page of The New York Times in a few days.”

Ilves testified at a Senate hearing on Russian espionage in March and is a distinguished visiting fellow at the Hoover Institution at Stanford University.

In May, the Information Technology and Innovation Foundation, a nonprofit think tank that works to spur technological innovation through public policy, tested security and user-friendliness of legislative branch websites and found only 29 percent had successfully implemented a security feature that prevents attackers from directing users to malicious sites. The websites also performed poorly in tests of load speeds and accessibility, and worse than sites tested in the executive branch.

“It’s not hard to imagine that if you are not doing the best practices in these areas, you probably aren’t in other areas,” said Daniel Castro, the foundation’s vice president. “When Congress passes the laws that regulate how federal websites can operate, they don’t apply those rules to themselves.”

He pointed out that executive branch agencies perform annual security audits and publish their findings. Congress does not. That, he said, is a problem. “You want to see an agency say it has done an audit, it has identified a problem and taken security measures,” Castro said. “I have never seen that from Congress.”

It is unclear whether the House has a blanket policy regarding two-factor authentication. 

“The House has set policies that govern how House-data is accessed and managed,” a House Administration Committee spokeswoman said in response to questions about that and other security policies and recommendations. “This includes using a mix of standards, industry practices, and set policies to provide the best protection of data possible.”

Staff members are required to take an annual training that includes lessons and quizzes, she said, but did not elaborate on specific security protocols.

Individual office policies

Reps. Will Hurd, R-Texas, and Ted Lieu, D-Calif., outlined concerns about “the security culture” in a letter to their colleagues last year. That letter urged lawmakers to adopt two-factor authentication, use complex passwords, install anti-virus software and use encryption messaging apps, implying that such practices were not uniform.

Several staffers said their offices had their own IT support staff who had implemented security measures beyond those required, but they were unsure how universal such practices were.

“The overarching concern in the House is the lack of consistency,” said Alex Schriver, who was chief of staff for Rep. Bradley Byrne, R-Ala., until March. “There’s not really a guidance set forth in terms of what you have to do.”

He said he was lucky in Byrne’s office to have a “highly capable” shared employee who handled information security for his and other offices. Still, others used outside vendors or relied on House IT staff.

Schriver is now a senior vice president at Targeted Victory, a public affairs, strategy and marketing agency.

He and other current and former senior staff members also said it was common for employees to use use Gchat, Google Documents and other commercial communication and data-sharing services on private accounts to conduct official businesses. Employees would also frequently email themselves documents to work from home, many said. Some said such practices were strongly discouraged, but others said they had never had any official guidance about it.

“We would share Google Docs to track amendments on bills,” said one former chief of staff. “We used Instant Messenger when that was a thing, but when Gchat took over, it just replaced picking up the phone and buzzing your colleagues.”

In the Senate, “official business should be conducted using Senate-provided services,” the sergeant-at-arms spokeswoman said.

Security experts said using outside services could expose employees, especially if they use the same password for their private and work accounts, and make it difficult for officials to manage the risk.

Recent episodes

Several potential cybersecurity breaches have reached into the highest levels of the House and Senate in recent months.

Five IT staffers who had links to Pakistan and worked for dozens of Democratic lawmakers have been caught up since February in a criminal investigation involving the theft of equipment, including that of former DNC Chairwoman Debbie Wasserman Schultz of Florida.

That investigation has been shrouded in secrecy. Charges have not been filed, though the staffers have reportedly been blocked from IT networks. Capitol Police spokeswoman Eva Malecki declined to provide additional information, citing a policy not to comment on ongoing investigations. 

Sens. Martin Heinrich, D-N.M., and Marco Rubio, R-Fla., said at a public hearing in March that they and members of their families and staffs had been targets of cyberattacks.

“I’ve certainly had staff targeted,” Heinrich said at the hearing of the Senate Intelligence Committee. “I’ve had family members who have received these very sophisticated spear phishing and other kinds of approaches. Sometimes, you know where the IP address is coming from because your provider literally tells you, ‘By the way, if you didn’t try to reset your account from Russia at 3:22 p.m., let us know.’”

In April of last year, as Russian hackers roamed undetected through the DNC’s computer system, the House temporarily blocked access to Yahoo Mail because of a ransomware attack focusing on third-party email providers. Staff members said they had periodically received notices of similar detected breaches.

One former IT staffer said the congressional system is more sophisticated than the DNC’s. “They have a whole team of people whose job is to think of every random security thing,” he said. “As far as I know, there were no big gaping doors that were left open.”

The network is compartmentalized enough that hackers would not be able to move around freely, even if they got inside, he said.

Taking action

Officials in both the House and Senate have said they are focusing on stepping up cybersecurity protections, including increased training for staff members and lawmakers.

House Administration Chairman Gregg Harper said it was a priority for his committee. 

“We want the House community to understand that cyber threats are real and the House is a major target,” the Mississippi Republican said. “We are working with House officers, members, and their staffs to make sure our systems are secure.”

A report issued in June to accompany the fiscal 2018 House legislative branch appropriations bill, the document that allocates spending for in-house security, said the House Chief Administrative Office would receive $10 million in additional funding for cybersecurity.

“Protecting mobile devices and home computing devices are areas the Committee is pleased to see the CAO is making strides in,” the report said. It also noted that the House had prevented an estimated 4.7 billion attacks in 2016. The House Administration spokeswoman did not answer a question about how that figure was calculated.

Frank J. Larkin, the Senate’s sergeant-at-arms, similarly said at a June 29 budget hearing that his office is focusing on updating its software and policies. He also said that the landscape is constantly changing.

“The fact of the matter is that we are in a constant blocking and tackling drill,” he said. “This is a knife fight that is not going to end anytime soon.”