When Russian hackers targeted Sen. Claire McCaskill’s office, staffers did not take the bait.
That could mean the money Congress poured into improved training and a more robust information security posture for staff is working. But the legislative branch is still playing catch-up in getting ahead of threats.
McCaskill’s staff may have been better prepared than others on Capitol Hill. She has advocated improved information security fluency and, as the top Democrat on the Senate Homeland Security and Governmental Affairs Committee, she has pushed for a more robust information security workforce.
The House mandated information security training for all employees in early 2015. All staffers who have a House network username and password must complete annual training.
In the Senate, there is no equivalent requirement. Sessions on awareness best practices are offered to member offices, committee staff and staffers working in state offices. Sergeant-at-Arms Michael Stenger said in May the SAA had hosted 52 cyber awareness seminars since the start of 2017.
For fiscal 2018, lawmakers boosted funding for Senate Sergeant-at-Arms efforts to bolster Senate networks and protect users by $12.5 million, and added $4 million for Senators’ office accounts focused on office- and staff-level measures.
There are thousands of users with access to the Senate networks, but policies vary between offices. Staffers eager to use dynamic technology, like Dropbox and Google Docs, often pull network users outside of the established security framework. That makes development and enforcement of a blanket security policy an added challenge.
“The system is only as good as the people that are using it,” said Stenger.
As chief law enforcement officer of the Senate, the Sergeant-at-Arms office is charged with maintaining security in the Capitol, including all computer and technology support services for the Senate.
At a May hearing on the SAA’s budget request for the coming year, Stenger told lawmakers that technical solutions, such as firewalls, anti-spyware and anti-virus, aid in protecting Senate data, but humans are still the key.
“End-users are still the first and most effective line of defense for protecting the security of sensitive information,” Stenger said.
Staffers are the primary end users in the Senate. They comprise more than 20,000 employees, a work pool that churns with interns, short-term employees and staffers switching jobs, all of whom have access to congressional networks.
The hacking attempt on McCaskill reportedly came in the form of a phishing attack, in which the target receives an email prompting a password change and is led to a malicious site that mirrors the legitimate Senate login page. The Daily Beast reported the tactic was similar to one successfully implemented by Russian hackers when they hacked into the Democratic National Committee in 2016.
“Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable,” said McCaskill in a statement. “While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated.”
Even basic steps to protect sensitive information are not yet standard practice on Capitol Hill.
Senate Appropriators in 2017 requested the SAA’s office provide a report to the panel on the cost of implementing a multifactor authentication system for Senate staff. The lack of two-factor authentication to that point is evidence the Senate has lagged behind the private sector and other federal entities in cyber protections.
The request said the Senate should meet the same standards mandated of federal agencies in Homeland Security Presidential Directive 12, which was issued by President George W. Bush in 2004 to set a standard for secure and reliable identity authentication.
Bridget Bowman contributed to this report.