Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Senator Wyden: Senate Can’t Protect Itself Against Cyberattacks

September 24, 2018

As faithful RTL readers will know, I am a huge fan of Senator Ron Wyden. My favorite squeaky wheel is back in the news. As Ars Technica reported on September 20th, Wyden has written a letter to Senate leadership decrying the lack of assistance that the Senate's own information security team can provide in protecting senators' accounts and devices from targeted attacks, even as evidence mounts that such attacks are being staged.

According to Wyden, his office had discovered that "at least one major technology company" had recently detected targeted attacks against members of the Senate and their staffers—and that these attacks had apparently been conducted by groups tied to foreign intelligence agencies.

Microsoft reported thwarting spear-phishing attacks staged by a group tied to Russia's Main Intelligence Directorate (GRU) against members of the Senate in August. And the US Senate's own systems have been targeted in the past, including a June 2017 effort by the same GRU group (known as "Fancy Bear," "Pawnstorm," and "Sofacy") that created a server spoofing the Senate's own Windows Active Directory Federation Services (ADFS), according to a report from Trend Micro.

So why do we have such a problem? Current law and Senate rules allow the Senate's Sergeant at Arms (SAA) Office—which oversees Senate computers, telecommunications, and technology support services (among other things)—to handle security only for systems specifically owned by the Senate. But the SAA does not handle security for mobile devices or other Internet-based services. The SAA team has a lot on its plate already—and has a few information security job openings at the moment. But with information security within Senate offices left largely to senators and the staffers themselves beyond their senate.gov email accounts and the Senate's physical network, there remains a significant attack surface for foreign adversaries to target. Pretty amazing leaving that attack surface so exposed.

In Wyden's letter, a copy of which was obtained by the Associated Press, Sen. Wyden told Senate Majority Leader Mitch McConnell, Minority Leader Chuck Schumer, Chairman of the Senate Committee on Rules and Administration Roy Blunt, and ranking Democratic committee member Amy Klobuchar of his "serious concern that the US Senate Sergeant at Arms apparently lacks the authority to protect US Senators and Senate staff from sophisticated cyber attacks directed at their personal devices and accounts." Wyden said he would be introducing legislation that would allow the Senate Sergeant at Arms, who oversees all Senate security, to provide cybersecurity support "on an opt-in basis" for senators and their staff.

Not sure it should be opt-in, but at least it is a step in the right direction.

You may recall that, in April, Wyden raised objections over the lax physical security measures for Senate staff—including ID badges that just have pictures of smart chips like those on other access cards used across government agencies, rather than actual chips, and therefore provide no access controls.

You simply can't make that s*** up. Pictures of smart chips. Good heavens!
