Congress’s IT Infrastructure Is a Disaster Waiting to Happen—Here’s How to Start Fixing It
Over a month after the insurrection, the significance of the cybersecurity-related damage remains unknown. Congress should take this moment as an opportunity to shore up the Capitol's digital systems.
Published by The Lawfare Institute
in Cooperation With
The Jan. 6 attack on the U.S. Capitol was shocking for several reasons: the effort to subvert the democratic process, its incitement by a sitting president, and the chaos and violence that ultimately left five people dead.
Although less immediately obvious, the list of cybersecurity concerns stemming from the attack is also daunting. A mob had unfettered physical access to congressional offices for several hours. Electronic devices—including at least two laptops—were stolen. Photos from the scene indicate that congressional staffers fled so quickly that at least one computer was left unlocked, with emails still visible on the screen. Any sensitive information compromised, accessed, or removed during the attack could potentially be extracted and exploited.
Over a month after the insurrection, the significance of the cybersecurity-related damage is still unknown. While at least one person has been arrested in connection with the theft of a stolen laptop, the devices still appear to be missing. Congress’s informational technology (IT) professionals have undoubtedly been working long hours to scan networks and clean computers, but it remains to be seen what remediation efforts will find. A final answer may never be made public.
Regardless, as much as the Jan. 6 attack was a wakeup call that the Capitol’s physical security systems and emergency protocols were inadequate, it’s now just as clear that its digital systems need to be shored up as well.
The simple fact is that Congress’s IT woes have been a long time coming. While members of Congress have roundly criticized federal agencies—such as the Office of Personnel Management, after that agency’s systems were breached by foreign actors—the Hill’s cybersecurity protocols have long lagged far behind. Partially contributing to this lag in congressional cybersecurity is Congress’s decentralized structure, which has been compared to 535 small businesses or even virtual “fiefdoms.” While there are some common IT standards and a shared network across the House and the Senate, many technology-related decisions are made by individual congressional offices—from procuring devices to staff structure and resource allocation, across both district and D.C.-based offices. This results in a “potpourri” of different devices and protocols, and encourages fragmented security practices. That’s not necessarily bad: Introducing network segmentation, for example, can help prevent malicious actors from moving effortlessly from one office to the next. But without adequate cybersecurity standards or external incentives, there is a great risk that congressional offices will deprioritize cybersecurity in favor of saving time or money.
However, the short-term benefits of cutting corners on cybersecurity pale in comparison to the enormous risks Congress incurs as an institution. There are numerous reasons why a digital breach of Congress is a huge concern. First is the standard fear that classified or otherwise highly sensitive national security information could be compromised. This would be most worrisome in committees that handle matters pertaining to intelligence, armed services, homeland security and the judiciary. Second is the fear that personally identifiable information of staff and constituents could be stolen, such as Social Security numbers or confidential casework information. Finally, there’s the sheer amount of information that passes through Congress’s halls. For any foreign adversary with big data-processing capabilities, this is a veritable treasure trove of information on everything from the movement of members to scheduled trips abroad, and from sensitive legislative priorities to private records of citizens and corporations obtained via subpoena.
All of this data should be secured. While taking action now won’t retroactively secure Speaker Nancy Pelosi’s missing laptop—or fix the problem of attackers having physical access to Capitol devices—starting the process of mitigating Congress’s most immediate technical vulnerabilities now can help prevent future disasters. Luckily, Congress won’t need to start from scratch to do so: Bipartisan security champions in and around Congress have long been pushing to modernize its IT infrastructure and secure its operating protocols. Congress should take this opportunity to enshrine the fundamentals of cyber hygiene, promote various enterprise-level upgrades that would help create a higher base-level of security on the Hill, and elevate the culture around cybersecurity within Congress.
Fundamental Cyber Hygiene
Ensure offices are equipped with the tools to follow cyber basics. The long-established truth is that Congress often has not institutionalized even basic practices that would improve security standards on the Hill. Some of this is because shortcuts make short-term sense in terms of saving both money and time. Sen. Ron Wyden has led a campaign for years to toughen up routine cyber hygiene practices in the Senate, from pushing the implementation of two-factor authentication measures, to calling for encryption on Senate devices, to requesting better disclosure policies when offices are breached. Despite efforts by Wyden and others, the state of basic cybersecurity measures in Congress today is inconsistent. Congress and congressional offices need to follow best practices. Setting up two-factor authentication wherever possible and using long, strong passwords that need not be changed too frequently should be a given. (Evidence shows that forcing people to change their passwords too often may incentivize users to resort to easy passwords—or, worse, to writing them down on sticky notes attached to the device.) These best practices also mean ensuring institutional access to the same type of security tools that private corporations offer their employees—things like enterprise access to encrypted conference call platforms and paid subscriptions to security tools.
Strengthen controls on “shadow” IT and personal devices and accounts. Cybersecurity efforts often treat humans as a bug rather than a feature. This is particularly true in Congress, which has made an art form out of blending official processes—like voting—with unofficial ones—like hotlining and handshakes. But in some cases, unofficial methods can pose a problem. Shadow IT networks often exist in parallel to approved networks—unauthorized systems, software, networks and/or personal devices used by staffers for government work. For busy staffers, it may often be easier, cheaper or more efficient in the moment to avoid official channels and approved devices (something that isn’t unique to Congress: think Donald Trump’s cellphone or Hillary Clinton’s emails). But the risk of having these unsecured, often uncounted assets transmitting or storing data is a real vulnerability. Hackers frequently access private accounts of government officials—perhaps most famously, it happened to John Podesta in 2016.
Audit the security standards of individual offices. The heart of cybersecurity is compliance with security standards. Congressional IT or independent contractors should be empowered to conduct routine, low-stakes audits of each office to ensure basic best practices are being followed and any vulnerabilities are identified. This initiative could even be handled as a “red team” exercise where government-hired pen testers check the cybersecurity of each office by attempting to break into their systems and steal data. Extra time, training and resources can then be directed toward low-performing offices. This practice could help curb unauthorized practices that invite significant risks. For example, despite having access to networked file storage, many staffers still store information on individual computers—meaning that the data is harder to safeguard and easier for criminals or foreign adversaries to extract if a device is stolen. Audits would also help ensure that Congress has an accurate list of all digital assets and networks that transmit and store sensitive data.
Enterprise-Level Upgrades
Consider implementing a system of physical log-on tokens or smart card IDs. Many employees in the federal government—and in private industry—are required to present physical tokens in addition to their passwords to log into their devices, whether or not the systems they’re accessing contain classified data. When the token—usually a smart card ID—is removed from the device, it automatically locks. This change alone would have prevented the viral image of the unlocked computer sitting in Speaker Pelosi’s office during the riot. Bizarrely, most congressional staff do not have smart cards but, rather, ID badges that feature a nonfunctioning picture of a chip. These badges should be upgraded and coupled with devices that allow for the automatic locking and unlocking of computers using the badge.
Centralize cybersecurity standards and investment. The U.S. federal government—despite its use of costly network monitoring systems and more stringent cybersecurity requirements than Congress—has been hacked repeatedly by foreign actors. It’s likely that many congressional offices have too—whether the public knows it or not. Congress needs to invest substantially more into securing and modernizing its IT infrastructure, as outlined in the final report of the Select Committee on the Modernization of Congress. Already, congressional websites are being migrated to the cloud; perhaps now is a good time to transfer the majority of other data there as well. Centralization efforts wouldn’t have to be all-encompassing, and offices could still operate their IT infrastructure independently. However, Congress must empower the offices of the House chief administrative officer and the Senate sergeant at arms with sufficient staff, authority, time and funds to make sure that critical security standards are uniform and upheld. Unfortunately, Congress has been under-resourced in this area for decades.
Yet as important as these technical recommendations are, there is one more piece to the puzzle: a culture among some members of Congress that doesn’t make cybersecurity a priority.
Reform Congressional Culture Around Cybersecurity
Instill culture change from the top down. Members frequently don’t respond well to being inconvenienced by security measures. Perhaps the single greatest technological vulnerability of Congress is its members. Some are technologically savvy, but many lack basic computer skills. It’s now time for everyone in Congress to see cybersecurity as a critical part of their job responsibilities—not an impediment. One way to do this would be to show members the stakes of noncompliance, whether by “red teaming” offices and showing members just how easy it would be for a hacker to breach their security, or even by better disclosing real-world breaches of Congress.
Today, in private industry, it is widely recognized that cybersecurity starts at the top. It’s not just the chief security officer or IT team that is responsible for digital security. The same should be true in Congress, where members themselves need to assume some of the responsibility for compliance. No one wants to interfere with the free flow of information in the halls of Congress. However, as digital information becomes a key target of foreign adversaries, the United States can no longer afford to allow congressional offices to muddle through on their own. In fact, the costs of remediation following a breach or ransomware attack might be far more than the up-front costs to harden these systems now.
In the wake of the much more devastating SolarWinds breach, it might be tempting to dismiss Congress’s security risk in favor of securing executive branch networks. Nevertheless, the Capitol attack illustrated the serious cybersecurity vulnerabilities in the heart of Congress—vulnerabilities that are now perfectly obvious to American adversaries. Without immediate changes and resources, next time might be far worse.