Congress vulnerable to cyberattacks

Security experts warn Congress is vulnerable to cyberattacks from digital intruders like hacker group Anonymous and China, which was named in a report this week as having successfully breached the security of some U.S. firms.

The digital networks that run the backbone of the information systems and networks of congressional staff and lawmakers are treasure troves of sensitive data for foreign intelligence services and independent hacker groups alike. Experts warn that Congress isn’t using the types of technology and security methods that could prevent sophisticated hacker attacks.

{mosads}A successful security breach on a congressional committee or lawmaker’s office network could yield information about U.S. military operations and the budget, draft legislation and policy memos, or upcoming hearing testimony from top government officials, according to security experts. By cracking into these networks, hackers could get a peek into future U.S. policymaking and the thinking of some of the country’s top decision-makers.

Foreign hackers would aim to use this valuable intelligence to get an economic, political or security advantage over the U.S., experts say.

Over the years, hackers have learned to bypass traditional security tools, like firewalls and network encryption, to gain access to sensitive networks by unleashing targeted cyberattacks on an employee’s laptop or another device, said Tom Kellermann, vice president of cybersecurity for security software firm Trend Micro.

Congress is “overly reliant on perimeter defenses that are ineffective in today’s targeted environment,” he warned.

“They lack their own appropriate levels of funding for technologies and manpower to deal with this properly,” Kellermann said. “A major corporation has more resources than they do.”

Top-ranking lawmakers and influential congressional committees, such as the Intelligence and Armed Services committees, are likely at the top of hackers’ target lists, security experts say.

Tapping into the computer systems and communications of the House and Senate Intelligence, Foreign Relations, Finance and Armed Services committees would be of particular interest to hackers because they handle critical data on the military, and ask agencies for highly sensitive information that is typically locked away from public view.

“I would be shocked if there wasn’t deep penetration of multiple committees and the FBI hadn’t already told them about it,” said Alan Paller, research director of the SANS Institute.

Even unclassified discussions about upcoming hearings and witness testimony from defense officials would provide valuable insight for cyber adversaries on the hunt for intelligence, Paller added.
 
In recent weeks, major U.S. companies like Facebook, Apple, Twitter, The New York Times and other media organizations have reported breaches on their computer networks. Computer security firm Mandiant on Tuesday revealed that an elite military unit of Chinese hackers based in Shanghai are likely behind a spate of successful cyberattacks against U.S. companies and the government.

The revelation about the elite Chinese hacker unit represents a broad shift in the way countries are waging war against one another and moving the battlefield to cyberspace.

“We used to do it with bombers and artillery shells, now they’re doing it with cyber warfare,” House Intelligence Committee Chairman Mike Rogers (R-Mich.) said at a conference earlier this month. Rogers has sounded alarm about the cyberattack capabilities of China, Russia, Iran and others.

The Senate Sergeant at Arms oversees the computer security of the upper chamber’s networks and Senate.gov email systems, while the House Information Resources unit for the Chief Administrative Officer provides cybersecurity for the lower chamber. Both offices declined to comment about the security measures they have in place or whether they’ve stepped up those measures in the wake of the recent hacker reports, presumably to keep hackers in the dark about the safeguards used to protect Congress’s computer networks.

“While many security measures are taken, we do not comment on what those are,” a spokesman for the Senate Sergeant at Arms said in an email.

Dan Weiser, a spokesman for the Chief Administrative Officer of the House, also declined to comment on the cybersecurity measures it has in place, but said House employees are trained on proper cyber hygiene annually.

“House employees take information security training on an annual basis,” said Weiser. “Other training and information is available to them as needed.”

Congressional committees take extra steps to secure sensitive data. A spokesman for the Senate Armed Services Committee, which handles classified information, said none of that critical data is stored on a computer system that’s hooked up to the Web.

“None of the classified information held by the committee is available on a computer that is connected to the Internet,” said the committee spokesman. “There is a way to send classified documents to the committee, but that system is managed by special arrangements as an extension of the classified network of the executive branch.”

Meanwhile, the Senate Homeland Security and Governmental Affairs Committee works with the Senate Sergeant at Arms when it comes to handling classified information.

Few hacker attacks on Congress have come to light in recent years.

LulzSec, a hacker group that is considered an offshoot of Anonymous, claimed it publicly posted internal data from the Senate’s public website in June 2011. Following that claim, the Senate Sergeant at Arms said an intruder gained unauthorized access to a public server that supports the Senate.gov website and that the information stored on that server is intended to be public. The Sergeant at Arms spokesman said the office took the opportunity to review its security posture after the incident.

Last May it was revealed that hackers had gained access to the personal information — including Social Security numbers and addresses — of roughly 123,000 federal employees who participate in the Thrift Savings retirement program. At a hearing this summer, then-Sen. Daniel Akaka (D-Hawaii) said 43 current and former members of Congress, himself included, were affected by the attack on the Federal Retirement Thrift Investment Board.

Additionally, Rep. Frank Wolf (R-Va.) reported that four computers in his personal office were compromised by an outside intruder in August 2006. Wolf said the attack stemmed from China and he believed his office was a target because of his ongoing criticism of the country’s human rights record.

Both the House and Senate networks have suffered breaches in the past, but the chambers’ cybersecurity professionals have notably stepped up their efforts to beef up Congress’s network security in the last couple years, according to James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies.

He said the security professionals on the Hill have paid closer attention to suspicious activity on the House and Senate networks, and worked on improving its authentication system so hackers impersonating congressional staffers are locked out.

“In the last year, they’ve put more effort into tightening things up,” Lewis said. “Once you get hacked, you get religion.”

“They have a lot of resources up there and they’re willing to spend,” he added.

Lewis said senators have previously told him about their office networks suffering security breaches. He noted that probing for Tibetan human rights activities has been another popular hacker activity spotted on congressional networks.

Despite these previous cyber incidents, Congress has failed to pass cybersecurity legislation. A comprehensive cybersecurity bill failed twice in the Senate last year after GOP members said it would apply burdensome new regulations on businesses.

President Obama issued a cybersecurity executive order last week amid the gridlock in Congress. The executive order intends to improve information sharing about cyber threats between government and industry and establish a framework of cybersecurity best practices that industry would elect to follow.

“[Lawmakers] know what the problem is. They just can’t get their act together politically,” Lewis said. “No one disputes there’s a problem, but the politics of the Hill get in the way of there being any solution.”

— Brendan Sasso contributed to this report.