Take a look at the security headlines, and you'll see report after report of businesses and large organisations being hacked. Sensitive databases are accessed, passwords are stolen, email archives are plundered, innocent people are put at risk and corporations get a kick up the backside that they need to take security more seriously.
But what you don't tend to hear about are hacks of computer systems belonging to the US Congress. In fact, aside from the LulzSec hacking gang's defacement of the Senate's website in 2011, the last time a breach of congressional computers was publicly disclosed was in March 2009, when then-Senator Bill Nelson revealed computers in his office had been attacked three times in the previous month and that one of his office's PCs was "talking to a computer in some international arena."
Federal agencies and companies are required by law to disclose breaches, but Congress is under no such obligation -- meaning that the public may have no idea that their political representatives have been hit. This is despite an admission at a hearing in 2017 that "the Senate is considered a prime target for cybersecurity breaches."
Now, two senators -- Democrat Ron Wyden and Republican Tom Cotton -- think it's time for the secrecy to end. Wyden and Cotton, both members of the US Senate Intelligence Committee, make their case for transparency in an open letter:
During the last decade, hackers have successfully infiltrated U.S. government agencies including the Office of Personnel Management, health care firms such as Anthem, and technology giants like Google. Hackers continue to target all manner of government entities, and there is little doubt that Congress is squarely in their sights. We believe that the lack of data regarding successful cyber attacks against the Congress has contributed to the absence of debate regarding congressional cybersecurity - this must change. Each U.S. Senator deserves to know, and has a responsibility to know, if and how many times Senate computers have been hacked, and whether the Senate’s existing cybersecurity measures are sufficient to protect both the integrity of this institution and the sensitive data with which it has been entrusted.
The letter further calls upon the Senate to produce an annual report detailing the number of times hackers have managed to compromise Senate computers and phones and when sensitive data has been accessed. In addition, Senate Sergeant at Arms Michael Stenger is asked to inform the Senate committees on Rules and Intelligence about any cybersecurity breaches within five days of their discovery.
If nothing else, more transparency about hacks involving the US Congress would help to keep cybersecurity in the minds of politicians and may better inform their understanding of the scale of the problem. The two senators acknowledge in the letter that some information about hacking attacks may need to remain confidential because of its sensitive nature or because an investigation is ongoing.
Senator Ron Wyden is certainly no stranger to raising issues around computer security, having previously raised concerns about a variety of topics including federal government employees using foreign VPNs, the US government's reliance on Adobe Flash and the State Department's poor adoption of multi-factor authentication.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.