In Congress, a call to review internal cybersecurity policies

By Ellen Nakashima and Carol D. Leonnig
Washington Post Staff Writer
Saturday, October 31, 2009

House leaders on Friday called for an "immediate and comprehensive assessment" of congressional cybersecurity policies, a day after an embarrassing data breach that led to the disclosure of details of confidential ethics investigations.

Speaker Nancy Pelosi (D-Calif.) and Minority Leader John A. Boehner (R-Ohio) said they had asked the chief administrative officer of the House to report back to them on the policies and procedures for handling sensitive data as a result of the breach. The inadvertent disclosure of a House ethics committee document, obtained by The Washington Post, summarized the status of investigations into lawmakers' activities on subjects such as influence peddling and defense lobbying.

"We are working diligently to provide the highest level of data security for the House in order to ensure that the operations of House offices are secure from unauthorized access," Pelosi and Boehner said in a statement.

The breach angered lawmakers who were the subject of the previously undisclosed investigations, and it raised questions about the security of other sensitive documents.

Rep. Gary Miller (R-Calif.), who was named in the document as under investigation because of his real estate dealings, said he was so upset about the breach that he complained Thursday evening about the matter to Rep. Zoe Lofgren (D-Calif.), chairman of the ethics committee, during roll-call votes.

"This is ridiculous and amateurish," he said, adding that he was unaware of any ongoing interest in the case.

Even as the House leadership sought answers -- and the ethics committee moved to review its security policies -- the newly disclosed document remained available on public file-sharing computer networks, according to security experts. As of Friday, it had been downloaded by users in Washington, New York, London and elsewhere.

The ethics committee operates in secrecy and has its own policy governing the handling of materials involving investigations. Under committee protocols, material generated by the panel is supposed to be stored in secure areas that are not accessible to anyone other than committee staff members. That goes for computer files and printouts of committee documents.

In the breach, the report was disclosed inadvertently by a junior committee staff member, who had apparently stored the file on a home computer with "peer-to-peer" software, congressional sources said. The popular software allows computer users to share music or other files and is easily available online. But it also allows anyone with the software on a computer to access documents of another user without permission, as long as the users are on a file-sharing network at the same time.

The staff member was fired this week. She told committee leaders she had saved a copy of the investigation summary to her personal computer without realizing it, a congressional source said, speaking on the condition of anonymity because of the sensitivity of the matter. The file was stored in a part of her computer files where peer-to-peer file-sharing software could operate, but she told the leaders that she did not realize that it was actively running.

The breach highlighted the risk of peer-to-peer technology. It has caused other breaches of sensitive financial, defense-related and personal data from government and commercial networks.

Over the past couple of years, documents relating to the Marine One presidential helicopter have been downloaded by at least one computer user in Iran; the personal data of thousands of Special Forces units have been downloaded by users in China and Pakistan; and documents on the Air Force's F-35 Joint Strike Fighter have been accessed by users in China and other countries, according to security experts. The latter breach was noted as early as 2005.

CONTINUED     1        >

© 2009 The Washington Post Company