By Ellen Nakashima and Carol D. Leonnig
Washington Post Staff Writer
Saturday, October 31, 2009
House leaders on Friday called for an "immediate and comprehensive assessment" of congressional cybersecurity policies, a day after an embarrassing data breach that led to the disclosure of details of confidential ethics investigations.
Speaker Nancy Pelosi (D-Calif.) and Minority Leader John A. Boehner (R-Ohio) said they had asked the chief administrative officer of the House to report back to them on the policies and procedures for handling sensitive data as a result of the breach. The inadvertent disclosure of a House ethics committee document, obtained by The Washington Post, summarized the status of investigations into lawmakers' activities on subjects such as influence peddling and defense lobbying.
"We are working diligently to provide the highest level of data security for the House in order to ensure that the operations of House offices are secure from unauthorized access," Pelosi and Boehner said in a statement.
The breach angered lawmakers who were the subject of the previously undisclosed investigations, and it raised questions about the security of other sensitive documents.
Rep. Gary Miller (R-Calif.), who was named in the document as under investigation because of his real estate dealings, said he was so upset about the breach that he complained Thursday evening about the matter to Rep. Zoe Lofgren (D-Calif.), chairman of the ethics committee, during roll-call votes.
"This is ridiculous and amateurish," he said, adding that he was unaware of any ongoing interest in the case.
Even as the House leadership sought answers -- and the ethics committee moved to review its security policies -- the newly disclosed document remained available on public file-sharing computer networks, according to security experts. As of Friday, it had been downloaded by users in Washington, New York, London and elsewhere.
The ethics committee operates in secrecy and has its own policy governing the handling of materials involving investigations. Under committee protocols, material generated by the panel is supposed to be stored in secure areas that are not accessible to anyone other than committee staff members. That goes for computer files and printouts of committee documents.
In the breach, the report was disclosed inadvertently by a junior committee staff member, who had apparently stored the file on a home computer with "peer-to-peer" software, congressional sources said. The popular software allows computer users to share music or other files and is easily available online. But it also allows anyone with the software on a computer to access documents of another user without permission, as long as the users are on a file-sharing network at the same time.
The staff member was fired this week. She told committee leaders she had saved a copy of the investigation summary to her personal computer without realizing it, a congressional source said, speaking on the condition of anonymity because of the sensitivity of the matter. The file was stored in a part of her computer files where peer-to-peer file-sharing software could operate, but she told the leaders that she did not realize that it was actively running.
The breach highlighted the risk of peer-to-peer technology. It has caused other breaches of sensitive financial, defense-related and personal data from government and commercial networks.
Over the past couple of years, documents relating to the Marine One presidential helicopter have been downloaded by at least one computer user in Iran; the personal data of thousands of Special Forces units have been downloaded by users in China and Pakistan; and documents on the Air Force's F-35 Joint Strike Fighter have been accessed by users in China and other countries, according to security experts. The latter breach was noted as early as 2005.
"There are other government files that are available on the networks," said Bernard Trest, president of ZapShares, a Toronto security firm that also helps prevent damaging peer-to-peer leaks. "Unfortunately, networks are being scoured by [computer users] in Iran, North Korea, China and Russia."
A congressional source said the ethics committee is considering prohibiting staff members from taking home particularly sensitive documents or saving them on personal computers. But the practical problem, the source said, is that many employees work long hours already and should be able to work at home.
Lofgren said the committee is mindful that human error ultimately can compromise any security procedures.
"Individual error and sloppiness is always the Trojan horse of cybersecurity," she said.
Barbara Boxer (D-Calif.), chairman of the Senate ethics panel, discussed the issue with committee staff members Friday, and "she feels comfortable that we have precautions in place to protect the committee's work," spokeswoman Natalie Ravitz said. Boxer also asked that staff members be reminded of the importance of confidentiality and security of information, Ravitz said.
File-sharing networks are made up of hundreds of millions of users who periodically log on and off, with 25 million or so being active at any moment. The typical user, when searching for files, will reach only a small portion of the users on the network -- from 30 to 3,000 people, depending on the connection strength.
A search on the word "meeting" may result in anything from a PTA meeting to an Iraqi operations meeting involving sensitive military details.
Rep. Edolphus Towns (D-N.Y.), chairman of the House Oversight and Government Reform Committee, is drafting legislation to protect sensitive government documents from public exposure through peer-to-peer technology.
"Unfortunately, this incident underscores the very urgent need to address the problems associated with peer-to-peer software," he said.
Towns was also mentioned in the disclosed document as having once been under scrutiny by the Office of Congressional Ethics for allegations he improperly received a Maryland homestead tax credit.
Staff writers Paul Kane and Ben Pershing and staff researcher Julie Tate contributed to this report.