Foreign government hackers are continuing their assault on the personal email accounts used by lawmakers and congressional staff — and cybersecurity experts are warning that Congress is ill-equipped to deal with the problem.
The issue got fresh attention last week, when Sen. Ron Wyden (D-Ore.) revealed — and Google later confirmed — that an unspecified number of senators’ and Senate staff members’ private email accounts were targeted by foreign hackers, as my colleague Karoun Demirjian reported. In a letter to Senate leadership, Wyden said the Senate sergeant-at-arms, the chamber’s main cybersecurity authority, wouldn’t assist them because the cyberattacks didn’t involve official accounts or devices.
The threats against personal accounts are well known. The major hacks of Democratic officials during the 2016 election involved nonofficial email accounts, and officials as high-ranking as White House Chief of Staff John F. Kelly have had their personal accounts compromised. But Congress hasn't acted to safeguard its own members' and staffers' personal accounts, despite intelligence officials' warnings that foreign adversaries are still trying to disrupt U.S. politics.
The risk that hackers will steal or leak information only increases the longer lawmakers wait to secure their personal accounts, said Daniel Schuman, co-founder of the Congressional Data Coalition, which seeks to improve the way Congress stores and shares information online.
“As long as congressional information remains insecure, people will continue to use it to try to influence the political process,” said Schuman, a former congressional staffer who also serves as policy director at the left-leaning group Demand Progress, where he focuses on technology issues. “It undermines the ability of Congress to function and it makes all the committees and all the work of lawmakers and staff vulnerable to people who use it for bad purposes.”
Hacks of personal accounts could glean valuable bounties such as contact lists or access to private conversations. That kind of information is especially appetizing for a foreign government, Schuman told me. “If you want to understand what’s happening in American politics and you want to have influence, you want to understand the formal and informal networks in which the officials engage,” he said. “The line between ‘Come over for a dinner party’ and ‘Let’s talk business’ isn’t all that great.”
And it extends beyond just email, Schuman added. Other accounts on services such as LinkedIn, Facebook, Instagram or Amazon all contain “treasure troves” of information that hackers can exploit.
Congress is underestimating the threat, experts warn. Hackers may have a greater incentive to go after personal accounts than official accounts because people treat them as if they're not targets, reusing passwords, for example, or neglecting to enable two-factor authentication, said Thomas Rid, a security studies professor at Johns Hopkins University. That makes them “high-value, low-hanging” prizes for foreign hackers, he wrote in a letter to Wyden last week.
“No rules, no regulations, no funding streams, no mandatory training, no systematic security support is available to secure these resources,” Rid told Wyden, saying there’s an “urgent” need to increase the security of lawmakers’ personal accounts and devices. “With no one forcing them to improve their personal cybersecurity and little expert assistance available, it’s unsurprising that many elected officials have bad personal cybersecurity.”
Wyden says he wants to introduce legislation that would allow the sergeant-at-arms to provide assistance to senators and staffers for their personal devices and accounts “to keep up with changing world realities.”
And there are other ways to address the problem that stop short of legislation. Formal training could go a long way toward helping lawmakers and staff lock down their personal accounts, Schuman said. He also proposed a “gold standard” that would rank congressional offices' cyber hygiene. Another option: Congress could outfit itself with hardware security keys such as YubiKeys, which produce a fresh one-time code or cryptographic response for each login instead of relying on a reusable password, so a credential captured by phishing or a password leak cannot be replayed.
“In an ideal world, the Sergeant at Arms could just have a pile of YubiKeys,” security researcher Matt Tait told the Associated Press. “When legislators or staff come in they can (get) a quick cybersecurity briefing and pick up a couple of these for their personal accounts and their official accounts.”
You are reading The Cybersecurity 202, our newsletter on cybersecurity policy news.
PINGED: “A Latvian computer programmer was sentenced to 14 years in prison for designing a program that helped hackers improve malware — including some used in the 2013 Target breach,” The Washington Post's Rachel Weiner reported Friday. “Ruslan Bondars, a 37-year-old Latvian citizen, was found guilty at a May trial in Alexandria federal court, during which a co-conspirator revealed the pair had worked with Russian law enforcement. Hackers used their ‘Scan4You’ program to see if anti-virus programs would identify their software as malicious; it could be adapted into malware kits sold to cybercriminals. Bondars argued there are legal uses for the product and he was not responsible for when it was used illegally.”
A user of Scan4You carried out the 2013 Target breach in which credit card information from about 40 million customers was stolen, Rachel reported. “Bondars’s product was not actually used to help get into Target’s system or steal the information, according to court testimony,” my colleague wrote. “An expert from Verizon who helped investigate the hack said the files tested in Scan4You were likely used to figure out where payment information was stored.” According to court documents, Bondars used malware to get people to buy anti-virus that they didn't need. However, he was not charged with direct involvement in hacking, my colleague reported.
PATCHED: Kathy Rogers, vice president of the election equipment vendor Election Systems & Software, said about 300 voting jurisdictions received remote-access software for their election-management systems so the company could provide technical support, NPR's Miles Parks reported Friday. Experts have warned that such software could be vulnerable to hacking, according to NPR. Rogers “added that it wasn't installed by the company after 2007, and stressed that it was never installed on machines that voters used to cast their ballots,” Parks wrote. “The software was instead used on election-management systems, which are housed in county offices. While the systems don't record voters' votes, they are sometimes used to program voting machines and to aggregate and report final results.”
Amid concerns about election security and mounting scrutiny of voting equipment vendors, the company says it is strengthening the security of its systems. “The company's new security chief, Chris Wlaschin, says ES&S will soon become the first election vendor to install an Albert sensor, which many governments use to monitor cyber threats and share information with the Department of Homeland Security,” Parks wrote. “The company now also requires two-factor authentication for elections officials who access the company's systems. Wlaschin also directly said the company has not been successfully attacked at any point in the past.”
PWNED: While many hackers continue to use aliases to maintain privacy, others increasingly use their real names as they reach prominent positions or for professional reasons, the New York Times's Stephen Hiltner reported Saturday. Among the hackers the Times spoke with at the Def Con conference in Las Vegas are Neil Wyler, whose alias is Grifter, and Nico Sell; the Times notes that it is not known whether Nico Sell is actually her real name.
“Many longtime hackers, like Ms. Sell and Mr. Wyler, have been drawn into the open by corporate demands, or have traded their anonymity for public roles as high-level cybersecurity experts,” Hiltner wrote. “Others alluded to the ways in which a widespread professionalization and gamification of the hacking world — as evidenced by so-called bug bounty programs offered by companies like Facebook and Google, which pay (often handsomely) for hackers to hunt for and disclose cybersecurity gaps on their many platforms — have legitimized certain elements of the culture.”
Another hacker, 30-year-old Philippe Harewood, uses his real name as part of his activity but still maintains an alias. “He is currently ranked second on Facebook’s public list of individuals who have responsibly disclosed security vulnerabilities for the site in 2018,” Hiltner wrote. “And while he maintains an alias on Twitter (phwd), a vast majority of his hacking work is done under his real name — which is publicized on and by Facebook. He also maintains a blog (again, under his real name) where he analyzes and discusses his exploits.”
— Most county and municipal jurisdictions are not taking advantage of a range of free cybersecurity tools to help them secure elections, BuzzFeed News's Kevin Collier reported Sunday. “The Department of Homeland Security offers an election-specific version of its threat-sharing program, called EI-ISAC, to anyone who wants it, and has done a number of outreach events around the country in recent months to promote it,” Collier wrote. “All 50 state governments have joined, but county and local governments participating only number about 1,100.”
— “Half of private companies are poaching top cyber talent from the government as federal employees look for higher pay and stronger leadership, according to a new survey from cybersecurity professional association (ISC)2,” Nextgov's Aaron Boyd reported Friday. “The survey of 250 U.S. cyber professionals showed that 50 percent were able to lure federal employees to the private sector, with the biggest factor being pay. A previous (ISC)2 study released in January showed private-sector cybersecurity professionals tend to be motivated more by mission and leadership buy-in than salary, while the opposite holds true in the public sector.”
— “Twitter said Friday it has patched a bug that could have shared users' private messages with software developers outside of the company,” CNBC's Salvador Rodriguez and Sara Salinas reported. “The issue is estimated to have impacted less than 1 percent of Twitter's total user base, which includes 335 million monthly active users as of July. The company has hundreds of partner developers.”
- Two Senate Armed Services subcommittees hold a hearing on the Defense Department's “cyber operational readiness” on Wednesday.
- A House Energy subcommittee holds a hearing on the Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response on Thursday.