A group of House Republicans could have created a field day for Russian and Chinese intelligence agencies when they stormed into a secure Capitol Hill room where their colleagues were taking impeachment testimony yesterday with their cellphones in tow.
The protest, which Republicans argued was intended to bring transparency into the probe into President Trump's Ukraine policy, violated the most basic cybersecurity protections technologists try to impose on the rooms where lawmakers receive and discuss classified information – basically giving insider access to any spy agency that had compromised a single lawmaker’s cellphone and could snoop through the camera or microphone.
“They may have brought in the Russians and the Chinese with their electronics … They violated our oath to protect national security by bringing electronics into that room,” said Rep. Eric Swalwell (D-Calif.), who was inside the Sensitive Compartmented Information Facility, or SCIF, at the time.
Mieke Eoyang, a former House Intelligence Committee staffer who managed meetings inside the same SCIF during the Obama administration, told me: “This is the kind of thing that, for people who work in national security, makes our hair stand on end.”
The protest demonstrated how rank-and-file lawmakers can be one of government’s biggest cybersecurity vulnerabilities.
Members of Congress are high-value targets for Russian and Chinese hackers who routinely go after their personal devices and email accounts, but lawmakers don't get any special protection for those devices and often don’t have enough training or savvy to protect them themselves.
Google, for example, informed an unspecified number of senators that foreign hackers were targeting their Gmail accounts last year.
“The likelihood that there has been an active campaign by foreign actors to infiltrate their devices is highly probable,” Steven VanRoekel, who was the government’s top IT official during the Obama administration, told me.
Despite that danger, efforts to mandate cybersecurity training for lawmakers or to add protections for their personal devices, pressed by Sen. Ron Wyden (D-Ore.) and others, have largely languished.
“My experience with members of Congress is unless they’re affirmatively taught how to be security conscious it doesn’t occur to them,” said Eoyang, who leads the Third Way think tank’s national security program. “They don’t realize what a target they are [for hackers].”
The approximately two dozen conservative lawmakers seemingly stormed their way into the SCIF before a guard could collect their personal devices. Once inside, the interlopers boasted about the invasion, seeming to tweet from inside the secure room, though they later said they were sending messages to staff who were doing the actual tweeting.
Here’s Rep. Matt Gaetz (R-Fla.), who led the effort:
**Tweet from Staff**— Rep. Matt Gaetz (@RepMattGaetz) October 23, 2019
And Rep. Mark Walker (R-N.C.):
Updates from staff outside the room.— Rep. Mark Walker (@RepMarkWalker) October 23, 2019
The Republicans mostly surrendered their devices once they were inside the SCIF, but some refused, Swalwell told reporters. That was contradicted, however, by Rep. Mark Meadows (R-N.C.), who was also in the room. The House Sergeant-at-Arms, who is responsible for the chamber’s cybersecurity and whose office collected the devices, declined to comment.
Swalwell serves on the House Intelligence Committee and Meadows is on the House Oversight Committee, two of three committees, along with Foreign Affairs, whose members were allowed into the closed-door session.
The Republican protesters, who don’t serve on any of those three committees, arrived at the SCIF right before testimony from Laura Cooper, a Pentagon official responsible for Ukraine policy, as my colleagues Elise Viebeck, Rachael Bade and Kayla Epstein reported. The fracas delayed Cooper’s testimony for five hours.
The dispute also shows how Trump-allied lawmakers are mimicking the president’s fast-and-loose approach to cybersecurity.
Trump has refused entreaties from cybersecurity staff to regularly swap out the cellphone he uses to tweet because he considers it too inconvenient, Politico has reported.
And his administration has devalued cybersecurity — even as intelligence agencies warn the digital threat is increasing from adversaries including Russia, China, Iran and North Korea.
The administration eliminated a White House cybersecurity coordinator position, which formerly led cross-government responses to major digital threats, and devalued a White House chief information security officer, or CISO, job.
At least a dozen top officials have fled from the CISO’s office, including highly talented career staff who date back to the Obama administration, Axios’s Alexi McCammond reported.
In many cases, those staff believe they’re being forced out, according to an exit memo, which Alexi obtained, from Dimitrios Vastakis, who resigned in October as branch chief of the White House computer network defense.
“The White House is posturing itself to be electronically compromised once again,” the memo warned.
Security experts were quick to slam the lawmakers who crashed the SCIF.
“If people in Congress who make the laws don’t follow the rules, why should anybody else?” Joel Brenner, former head of U.S. counterintelligence during the Obama administration, told me. “Foreign intelligence agencies make a living off people who think they’re too important to follow rules like this.”
Here’s John Schindler, a professor at the Naval War College and former NSA intelligence analyst:
The invasion of a SCIF by unauthorized persons isn't protest -- it's a Federal crime with serious #natsec implications. Lethal force is authorized to defend SCIFs. This isn't a joke. Next time Gaetz & his merry band of felons try this stunt, they should be ready for consequences.— John Schindler (@20committee) October 23, 2019
Former U.S. solicitor general Neal Katyal:
I’ve been in SCIFs a lot. The stupidest thing someone can do is bring an electronic device. You would lose your security clearance may even face criminal prosecution. If these reports are accurate, those remedies should be looked at. Foreign govts want to target SCIF all the time https://t.co/y8DlS9nLSl— Neal Katyal (@neal_katyal) October 23, 2019
And national security attorney Bradley P. Moss:
I had DOD security guards threaten to physically restrain me when I once forgot to take my phone out before I went into a secure facility.— Bradley P. Moss (@BradMossEsq) October 23, 2019
My wife, an FSO, once threatened WH staffers lacking proper paperwork with being removed by security when they refused to get approval.
There was also quick condemnation from Democratic lawmakers on Twitter.
Here’s Rep. Robin Kelly (D-Ill.), who serves on the House Oversight Committee:
And Rep. Ted Lieu (D-Calif.):
As a former prosecutor, I know that when the facts and law are not on your side, the defense attacks the process.— Ted Lieu (@tedlieu) October 23, 2019
It's no coincidence that Republicans disregarded all rules & norms by storming the SCIF to stop interviews the day after Ambassador Taylor's devastating testimony. https://t.co/wUPopOeSJz
PINGED, PATCHED, PWNED
PINGED: Lawmakers grilled Facebook CEO Mark Zuckerberg about the company's plan to adopt warrant-proof encryption across all its services yesterday, saying the protection will lead to more content exploiting children on the site.
“If you enact end-to-end encryption, what will become of the children who will be harmed as a result?” Rep. Ann Wagner (R-Mo.) asked, echoing concerns from Attorney General William P. Barr, who has pushed to make child exploitation the face of his crusade against encryption technology. Wagner cited statistics from the National Center for Missing and Exploited Children indicating that end-to-end encryption could reduce Facebook reporting of sexually exploitative content involving children by 70 percent.
Rep. Ben McAdams (D-Utah) also raised concerns about the technology, pointing out that Facebook's encrypted messaging app WhatsApp reported just a fraction as much exploitative child content as Facebook did.
Zuckerberg cited tools the site is using to identify exploitative material even when it's encrypted but acknowledged that child exploitation is “one of the risks ... among others to safety” that encryption could pose. Technologists generally say the dangers of strong encryption are outweighed by its benefits, chiefly that it prevents hacking.
The marathon six-hour hearing before the House Financial Services Committee was ostensibly about Facebook's planned digital currency Libra but frequently veered off topic.
PATCHED: The University of Southern California is launching a project to hold public election-security training conferences in all 50 states before the 2020 contest with $2.8 million in grant money from Google, The Cybersecurity 202 has learned. Some details of the program were shared in an email to school officials this week.
The project will be similar to an earlier series of trainings in six states that USC’s Annenberg Center on Communication Leadership and Policy did with the National Governors Association and will rely on faculty from across the six schools in the USC system as well as some outside experts.
The school’s goal is to tailor the workshops to each state’s needs and to fill in gaps left by other training programs offered by the Department of Homeland Security and state agencies. For example, the school may offer training in legal issues surrounding data protection or crisis communications after a digital attack, in addition to traditional cybersecurity training.
The workshops will all take place between January and October 2020 and the school may hold multiple workshops in some states if timing and funding allow.
PWNED: The House passed its third major election security bill yesterday in a 227-to-181 vote that basically broke along party lines. The White House has already condemned the bill, which would require campaigns to report foreign government contacts to the FBI and increase transparency guidelines for online political ads.
The bill will be particularly unpalatable for Trump, who has rejected traditional norms about not accepting campaign dirt from foreigners, saying he might look at information before deciding.
“Stopping Harmful Interference in Elections for a Lasting Democracy”/SHIELD Act would lead to over-reporting and “fruitless inquiries,” the White House said in a statement to Bloomberg News’s Jennifer Jacobs.
White House says it opposes passage of bill that would require campaigns to self-report foreign contact to FBI and FEC within a week.— Jennifer Jacobs (@JenniferJJacobs) October 23, 2019
“Stopping Harmful Interference in Elections for a Lasting Democracy”/SHIELD Act would lead to over-reporting and “fruitless inquiries,” WH says.
The bill also is unlikely to see a future in the Senate, where Majority Leader Mitch McConnell (R-Ky.) has staunchly opposed any new election security mandates. Sen. Amy Klobuchar (D-Minn.) tried to introduce a Senate version of the bill yesterday but Sen. Marsha Blackburn (R-Tenn.) blocked the attempt.
Are you tired of cybersecurity news articles with stock images of glowing keyboards and shadowy guys in hoodies? So’s the William and Flora Hewlett Foundation, which ran a contest for new cybersecurity art that publications can run without any copyright restrictions. Here are a few images from the five winning designers announced this morning.
Here's one from Abraham Pena of Doral, Fla.:
Here's another from Claudio Rousselon of Cancun, Mexico:
This is from Afsal CMK of Karnataka, India:
And here's a final one from Ivana Troselj of Canberra, Australia. (Hey, that's not a very cozy bear):
- The Cybersecurity Coalition, the Cyber Threat Alliance, and the National Security Institute at George Mason University’s Antonin Scalia School of Law will host the third annual CyberNextDC policy day in Washington on Thursday.