The Washington Post
Democracy Dies in Darkness

The Cybersecurity 202: SCIF fight shows lawmakers can be their own biggest cybersecurity vulnerability

with Tonya Riley

THE KEY

A group of House Republicans could have created a field day for Russian and Chinese intelligence agencies when they stormed into a secure Capitol Hill room where their colleagues were taking impeachment testimony yesterday with their cellphones in tow.

The protest, which Republicans argued was intended to bring transparency to the probe into President Trump's Ukraine policy, violated the most basic cybersecurity protections technologists try to impose on the rooms where lawmakers receive and discuss classified information – basically giving insider access to any spy agency that had compromised a single lawmaker’s cellphone and could snoop through the camera or microphone.

“They may have brought in the Russians and the Chinese with their electronics … They violated our oath to protect national security by bringing electronics into that room,” said Rep. Eric Swalwell (D-Calif.), who was inside the Sensitive Compartmented Information Facility, or SCIF, at the time.

Mieke Eoyang, a former House Intelligence Committee staffer who managed meetings inside the same SCIF during the Obama administration, told me: “This is the kind of thing that, for people who work in national security, makes our hair stand on end.” 

The protest demonstrated how rank-and-file lawmakers can be one of government’s biggest cybersecurity vulnerabilities.

Members of Congress are high-value targets for Russian and Chinese hackers who routinely go after their personal devices and email accounts, but lawmakers don't get any special protection for those devices and often don’t have enough training or savvy to protect them themselves.

Google, for example, informed an unspecified number of senators last year that foreign hackers were targeting their Gmail accounts.

“The likelihood that there has been an active campaign by foreign actors to infiltrate their devices is highly probable,” Steven VanRoekel, who was the government’s top IT official during the Obama administration, told me.

Despite that danger, efforts to mandate cybersecurity training for lawmakers or to add protections for their personal devices, pressed by Sen. Ron Wyden (D-Ore.) and others, have largely languished.

“My experience with members of Congress is unless they’re affirmatively taught how to be security conscious it doesn’t occur to them,” said Eoyang, who leads the Third Way think tank’s national security program. “They don’t realize what a target they are [for hackers].”

The approximately two dozen conservative lawmakers seemingly stormed their way into the SCIF before a guard could collect their personal devices. Once inside, the interlopers boasted about the invasion, seeming to tweet from inside the secure room, though they later said they were sending messages to staff who were doing the actual tweeting.

Here’s Rep. Matt Gaetz (R-Fla.), who led the effort:

And Rep. Mark Walker (R-N.C.):

The Republicans mostly surrendered their devices once they were inside the SCIF, but some refused, Swalwell told reporters. That was contradicted, however, by Rep. Mark Meadows (R-N.C.), who was also in the room. The House Sergeant-at-Arms, who is responsible for the chamber’s cybersecurity and whose office collected the devices, declined to comment.

Swalwell serves on the House Intelligence Committee and Meadows is on the House Oversight Committee, two of three committees, along with Foreign Affairs, whose members were allowed into the closed-door session.

The Republican protesters, who don’t serve on any of those three committees, arrived at the SCIF right before testimony from Laura Cooper, a Pentagon official responsible for Ukraine policy, as my colleagues Elise Viebeck, Rachael Bade and Kayla Epstein reported. The fracas delayed Cooper’s testimony for five hours.

The dispute also shows how Trump-allied lawmakers are mimicking the president’s fast-and-loose approach to cybersecurity.

Trump has refused entreaties from cybersecurity staff to regularly swap out the cellphone he uses to tweet because he considers it too inconvenient, Politico has reported.

And his administration has devalued cybersecurity — even as intelligence agencies warn the digital threat is increasing from adversaries including Russia, China, Iran and North Korea.

The administration eliminated a White House cybersecurity coordinator position, which formerly led cross-government responses to major digital threats, and devalued a White House chief information security officer, or CISO, job.

At least a dozen top officials have fled from the CISO’s office, including highly talented career staff who date back to the Obama administration, Axios’s Alexi McCammond reported.

In many cases, those staff believe they’re being forced out, according to an exit memo from Dimitrios Vastakis, who resigned in October as branch chief of the White House computer network defense, and which Alexi obtained.

“The White House is posturing itself to be electronically compromised once again,” the memo warned.

Security experts were quick to slam the lawmakers who crashed the SCIF.

“If people in Congress who make the laws don’t follow the rules, why should anybody else?” Joel Brenner, former head of U.S. counterintelligence during the Obama administration, told me. “Foreign intelligence agencies make a living off people who think they’re too important to follow rules like this.”

Here’s John Schindler, a professor at the Naval War College and former NSA intelligence analyst:

Former U.S. solicitor general Neal Katyal:

And national security attorney Bradley P. Moss:

There was also quick condemnation from Democratic lawmakers on Twitter.

Here’s Rep. Robin Kelly (D-Ill.), who serves on the House Oversight Committee:

And Rep. Ted Lieu (D-Calif.):

PINGED, PATCHED, PWNED

PINGED: Lawmakers yesterday grilled Facebook CEO Mark Zuckerberg about the company's plan to adopt warrant-proof encryption across all its services, saying the protection will lead to more content exploiting children on the site.

“If you enact end-to-end encryption, what will become of the children who will be harmed as a result?” Rep. Ann Wagner (R-Mo.) asked, echoing concerns from Attorney General William P. Barr, who has pushed to make child exploitation the face of his crusade against encryption technology. Wagner cited statistics from the National Center for Missing and Exploited Children that end-to-end encryption could reduce Facebook reporting of sexually exploitative content involving children by 70 percent.

Rep. Ben McAdams (D-Utah) also raised concerns about the technology, pointing out that Facebook's encrypted messaging app WhatsApp reported just a fraction as much exploitative child content as Facebook did.

Zuckerberg cited tools the site is using to identify exploitative material even when it's encrypted but acknowledged that child exploitation is “one of the risks ... among others to safety” that encryption could pose. Technologists generally say the dangers of strong encryption are outweighed by its benefits, chiefly that it prevents hacking. 

The marathon six-hour hearing before the House Financial Services Committee was ostensibly about Facebook's planned digital currency Libra but frequently veered off topic.

PATCHED: The University of Southern California is launching a project to hold public election-security training conferences in all 50 states before the 2020 contest with $2.8 million in grant money from Google, The Cybersecurity 202 has learned. Some details of the program were shared in an email to school officials this week.

The project will be similar to an earlier series of trainings in six states that USC’s Annenberg Center on Communication Leadership and Policy did with the National Governors Association and will rely on faculty from across the six schools in the USC system as well as some outside experts.

The school’s goal is to tailor the workshops to each state’s needs and to fill in gaps left by other training programs offered by the Department of Homeland Security and state agencies. For example, the school may offer training in legal issues surrounding data protection or crisis communications after a digital attack, in addition to traditional cybersecurity training.

The workshops will all take place between January and October 2020 and the school may hold multiple workshops in some states if timing and funding allow.

PWNED: The House passed its third major election security bill yesterday in a 227-to-181 vote that basically broke along party lines. The White House has already condemned the bill, which would require campaigns to report foreign government contacts to the FBI and increase transparency guidelines for online political ads.

The bill will be particularly unpalatable for Trump, who has rejected traditional norms about not accepting campaign dirt from foreigners, saying he might look at information before deciding.

The “Stopping Harmful Interference in Elections for a Lasting Democracy” Act, or SHIELD Act, would lead to over-reporting and “fruitless inquiries,” the White House said in a statement to Bloomberg News’s Jennifer Jacobs.

The bill also is unlikely to see a future in the Senate, where Majority Leader Mitch McConnell (R-Ky.) has staunchly opposed any new election security mandates. Sen. Amy Klobuchar (D-Minn.) tried to introduce a Senate version of the bill yesterday but Sen. Marsha Blackburn (R-Tenn.) blocked the attempt.

Here's more from The Hill's Maggie Miller.

PUBLIC KEY

— Cybersecurity news from the public sector:

Trump Officials Battle Over Plan to Keep Technology Out of Chinese Hands (New York Times)

WSJ News Exclusive | Senators Ask FTC to Investigate Amazon Over Capital One Hack (Wall Street Journal)

DHS is mulling an order that would force agencies to set up vulnerability disclosure programs (CyberScoop)

China Has ‘Concerning’ Leads Over U.S. in Tech, Defense Department Official Says (Wall Street Journal)

How the Air Force upgraded cyber testing for weapons systems (Federal Computer Week)

House Committee Advances Bill to Expand DHS Cyber Monitoring Program (Nextgov)

PRIVATE KEY

— Cybersecurity news from the private sector:
Comcast Is Lobbying Against Encryption That Could Prevent it From Learning Your Browsing History (Vice)

Global caution over 5G puts pressure on Nokia (Jari Tanner | AP)

Huawei and Sunrise co-build 5G research centre in Switzerland (ZDNet)

Google Claims Breakthrough in Quantum Computing (Wall Street Journal)

THE NEW WILD WEST

— Cybersecurity news from abroad:

Czechs unlikely to differ from Germany on Huawei approach: minister

Swedish police cleared to deploy spyware against crime suspects (ZDNet)

ZERO DAYBOOK

— Today:

  • The Cybersecurity Coalition, the Cyber Threat Alliance, and the National Security Institute at George Mason University’s Antonin Scalia School of Law will host the third annual CyberNextDC policy day in Washington on Thursday.