“This configuration is decidedly more secure than before, and will help the OOC protect the identities and information of victims,” Wyden wrote to Barbara Childs Wallace, head of the OOC’s Board of Directors.
Hacked details about sexual-harassment cases would be explosive on Capitol Hill, where the #MeToo movement has ended the careers of several lawmakers accused of misconduct by staff or others. Tasked with adjudicating employment cases in the legislative branch, the OOC releases almost no data to the public about its work, which includes facilitating taxpayer-funded settlements between lawmakers and accusers.
Though the office has been under scrutiny since last fall, its approach to cybersecurity was not previously known. OOC Deputy Executive Director Paula Sumberg declined to comment via email.
A wave of news coverage since last fall has shed some light on the OOC’s operations. Still, the identities of most lawmakers involved in workplace settlements have not been revealed publicly.
Members of Congress have spent $17.2 million in public funds to settle employment complaints in the past 20 years.
Wyden pointedly criticized the OOC’s system in his Feb. 23 letter, accusing the office of concealing its use of an insecure server and failing to implement even “rudimentary defensive network-security best practices” to protect its data.
“The OOC’s astonishingly lax security measures provide the means for hostile actors to access, modify, delete, or disseminate embarrassing and compromising information about legislative branch staff who have reported incidents of sexual harassment,” he wrote.
It is “inconceivable,” he added, that the OOC would “watch as other federal government institutions were systematically targeted by foreign intelligence agencies and decide that it did not need to take even the most rudimentary steps to protect itself and the sensitive data which has been entrusted to it.”
It was not clear whether the OOC was under pressure from other senators to improve its cybersecurity practices. The Library of Congress is technically responsible for the office’s technology, Wyden wrote; a spokeswoman for the Library, Gayle Osterberg, said that role had not included cybersecurity.
Wyden, the ranking Democrat on the Senate Finance Committee, wrote that the Library of Congress’s chief information security officer did not know about the OOC’s server issue until the office briefed his staff in mid-December. His staff told congressional leaders about the situation after the briefing, he wrote.
This story has been updated.