Bill Seeks to Aid Senators in Protecting Personal DevicesSergeant at Arms Would Offer Assistance With Mitigating Risks
Legislation introduced last week would give the U.S. Senate's sergeant at arms responsibility to help secure the personal devices and online accounts used by senators and their staff to help ward off cyberattacks and other threats.
The bill, known as the "Senate Cybersecurity Protection Act of 2019," was introduced by senators Ron Wyden, D-Ore., and Tom Cotton, R-Ark., who both serve on the Intelligence Committee.
While there is not yet a similar bill pending in the House to provide members with similar services, backers of the Senate bill are urging the House to take up a similar measure.
The Senate bill would allow the sergeant at arms, who is already responsible for cybersecurity within the Senate, to provide voluntary cybersecurity assistance for personal accounts and devices to senators and certain staff members. This could include assistance with security for personal hardware, such as laptops, desktops, cell phones, tablets and other internet-connected devices, as well as personal accounts, including email, text messaging, cloud computing and social media as well as residential internet, healthcare and financial services, according to a summary.
The office of the sergeant at arms has argued that under current law, it cannot use public funds to protect and secure private, nongovernmental devices used by senators and their staffs. The office has also stated that it cannot offer advice or assistance about securing those devices, Wyden says.
"Hackers don't differentiate between the official and personal devices of elected officials and their staff," Wyden says in a statement. "The Senate doesn't have the luxury of ignoring the changing landscape of cyberattacks. No one should play politics when the future of U.S. democracy is on the line."
Wyden's office points to a warning from Google in 2018 that some senators and their staff were targets of foreign governments and that their devices and accounts were susceptible to hacking.
This warning prompted Wyden to write his own letter to Congressional leaders warning about hacking attempts. Additionally, the senator notes that his office determined the Russian-backed group Fancy Bear had targeted the personal accounts of Senate staffers.
Fancy Bear, which is also known by several other names, including APT28, is a group believed to have attempted to interfere with the 2016 presidential election. Special Counsel Robert Mueller recently submitted his report about Russian interference to the attorney general's office. The specifics of the Mueller report have not yet been released, but a summary of the findings confirms that a Russian-backed group attempted to hack the 2016 election and could try to do so again.
The new legislation is already drawing support from government watchdogs and the security industry.
The letters that Wyden has written show that the federal government needs to do more to secure devices and accounts, especially for staffers, as threats evolve, says Craig Holman, Ph.D., a government affairs lobbyist with Public Citizen, a nonprofit consumer advocacy group based in Washington.
Holman and Public Citizen are backing the Senate measure.
"Federal enforcement authorities have begun enhancing security measures around social media, but one glaring window of opportunity for foreign interference that remains wide open today are personal communication devices of members of Congress and their staff," Holman tells Information Security Media Group. "Senator Wyden has asked the Senate sergeant at arms if the office would be willing to spend some resources on training members and staff on how to protect their personal devices and to provide software and other technologies that could help ensure security, but the sergeant at arms felt it had no authority from Congress to do so for personal devices."
Because personal devices are prone to hacking, the proposed law would help with risk management, says Jake Williams, founder of Rendition Infosec, a security consultancy based in Augusta, Georgia.
The office of the sergeant at arms, he says, could recommend and provide mobile device management software for devices used by senators and their staffs.
"MDM won't necessarily prevent an attack, but it can minimize the impact," Williams tells ISMG. "The SSA [Senate sergeant at arms] would also likely be able to provide advice on which models of privately owned devices to purchase (and which to avoid)."
In addition to the proposed bill, Wyden and Cotton have sent a letter to the sergeant at arms asking for annual reports that would offer details about any Senate or staff devices that have been compromised.
The two senators also asked the sergeant at arms to send alerts about possible attacks and breaches to the Senate leadership as well as the committees on rules and intelligence within five days of discovering an incident.