Hackers are continuing to break into the Senate websites, following up last weekend’s intrusion with a similar one Tuesday evening, according to the Senate Sergeant-at-Arms’s office.
Senate.gov has seen “an uptick in intrusion attempts” since the weekend hack became public, SAA information technology security staff wrote in a Tuesday night email obtained by Roll Call and addressed to high-level Senate staffers and systems administrators.
“In a manner similar to the intrusion last weekend, an attacker was able to gain limited access to senate.gov through a vulnerability in one office’s website,” the email stated. “We have notified the office and its website developer, and the vulnerable code has been removed.”
Though SAA said the hackers did not gain access to the main Senate network, the security office said it is stepping up monitoring to prevent such attacks and is urging Member offices to ensure their individual sites are secure.
The hacker group Lulz Security, which has recently attacked the websites of Sony and the Public Broadcasting Service, claimed credit for the weekend hack, posting what appears to be a long string of HTML Web programming code copied from the Senate site to its own website. Reuters first reported the incident.
It is unclear whether the same group is responsible for Tuesday’s attack, Deputy Senate-Sergeant-at-Arms Martina Bradford said in an interview Tuesday. The group has not posted another cache on its website.
Bradford said the chamber’s security team has been able to stay ahead of the hackers and keep them out of the main Senate network, but it must still work on getting offices to “be a little bit more savvy” when updating their websites.
“These folks are always out there, people trying to hack networks have been out there as long as networks have existed,” she said. “I’m sure you haven’t heard the last of them.”
In Congressional testimony last year, Senate Sergeant-at-Arms Terrance Gainer said the networks of Congress and executive branch agencies were probed or attacked an average of 1.8 billion times per month last year. But the latest incidents are unsettling Members, especially those who deal with technology and security issues.
Senate Homeland Security and Governmental Affairs ranking member Susan Collins issued a statement Tuesday morning, saying the weekend attack points to the need for comprehensive cybersecurity legislation, similar to a bill that she recently introduced.
“Cyber crime costs our national economy billions annually,” the Maine Republican said in the statement. “Congress needs to fundamentally reshape how the federal government works collaboratively with the private sector to address all cyber threats, from espionage and cyber crime to attacks on the most critical infrastructure.”
House Administration Chairman Dan Lungren said the issue underscores the fact that Members are targets and must be continually vigilant with their technology, whether it be a website or a BlackBerry.
“You’ve got to understand why it’s important for us to have protection 24 hours a day. … We’ve got a whole unit on that,” the California Republican said. “You have to disabuse Members of the notion that, ‘Look, why would anyone hack into my stuff, hack into my personal stuff?”
Rep. Phil Gingrey, chairman of the House Administration Subcommittee on Oversight, said he wants to talk to Lungren about holding hearings on the issue.
“What worries me more than anything, more than some kid in a basement that’s a computer geek, is the state-sponsored hacking, where they’re data-mining and trying to get classified information,” the Georgia Republican said. “We’re concerned about it and likely will do something.”
Similarly, Rep. Jason Chaffetz (R-Utah), appointed by Speaker John Boehner (R-Ohio) earlier this year to head a House technology modernization effort, said the hack is inexcusable and is going to be an ongoing problem.
Complicating the matter is that Members from both chambers employ scores of vendors to create their official websites, which are all hosted on house.gov or senate.gov servers.
“There are outside vendors. Members have flexibility and that’s a good thing,” Chaffetz said. “But on the other side, they’re not getting the same type of attention on the cybersecurity front.”
He said he will ask the chamber’s security officials to brief his technology group on their efforts to rebuff these kinds of attacks.
“I’d like to have people who run the websites and networks explain from their perspective where the vulnerabilities are and what they’re going to do to make sure this will be prevented in the future,” Chaffetz said. “If someone was in here busting in doors breaking into someone’s office, we’d be outraged. We should have the same kind of outrage.”