Skip to content

McCaskill Staff Dodges Hack but Hill Security Still Lags

Staff thwarted the hack, but training isn’t mandatory

Sen. Claire McCaskill, D-Mo., speaks at a press conference in the Capitol Thursday July 19, 2018. (Sarah Silbiger/CQ Roll Call file photo)
Sen. Claire McCaskill, D-Mo., speaks at a press conference in the Capitol Thursday July 19, 2018. (Sarah Silbiger/CQ Roll Call file photo)

When Russian hackers targeted Sen. Claire McCaskill’s office, staffers did not take the bait.

That could mean the money Congress poured into improved training and a more robust information security posture for staff is working. But the legislative branch is still playing catch up to get ahead of threats.

McCaskill’s staff may have been better prepared than others on Capitol Hill. She has advocated improved information security fluency and, as the top Democrat on the Senate Homeland Security and Governmental Affairs Committee, she has pushed for a more robust information security workforce.

The House mandated information security training for all employees in early 2015. All staffers who have a House network username and password must complete annual training.

In the Senate, there is no equivalent requirement. Sessions on awareness best practices are offered to member offices, committee staff and staffers working in state offices. Sergeant-at-Arms Michael Stenger said in May the SAA had hosted 52 cyber awareness seminars since the start of 2017.

Lawmakers boosted funding for Senate Sergeant-at-Arms efforts in fiscal 2018 to bolster Senate networks and protect users by $12.5 million and added $4 million for Senators’ office accounts focused on office and staff-level measures.

There are thousands of users with access to the Senate networks, but policies vary between offices. Staffers eager to use dynamic technology, like Dropbox and Google Docs, often bring network users from outside of the established security framework. That makes development and enforcement of a blanket security policy an added challenge. 

“The system is only as good as the people that are using it,” said Stenger.

As chief law enforcement officer of the Senate, the Sergeant-at-Arms office is charged with maintaining security in the Capitol, including all computer and technology support services for the Senate.

At a May hearing on the SSA’s budget request for the coming year, Stenger told lawmakers technical solutions, such as firewalls, anti-spyware, and anti-virus aide in protecting Senate data, but humans are still the key.

“End-users are still the first and most effective line of defense for protecting the security of sensitive information,” Stenger said.

Staffers are the primary end users in the Senate. They comprise more than 20,000 employees, a work pool that churns with interns, short-term employees and staffers switching jobs, all of whom have access to congressional networks.

The hacking attempt on McCaskill reportedly came in the form of a phishing attack, in which the target would receive an email to change his or her password, leading them to a malicious site that mirrored the legitimate Senate login page. The Daily Beast reported the tactic was similar to one successfully implemented by Russian hackers when they hacked into the Democratic National Committee in 2016.

“Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable,” said McCaskill in a statement. “While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated.”

Even basic steps to protect sensitive information are not yet standard practice on Capitol Hill.

Senate Appropriators in 2017 requested the SAA’s office provide a report to the panel on the cost of implementing a multifactor authentication system for Senate staff. The lack of two-factor authentication to that point is evidence the Senate has lagged behind the private sector and other federal entities in cyber protections.

The request said the Senate should meet the same standards mandated of federal agencies in Homeland Security Presidential Directive 12, which was issued by President George W. Bush in 2004 to set a standard for secure and reliable identity authentication.

Bridget Bowman contributed to this report.

Recent Stories

Latest Biden, Harris pitch to Black voters slams Trump in crucial battleground

House Ethics forms subpanel to probe Cuellar’s alleged bribery scheme

Alito rejects requests to step aside from Trump-related cases

Capitol Ink | Aerial assault

Auto parts suppliers fear a crash with shift to EVs

As summer interns descend on the Hill, this resource office is ready