Senators want to fix what they’re calling a “double standard” between how physical and cyber security are handled by the Senate Sergeant-at-Arms.
At a Legislative Branch Appropriations subcommittee hearing Wednesday, Sen. Christopher S. Murphy pressed Senate Sergeant-at-Arms Michael Stenger on threats to lawmakers and staff’s personal digital devices, including smartphones.
“Senator Van Hollen and I have been in a couple of briefings in the last few weeks that I think left all us more concerned and more worried than we already were about the threats to our personal devices. And has left me more befuddled as to why we don’t just simply include these devices under the umbrella of what is protected by the services that you offer,” he told Stenger, referring to himself and Maryland Democrat Chris Van Hollen.
The SAA’s office is in charge of many of the technology support services in the Senate, and it offers regular cyber awareness training to staff in lawmakers’ offices, on committees and in their home states. But the SAA is not involved in securing personal devices for lawmakers or Senate staffers.
Flashback: Quantum computing, deepfakes and machine learning, Oh my!
Stenger said that a working group on the issue has convened and came up with five options to move forward, ranging from “status quo with enhancements” to more significant changes to policy, funding and contracting.
He said the SAA is already working toward implementing the enhancements to the status quo, including proactive trainings for staff about cybersecurity awareness. One hundred percent of Senate staff completed cybersecurity training last year, according to Stenger’s testimony.
“As you take the step up, there would be incremental increases budgetary wise,” he told the panel.
Murphy said he was ready to invest in protection of personal devices.
“I simply think it’s time to apply the same standard we do to personal physical security to cyber security, understanding that that may take changes to statute, changes to rules and changes in appropriations,” he said.
He compared the experience of a lawmaker under threat to their physical security to the response from SAA when a lawmaker faces cyber threats on their personal devices.
“I think we have a double standard today. I think that when there is a threat to our personal security that is serious enough for around the clock protection, we get it. Really, no questions asked,” he said. “We don’t recognize that same standard when it comes to our cybersecurity. If there is a threat to our personal devices, we still tell members they have to deal with that on their own time with their own budget.”
Murphy’s concern echoed those raised last week by Democratic Senator Ron Wyden of Oregon, and Arkansas Republican Tom Cotton, both members of the Senate Intelligence panel. The pair introduced a bill that would allow the Senate Sergeant-at-Arms to provide “voluntary cybersecurity assistance” to lawmakers and certain Senate staff to secure accounts and personal devices. The measure would authorize the SAA to use official Senate funds to secure personal accounts.
The SAA has previously stated that it is “prohibited from using public funds to help protect non-government issued devices and accounts.” The new proposal aims to clear away statutory restrictions that have kept the SAA from assisting staff and lawmakers with securing personal devices.
“Our enemies will take advantage of every opportunity to undermine our democracy, and the personal devices of Senators and their staff are no exception. As the threat of cyber-attacks continues to grow, so must our ability to defend against them,” Cotton said in a statement.
The sponsors point to Russian interference in the 2016 elections as evidence that hackers and foreign intelligence groups are targeting both personal and official devices to influence politics.
Earlier this month Wyden and Cotton wrote to Stenger calling for an annual report on when Senate computers and smartphones have been compromised, and when hackers have otherwise gained access to sensitive Senate data.
Stenger requested $214.6 million for fiscal 2020, a 1.8 percent increase from the current enacted level.
When pressed by Hollen to estimate the number of attempted incursions into Senate networks or devices, Stenger did not.
“It’s difficult to come up with a quantification of the number, but it’s a significant amount,” he said.
Earlier this year, the House Chief Administrative Officer, who leads the office that manages the information technology infrastructure for the House, told lawmakers that “The House is undoubtedly a target of private and state-sponsored criminal cyber activity.”
He said that in just one month, the CAO blocks an estimated 1.6 billion unauthorized scans, probes and connections aimed at the House network.