Senate IT Tells Staffers They're On Their Own When It Comes To Personal Devices And State-Sponsored Hackers

from the not-the-best-way-to-handle-an-impossible-situation dept

Notification of state-sponsored hacking attempts has revealed another weak spot in the US government’s defenses. The security of the government’s systems is an ongoing concern, but the Senate has revealed it’s not doing much to ensure sensitive documents and communications don’t end up in the hands of foreign hackers.

The news of the hacking attempt was greeted with assurances that nothing of value was taken.

That gap in security was brought front and center for Senate IT staffers on Jan. 12, when cybersecurity firm Trend Micro announced findings that seven months earlier, the same Russian government hacking group responsible for hacking Democratic Party targets in 2016 had created a phishing campaign that specifically targeted Senate staffers’ emails.

There’s no indication that the attempts were successful, and Trend Micro immediately alerted the FBI and the Office of the Sergeant at Arms, the agency responsible for Senate security, the firm said. Hours after Trend Micro’s report, multiple Senate staffers told BuzzFeed News, the sergeant-at-arms called a private meeting of Senate IT personnel to assure them that there was no real threat, as it had blocked the avenues the hackers would have tried to use.

It blocked those avenues, but Senate IT left a lot of avenues wide open. According to the Buzzfeed report, those in this meeting were told the protections offered would not include personal devices or email accounts. This makes some sense, as personnel have a responsibility to ensure their devices/accounts are as secure as possible if they’re going to be using them for government work.

Laws and policies have been put in place to deter people from taking their sensitive work home with them. But they address a problem government agencies often exacerbate by treating employees as always on duty, even where they’re off the clock. Multiple top government officials have been caught storing sensitive documents on private devices or in private accounts. Hillary Clinton underwent an FBI investigation because of this. Two years ago, a teenage hacker got a hold of documents detailing US military operations by gaining access to the CIA director’s AOL account.

So, drawing a line at personal devices seems like the right thing to do, but only if you ignore the attack vectors left open by this policy. Even banning personal devices from government offices has its problems — going far beyond the fact that this policy is pretty much unenforceable when there are thousands of staffers to keep an eye on.

Reached for comment, a sergeant-at-arms representative declined to give a formal statement, but told BuzzFeed News that its cybersecurity team’s specific directive is to protect Senate email accounts and Senate-issued devices.

But that could be a problem if a Senate staff member – there are thousands – uses a Senate device to also access personal email. If the staffer downloads a malicious program from personal email on a Senate-issued computer, that program could gain access to the device.

So… I don’t know… throw the CFAA at them? [I’m joking, DOJ. Please don’t do this.] There’s no great solution to this problem. You can push the responsibility back on the person who became the attack vector but that just leaves sensitive government systems as weak as the weakest person with access. And employees should rightfully be wary of government attempts to “secure” devices and accounts, which could lead to lots of snooping into non-government communications.

It’s impossible to secure everything but Senate IT shouldn’t be so quick to wall off personal devices and accounts. Ignoring attack vectors doesn’t solve the problem. Consistent enforcement of policies governing the handling of sensitive documents and communications might reduce the chances of a breach. But the problem remains the government’s to deal with. As a former White House staffer notes in the article, the tools government employees need to do their jobs effectively aren’t all supplied by the government. Many are supplied by third parties and may only run (or run well) on personal devices. The government can’t be expected to be all things to all employees, but maybe it should consider extending its protective services to the devices and accounts it unofficially expects staffers to use.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Senate IT Tells Staffers They're On Their Own When It Comes To Personal Devices And State-Sponsored Hackers”

Subscribe: RSS Leave a comment
bob says:

This story reminds me of something my old it manager would say, “What is it you need that the company isn’t providing?” When we would reply with a software or hardware request, he afterwards would usually say “well you are just going to have to figure out how to do it without that.”

Needless to say that manager didn’t last long.

Anonymous Anonymous Coward (profile) says:

Seems like a simple binary decision

Is what I am going to do personal or professional?

If personal pick up personal device.

If professional pick up government supplied device.

If your not sure, don’t pick up anything, just sign resignation form and go home, leaving all government property, intellectual or otherwise, at work.

Anonymous Coward says:

Re: Re:

Do government-supplied devices include take-home devices, meaning all staffers would be given government smartphones, tablets, laptops AND be carrying their personal devices? Cumbersome but clearly compartmentalizable for each purpose so long as government devices let them run all the software they need and not have to grab their personal to run something.

As the post notes, a larger cultural policy problem whose solution must be codified for elected officials, management, and staffers is that they "exacerbate [the problem] by treating employees as always on duty, even where they’re off the clock."

Anonymous Coward says:

Re: Re: Re:

Germany and France passed laws against off-the-clock after-hours work communication at home not directly because of security but employee health. (See many news articles)

Jon Whittle, a researcher at Digital Brain Trust, said "The real problem is the culture (emphasis mine) of having to constantly do more and constantly do better than competitors."

Berenerd (profile) says:

I know how to fix all of this. Fire anyone using personal email/phones for work. Don’t allow email to be viewed without a government laptop and don’t let personal email be viewed by it. Same with phones. There are companies with less to protect that the government who have these rules in place. THIS INCLUDES ELECTED OFFICIALS AND THEIR STAFF!!

FFS this is NOT rocket surgery.

Anonymous Coward says:

Re: Re:

“FFS this is NOT rocket surgery.”

No, but it can be IT rocket surgery which is just as complex and involved.

Information Technology is every bit as complex as the Medical Field. No one person knows how to do everything so people split off into specialization where their interests and expertise can have the greatest impact.

The only difference “for now” is that when IT makes a mistake people tend not to die like they do in the medical industry, but as more systems take control of medicine that will change.

Anonymous Coward says:

Re: Re: Re:

Securing complex environments such as this one is not a solved problem in computing. I’ve worked in pharma, defense, government, education, finance, etc., and every one of those environments presented difficult multifaceted problems that were not and are not susceptible to “just do this” approaches.

This one is no different. I have decades of experience and I’d struggle to tackle it in an effective manner. However, abdicating and leaving staffers on their own is NOT an acceptable approach.

Christenson says:


It’s very hard to separate the personal from the work-related, especially when the work-equipment gets used for casual personal business, not to mention establishing the personal trust that is actually essential for security. It’s staff night out tonight!

But, even if rigid separation didn’t fight convenience and lose most times, my personal phone can easily turn spy…like having a drone in my pocket…meaning real security is everyone’s problem!

If you don’t believe that, just remember Meltdown has been sitting out in the open waiting for public disclosure for about a decade.

orbitalinsertion (profile) says:

Re: Re: Re:

True, but that is both an enforceable policy and also puts the onus on the government for protection of government work. There can always be failures, but the attack surface would be way smaller, and frankly, the heavy security crackers and enforcers (like from the NSA) should be advising all government IT departments on threats and mitigation. Also IT departments should be properly staffed and funded to do their jobs. (Yeah right, i know.)

Jim says:

Re: Re: Re:

Only problem is, people can die from this. Remember ” Obama’s blackberry”, problem? Senior staff, is the problem. They have two communication networks tied to one machine. Both a secure network(supposedly) and a ” Yahoo” account. Is the device still secure? No. Could the one account infiltrate the other? Yes. Is the device then considered comprised? No. Is it allowed on the secure network? Yes. Is the network really secure?

Stosh says:

Simple solution, if they want to use their personal devices, the devices have to operate under the same rules as the government owned ones.

They will be equipped with all the proper level of government security and all correspondence, texts and email will be monitored and archived by the government.

If you use an unsecured device for government work, you go to jail, do not pass go, do not collect $200.

JoeDetroit (profile) says:

What is the technical solution to all this?

My employers just got hit with a massive spearfishing attempt. It was corporate wide, all business units, every single email address was hit. All from one email account from one business unit.

Within the last 30 days we had security training that specifically described spearfishing. It was actually very well done training. In our location, the headquarters for our unit, 12 out of 180 people still clicked on the link.

What is the technical solution for this? I haven’t the foggiest. But then I work in engineering, no one is going to ask me for a solution & if I came up with one, it would just piss off IT.

Anonymous Coward says:

Re: Re:

The solution to phishing is not entirely a technical engineering one.

Yes, technically… If the phishing infection was from an attachment to an email, the work email server (or every end-user device) could run a heuristic virus scanner in the background. If it was from a URL, advanced, manually-hardened firewalls could download dynamically updated blocklists to disallow connection to hostile URLs, and a virus scanner could scan downloads in tandem — both again either on the server or on every end-user device. (Think of cost and access. One server setup would cost less for large organizations but not protect devices that don’t connect through it.) If the hostile URL was encrypted with HTTPS, the firewall could only block the whole website which might result in collateral damage if the site is mostly benign, or the organization could install intermediate encryption certificates on all end-user devices so the firewall could decrypt all encrypted traffic, scan it, and then re-encrypt with the destination’s certificate before sending it along. If it came from an email, anti-spam software that looks for unusual origin headers or text patterns in headers or grammar could be installed on the server or devices. Chat services and phone chat apps do not generally have anti-spam but rely on the end-user to manage a blacklist or whitelist. Always update software over a secure channel with the latest security patches, and disable access and permissions requested by automatic software and to any users who shouldn’t need it.

But, not technically… One of the best defenses is educating the users. They should be taught how to recognize suspicious metadata in received messages, best practices/policies for operational security (OPSEC) and device security, and to be vigilant. Then as a herd, they could defend against phishing threats that are not yet patched or conceived of that pass through the technical defenses. Phishing boils down to socially persuading or fooling a human into trusting and opening a file ("social engineering"), not to infiltrate by finding vulnerabilities in the network’s computer code. To quote an old sysadmin joke, PEBKAC.

nasch (profile) says:

Re: Re: Re:

One of the best defenses is educating the users.

Probably true, but: "Within the last 30 days we had security training that specifically described spearfishing. It was actually very well done training. In our location, the headquarters for our unit, 12 out of 180 people still clicked on the link." So unless he’s wrong about how good the training was, education is not as easy or effective as we might like.

yoyoma (profile) says:

Yep, I always thought that installing a private email server in the basement of my home, hiring private IT personnel, and then having the same delete my entire email history with BitLocker *after* a Federal government preservation request was issued for those same emails was functionally equivalent to sending a few documents to my personal Hotmail account.


Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...