Ron Wyden Wants Federal Government To Do More To Protect Personal Devices/Accounts Used By Senators And Staffers
from the small-fix-with-bigger-potential-repercussions dept
Ron Wyden is writing letters again. This time he wants to know why the federal government isn’t protecting the personal devices and email accounts used by federal officials. Attacks by state-sponsored hackers are never going to go away, and Wyden feels this lack of protection will make personal devices easy targets. From Wyden’s letter [PDF] to Senate majority leaders:
Press reports from January of this year indicate that Fancy Bear–the notorious Russian hacking group–targeted senior congressional staff in 2015 and 2016. My office has since discovered that Fancy Bear targeted personal email accounts, not official government accounts. And the Fancy Bear attacks may be the tip of a much larger iceberg. My office has also discovered that at least one major technology company has informed a number of Senators and Senate staff members that their personal email accounts were targeted by foreign government hackers.
Given the significance of this threat, I was alarmed to learn that SAA cybersecurity personnel apparently refused to help Senators and Senate staff after these attacks The SAA informed each Senator and staff member who asked for help that it may not offer cybersecurity assistance for personal accounts. The SAA confirmed to my office that it believes it may only use appropriated funds to protect official government devices and accounts.
This seems a little odd, but there’s a good reason the SAA doesn’t extend coverage to personal devices. As Pwn All The Things pointed out on Twitter, personal devices can be used for personal things, and we don’t want our elected officials using tax dollars for personal reasons.
This is a good example of a rule constructed for laudable reasons — the strong firewall to stop legislators using govt money for campaigning and personal things is there for a reason — ending up with bad consequences on edge-cases like defending high-value accounts from hackers
To protect against hacking attempts, Wyden is introducing legislation that would eliminate the SAA silos. The bill would allow the SAA to “provide cybersecurity assistance” for personal devices on an opt-in basis. We’ll have to see how this plays out when implemented. It may make it more difficult to discern if any federal funds were misused by Senators or their staff.
On the other hand, it will help secure devices some government employees mistakenly believe aren’t prime targets for state-sponsored hacking. It takes a certain amount of obtuseness to reach this conclusion, considering how heavily some government officials rely on their personal devices for communications with other government officials. The old FOIA dodge is still a popular one, and the difficulty of separating official work from personal work — especially during election years — likely means personal devices are used far more frequently than their government-issued ones.
While it’s good the government as a whole is continually working towards more robust security, the fact is the private sector offers plenty of options for government officials to better secure their personal devices. Personal responsibility is still underutilized at the federal level, which makes them no better (or worse) than much of the general public.