Senate IT Tells Staffers They're On Their Own When It Comes To Personal Devices And State-Sponsored Hackers

from the not-the-best-way-to-handle-an-impossible-situation dept

Notification of state-sponsored hacking attempts has revealed another weak spot in the US government's defenses. The security of the government's systems is an ongoing concern, but the Senate has revealed it's not doing much to ensure sensitive documents and communications don't end up in the hands of foreign hackers.

The news of the hacking attempt was greeted with assurances that nothing of value was taken.

That gap in security was brought front and center for Senate IT staffers on Jan. 12, when cybersecurity firm Trend Micro announced findings that seven months earlier, the same Russian government hacking group responsible for hacking Democratic Party targets in 2016 had created a phishing campaign that specifically targeted Senate staffers’ emails.

There’s no indication that the attempts were successful, and Trend Micro immediately alerted the FBI and the Office of the Sergeant at Arms, the agency responsible for Senate security, the firm said. Hours after Trend Micro’s report, multiple Senate staffers told BuzzFeed News, the sergeant-at-arms called a private meeting of Senate IT personnel to assure them that there was no real threat, as it had blocked the avenues the hackers would have tried to use.

It blocked those avenues, but Senate IT left a lot of avenues wide open. According to the BuzzFeed report, those in this meeting were told the protections offered would not include personal devices or email accounts. This makes some sense, as personnel have a responsibility to ensure their devices/accounts are as secure as possible if they're going to be using them for government work.

Laws and policies have been put in place to deter people from taking their sensitive work home with them. But they address a problem government agencies often exacerbate by treating employees as always on duty, even where they're off the clock. Multiple top government officials have been caught storing sensitive documents on private devices or in private accounts. Hillary Clinton underwent an FBI investigation because of this. Two years ago, a teenage hacker got a hold of documents detailing US military operations by gaining access to the CIA director's AOL account.

So, drawing a line at personal devices seems like the right thing to do, but only if you ignore the attack vectors left open by this policy. Even banning personal devices from government offices has its problems -- going far beyond the fact that this policy is pretty much unenforceable when there are thousands of staffers to keep an eye on.

Reached for comment, a sergeant-at-arms representative declined to give a formal statement, but told BuzzFeed News that its cybersecurity team’s specific directive is to protect Senate email accounts and Senate-issued devices.

But that could be a problem if a Senate staff member – there are thousands – uses a Senate device to also access personal email. If the staffer downloads a malicious program from personal email on a Senate-issued computer, that program could gain access to the device.

So… I don't know… throw the CFAA at them? [I'm joking, DOJ. Please don't do this.] There's no great solution to this problem. You can push the responsibility back on the person who became the attack vector, but that just leaves sensitive government systems as weak as the weakest person with access. And employees should rightfully be wary of government attempts to "secure" devices and accounts, which could lead to lots of snooping into non-government communications.

It's impossible to secure everything, but Senate IT shouldn't be so quick to wall off personal devices and accounts. Ignoring attack vectors doesn't solve the problem. Consistent enforcement of policies governing the handling of sensitive documents and communications might reduce the chances of a breach. But the problem remains the government's to deal with. As a former White House staffer notes in the article, the tools government employees need to do their jobs effectively aren't all supplied by the government. Many are supplied by third parties and may only run (or run well) on personal devices. The government can't be expected to be all things to all employees, but maybe it should consider extending its protective services to the devices and accounts it unofficially expects staffers to use.


Reader Comments


  • bob, 26 Jan 2018 @ 11:09am

    This story reminds me of something my old IT manager would say, "What is it you need that the company isn't providing?" When we would reply with a software or hardware request, he afterwards would usually say "well you are just going to have to figure out how to do it without that."

    Needless to say that manager didn't last long.

    • Anonymous Coward, 26 Jan 2018 @ 11:55am

      Re:

      "Needless to say that manager didn't last long."

      How is that needless to say? I have seen more than enough managers with that same attitude survive in IT for many years and still kicking too.

      Good on those guys for canning that idiot, but that is hardly an easily expected outcome.

  • Uriel-238, 26 Jan 2018 @ 11:33am

    That phrase in bio that also applies to tech...

    _Herd immunity._

  • Anonymous Coward, 26 Jan 2018 @ 11:35am

    Our govt is pathetic. Should have a private network only accessible at facility - F that shit about working remotely.

  • Anonymous Anonymous Coward, 26 Jan 2018 @ 11:40am

    Seems like a simple binary decision

    Is what I am going to do personal or professional?

    If personal pick up personal device.

    If professional pick up government supplied device.

    If you're not sure, don't pick up anything, just sign resignation form and go home, leaving all government property, intellectual or otherwise, at work.

    • Anonymous, 27 Jan 2018 @ 8:40am

      Re:

      Do government-supplied devices include take-home devices, meaning all staffers would be given government smartphones, tablets, laptops AND be carrying their personal devices? Cumbersome but clearly compartmentalizable for each purpose so long as government devices let them run all the software they need and not have to grab their personal to run something.

      As the post notes, a larger cultural policy problem whose solution must be codified for elected officials, management, and staffers is that they "exacerbate [the problem] by treating employees as always on duty, even where they're off the clock."

  • Berenerd, 26 Jan 2018 @ 11:50am

    I know how to fix all of this. Fire anyone using personal email/phones for work. Don't allow email to be viewed without a government laptop and don't let personal email be viewed by it. Same with phones. There are companies with less to protect than the government who have these rules in place. THIS INCLUDES ELECTED OFFICIALS AND THEIR STAFF!!

    FFS this is NOT rocket surgery.

    • Anonymous Coward, 26 Jan 2018 @ 12:00pm

      Re:

      "FFS this is NOT rocket surgery."

      No, but it can be IT rocket surgery which is just as complex and involved.

      Information Technology is every bit as complex as the Medical Field. No one person knows how to do everything so people split off into specialization where their interests and expertise can have the greatest impact.

      The only difference "for now" is that when IT makes a mistake people tend not to die like they do in the medical industry, but as more systems take control of medicine that will change.

      • Anonymous Coward, 26 Jan 2018 @ 12:21pm

        Re: Re:

        Securing complex environments such as this one is not a solved problem in computing. I've worked in pharma, defense, government, education, finance, etc., and every one of those environments presented difficult multifaceted problems that were not and are not susceptible to "just do this" approaches.

        This one is no different. I have decades of experience and I'd struggle to tackle it in an effective manner. However, abdicating and leaving staffers on their own is NOT an acceptable approach.

        • Christenson, 26 Jan 2018 @ 2:38pm

          Re: Re: Re: MORE THAN THAT, LOL

          It's *very* hard to separate the personal from the work-related, especially when the work-equipment gets used for casual personal business, not to mention establishing the personal trust that is actually essential for security. It's staff night out tonight!

          But, even if rigid separation didn't fight convenience and lose most times, my personal phone can easily turn spy...like having a drone in my pocket...meaning real security is *everyone's* problem!

          If you don't believe that, just remember Meltdown has been sitting out in the open waiting for public disclosure for about a decade.

      • orbitalinsertion, 26 Jan 2018 @ 12:28pm

        Re: Re:

        True, but that is both an enforceable policy and also puts the onus on the government for protection of government work. There can always be failures, but the attack surface would be way smaller, and frankly, the heavy security crackers and enforcers (like from the NSA) should be advising all government IT departments on threats and mitigation. Also IT departments should be properly staffed and funded to do their jobs. (Yeah right, I know.)

      • Jim, 28 Jan 2018 @ 5:48am

        Re: Re:

        Only problem is, people can die from this. Remember "Obama's blackberry" problem? Senior staff is the problem. They have two communication networks tied to one machine. Both a secure network (supposedly) and a "Yahoo" account. Is the device still secure? No. Could the one account infiltrate the other? Yes. Is the device then considered compromised? No. Is it allowed on the secure network? Yes. Is the network really secure?

  • That Anonymous Coward, 26 Jan 2018 @ 7:02pm

    Well they are smart enough to use their staffers' phones to set up the hookers & blow deliveries so at least the bad guys will know where the hot spots are.

  • Stosh, 27 Jan 2018 @ 12:04am

    Simple solution, if they want to use their personal devices, the devices have to operate under the same rules as the government owned ones.

    They will be equipped with all the proper level of government security and all correspondence, texts and email will be monitored and archived by the government.

    If you use an unsecured device for government work, you go to jail, do not pass go, do not collect $200.

  • JoeDetroit, 27 Jan 2018 @ 3:44am

    What is the technical solution to all this?

    My employers just got hit with a massive spearphishing attempt. It was corporate wide, all business units, every single email address was hit. All from one email account from one business unit.

    Within the last 30 days we had security training that specifically described spearphishing. It was actually very well done training. In our location, the headquarters for our unit, 12 out of 180 people still clicked on the link.

    What is the technical solution for this? I haven't the foggiest. But then I work in engineering, no one is going to ask me for a solution & if I came up with one, it would just piss off IT.

    • Anonymous Coward, 27 Jan 2018 @ 11:37am

      Re:

      The solution to phishing is not entirely a technical engineering one.

      Yes, technically... If the phishing infection was from an attachment to an email, the work email server (or every end-user device) could run a heuristic virus scanner in the background. If it was from a URL, advanced, manually-hardened firewalls could download dynamically updated blocklists to disallow connection to hostile URLs, and a virus scanner could scan downloads in tandem -- both again either on the server or on every end-user device. (Think of cost and access. One server setup would cost less for large organizations but not protect devices that don't connect through it.) If the hostile URL was encrypted with HTTPS, the firewall could only block the whole website which might result in collateral damage if the site is mostly benign, or the organization could install intermediate encryption certificates on all end-user devices so the firewall could decrypt all encrypted traffic, scan it, and then re-encrypt with the destination's certificate before sending it along. If it came from an email, anti-spam software that looks for unusual origin headers or text patterns in headers or grammar could be installed on the server or devices. Chat services and phone chat apps do not generally have anti-spam but rely on the end-user to manage a blacklist or whitelist. Always update software over a secure channel with the latest security patches, and disable access and permissions requested by automatic software and to any users who shouldn't need it.

      But, not technically... One of the best defenses is educating the users. They should be taught how to recognize suspicious metadata in received messages, best practices/policies for operational security (OPSEC) and device security, and to be vigilant. Then as a herd, they could defend against phishing threats that are not yet patched or conceived of that pass through the technical defenses. Phishing boils down to socially persuading or fooling a human into trusting and opening a file ("social engineering"), not to infiltrate by finding vulnerabilities in the network's computer code. To quote an old sysadmin joke, PEBKAC.

      • Anonymous Coward, 27 Jan 2018 @ 11:55am

        Re: Re:

        Correction:

        ...disable access and permissions requested by automatic software that shouldn't need certain things except for updates and to...

      • nasch, 30 Jan 2018 @ 7:36am

        Re: Re:

        "One of the best defenses is educating the users."

        Probably true, but: "Within the last 30 days we had security training that specifically described spearphishing. It was actually very well done training. In our location, the headquarters for our unit, 12 out of 180 people still clicked on the link." So unless he's wrong about how good the training was, education is not as easy or effective as we might like.

  • Anonymous Coward, 28 Jan 2018 @ 10:26am

    The CIA director has an AOL account?

    I'm guessing the vice president has a myspace and the Joint Chiefs of Staff have a yahoo homepage?

    Jesus Christ, these people are in power but they're dinosaur retards.

  • Anonymous Coward, 29 Jan 2018 @ 10:21am

    You are looking for a solution that already has an answer.

    By law, you can't have classified information on personal devices that are not secured.

    Have info on a personal device and you should go to jail. Some do (those that are not politically favored) but some don't (Hillary.)

  • yoyoma, 4 Feb 2018 @ 8:40pm

    Yep, I always thought that installing a private email server in the basement of my home, hiring private IT personnel, and then having the same delete my entire email history with BitLocker *after* a Federal government preservation request was issued for those same emails was functionally equivalent to sending a few documents to my personal Hotmail account.

    Please.
