Senators press legislative IT office for data on hacks

Two Senators are looking to change the way the institution talks about its cybersecurity problems, and they want to see data on the scope of the threat.

In a March 13 letter to Senate Sergeant at Arms Michael Stenger, Sens. Ron Wyden (D-Ore.) and Tom Cotton (R-Ark.) asked how frequently Senate IT assets have been compromised over the past decade.

The letter mentioned two of the last publicly known cyber intrusions into Congress over the past 13 years -- the 2006 compromise of then-Rep. Frank Wolf's (R-Va.) email system and a series of attacks on then-Sen. Bill Nelson's (D-Fla.) office computers in 2009 -- and asks for more transparency about any other successful attempts the Sergeant at Arms knows of since then.

"Companies and executive branch agencies are required by state and federal law to report breaches," the senators wrote. "In contrast, Congress has no legal obligation to disclose breaches and other cyber incidents. We believe that the lack of data regarding successful cyberattacks against the Congress has contributed to the absence of debate regarding congressional cybersecurity -- this must change."

The senators said they aren't asking for details around specific incidents, but rather statistics for the number of Senate computers compromised and times hackers have successfully accessed sensitive Senate data. They also want the Sergeant at Arms to inform Senate leaders and the Senate Committees of Rules and Intelligence no later than five days after learning of any breach of a Senate computer.

Giving individual Senators these numbers "would enable the Senate to engage in informed debate about the security threats faced by the legislative branch and consequently, the need for the Senate to fund, prioritize and conduct aggressive oversight of its own cybersecurity," the pair wrote.

National security officials have repeatedly warned that members of Congress their staff and even their family members are at risk from hacking groups, with former NSA Director Michael Rogers calling lawmakers "prime targets for exploitation" in 2018.

It's not just official Senate computers and email that are vulnerable. Last year, after Google began alerting unnamed Senators that their personal accounts and emails were being targeted by nation-state hacking groups, Wyden wrote to the Sergeant at Arms expressing "alarm" that the office rebuffed requests from Senators seeking cybersecurity assistance.

In December 2018, Wyden successfully pushed the Federal Election Commission to allow members of Congress to reallocate leftover campaign funds to protect the personal electronic devices and accounts of members and staff.