Senate IT Tells Staffers They're On Their Own When It Comes To Personal Devices And State-Sponsored Hackers
from the not-the-best-way-to-handle-an-impossible-situation dept
Notification of state-sponsored hacking attempts has revealed another weak spot in the US government's defenses. The security of the government's systems is an ongoing concern, but the Senate has revealed it's not doing much to ensure sensitive documents and communications don't end up in the hands of foreign hackers.
The news of the hacking attempt was greeted with assurances that nothing of value was taken.
That gap in security was brought front and center for Senate IT staffers on Jan. 12, when cybersecurity firm Trend Micro announced findings that seven months earlier, the same Russian government hacking group responsible for hacking Democratic Party targets in 2016 had created a phishing campaign that specifically targeted Senate staffers’ emails.
There’s no indication that the attempts were successful, and Trend Micro immediately alerted the FBI and the Office of the Sergeant at Arms, the agency responsible for Senate security, the firm said. Hours after Trend Micro’s report, multiple Senate staffers told BuzzFeed News, the sergeant-at-arms called a private meeting of Senate IT personnel to assure them that there was no real threat, as it had blocked the avenues the hackers would have tried to use.
It blocked those avenues, but Senate IT left a lot of avenues wide open. According to the BuzzFeed report, those in this meeting were told the protections offered would not include personal devices or email accounts. This makes some sense, as personnel have a responsibility to ensure their devices and accounts are as secure as possible if they're going to be using them for government work.
Laws and policies have been put in place to deter people from taking their sensitive work home with them. But they address a problem government agencies often exacerbate by treating employees as always on duty, even when they're off the clock. Multiple top government officials have been caught storing sensitive documents on private devices or in private accounts. Hillary Clinton underwent an FBI investigation because of this. Two years ago, a teenage hacker got hold of documents detailing US military operations by gaining access to the CIA director's AOL account.
So, drawing a line at personal devices seems like the right thing to do, but only if you ignore the attack vectors left open by this policy. Even banning personal devices from government offices has its problems -- going far beyond the fact that this policy is pretty much unenforceable when there are thousands of staffers to keep an eye on.
Reached for comment, a sergeant-at-arms representative declined to give a formal statement, but told BuzzFeed News that its cybersecurity team’s specific directive is to protect Senate email accounts and Senate-issued devices.
But that could be a problem if a Senate staff member – there are thousands – uses a Senate device to also access personal email. If the staffer downloads a malicious program from personal email on a Senate-issued computer, that program could gain access to the device.
So… I don't know… throw the CFAA at them? [I'm joking, DOJ. Please don't do this.] There's no great solution to this problem. You can push the responsibility back on the person who became the attack vector but that just leaves sensitive government systems as weak as the weakest person with access. And employees should rightfully be wary of government attempts to "secure" devices and accounts, which could lead to lots of snooping into non-government communications.
It's impossible to secure everything but Senate IT shouldn't be so quick to wall off personal devices and accounts. Ignoring attack vectors doesn't solve the problem. Consistent enforcement of policies governing the handling of sensitive documents and communications might reduce the chances of a breach. But the problem remains the government's to deal with. As a former White House staffer notes in the article, the tools government employees need to do their jobs effectively aren't all supplied by the government. Many are supplied by third parties and may only run (or run well) on personal devices. The government can't be expected to be all things to all employees, but maybe it should consider extending its protective services to the devices and accounts it unofficially expects staffers to use.
Filed Under: encryption, hackers, it, privacy, security, senate, surveillance
Reader Comments
Needless to say that manager didn't last long.
That phrase in bio that also applies to tech...
Seems like a simple binary decision
If personal pick up personal device.
If professional pick up government supplied device.
If you're not sure, don't pick up anything, just sign the resignation form and go home, leaving all government property, intellectual or otherwise, at work.
FFS this is NOT rocket surgery.
Re:
How is that needless to say? I have seen more than enough managers with that same attitude survive in IT for many years and still kicking too.
Good on those guys for canning that idiot, but that is hardly an easily expected outcome.
Re:
No, but it can be IT rocket surgery which is just as complex and involved.
Information Technology is every bit as complex as the Medical Field. No one person knows how to do everything so people split off into specialization where their interests and expertise can have the greatest impact.
The only difference "for now" is that when IT makes a mistake people tend not to die like they do in the medical industry, but as more systems take control of medicine that will change.
Re: Re:
This one is no different. I have decades of experience and I'd struggle to tackle it in an effective manner. However, abdicating and leaving staffers on their own is NOT an acceptable approach.
Re: Re: Re: MORE THAN THAT, LOL
But, even if rigid separation didn't fight convenience and lose most times, my personal phone can easily turn spy...like having a drone in my pocket...meaning real security is *everyone's* problem!
If you don't believe that, just remember Meltdown has been sitting out in the open waiting for public disclosure for about a decade.
They will be equipped with all the proper level of government security and all correspondence, texts and email will be monitored and archived by the government.
If you use an unsecured device for government work, you go to jail, do not pass go, do not collect $200.
What is the technical solution to all this?
Within the last 30 days we had security training that specifically described spearphishing. It was actually very well done training. In our location, the headquarters for our unit, 12 out of 180 people still clicked on the link.
What is the technical solution for this? I haven't the foggiest. But then I work in engineering, no one is going to ask me for a solution & if I came up with one, it would just piss off IT.
Re:
Do government-supplied devices include take-home devices, meaning all staffers would be given government smartphones, tablets, laptops AND be carrying their personal devices? Cumbersome but clearly compartmentalizable for each purpose so long as government devices let them run all the software they need and not have to grab their personal to run something.
As the post notes, a larger cultural policy problem whose solution must be codified for elected officials, management, and staffers is that they "exacerbate [the problem] by treating employees as always on duty, even where they're off the clock."
Re: Re:
Germany and France passed laws against off-the-clock after-hours work communication at home not directly because of security but employee health. (See many news articles)
Jon Whittle, a researcher at Digital Brain Trust, said "The real problem is the culture (emphasis mine) of having to constantly do more and constantly do better than competitors." https://www.washingtonpost.com/news/the-switch/wp/2016/05/12/france-might-pass-a-law-that-makes-it-illegal-to-send-after-hours-work-emails/
Re:
The solution to phishing is not entirely a technical engineering one.
Yes, technically... If the phishing infection was from an attachment to an email, the work email server (or every end-user device) could run a heuristic virus scanner in the background. If it was from a URL, advanced, manually-hardened firewalls could download dynamically updated blocklists to disallow connection to hostile URLs, and a virus scanner could scan downloads in tandem -- both again either on the server or on every end-user device. (Think of cost and access. One server setup would cost less for large organizations but not protect devices that don't connect through it.) If the hostile URL was encrypted with HTTPS, the firewall could only block the whole website which might result in collateral damage if the site is mostly benign, or the organization could install intermediate encryption certificates on all end-user devices so the firewall could decrypt all encrypted traffic, scan it, and then re-encrypt with the destination's certificate before sending it along. If it came from an email, anti-spam software that looks for unusual origin headers or text patterns in headers or grammar could be installed on the server or devices. Chat services and phone chat apps do not generally have anti-spam but rely on the end-user to manage a blacklist or whitelist. Always update software over a secure channel with the latest security patches, and disable access and permissions requested by automatic software and to any users who shouldn't need it.
But, not technically... One of the best defenses is educating the users. They should be taught how to recognize suspicious metadata in received messages, best practices/policies for operational security (OPSEC) and device security, and to be vigilant. Then as a herd, they could defend against phishing threats that are not yet patched or conceived of that pass through the technical defenses. Phishing boils down to socially persuading or fooling a human into trusting and opening a file ("social engineering"), not to infiltrate by finding vulnerabilities in the network's computer code. To quote an old sysadmin joke, PEBKAC.
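The comment above mentions anti-spam checks that look for unusual origin headers and text patterns. The following is an added example, not code from the comment or the original post, showing what such a check can look like: it compares the Return-Path and Reply-To domains with the From domain, flags urgency wording in the subject, and flags links to domains unrelated to the sender. The two sample messages, and every domain and address in them, are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not from the page): a lure with mismatched origin
# headers and a link to an unrelated domain, and an ordinary message.
PHISH_SAMPLE = """\
From: "IT Helpdesk" <helpdesk@senate.example>
Return-Path: <bounce@mail-campaign.example.net>
Reply-To: <support@login-portal.example.net>
Subject: URGENT: your password expires today

Keep your mailbox: http://login-portal.example.net/reset
"""

BENIGN_SAMPLE = """\
From: "Alice Staffer" <alice@senate.example>
Return-Path: <alice@senate.example>
Subject: Lunch Thursday?

Same place as last week? https://senate.example/cafeteria
"""

URGENCY = re.compile(r"\b(urgent|immediately|expires? today|suspended)\b", re.I)

def _domain(addr):
    """Lowercased domain of an address header value, or '' if absent."""
    email = parseaddr(addr or "")[1]
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""

def origin_findings(raw):
    """Return reasons a message's origin headers and links look unusual.
    An empty list means nothing was flagged; this is triage input, not a verdict."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg.get("From"))
    for hdr in ("Return-Path", "Reply-To"):
        dom = _domain(msg.get(hdr))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("urgency wording in Subject")
    body = msg.get_payload() if not msg.is_multipart() else ""
    for host in re.findall(r"https?://([^/\s]+)", body):
        host = host.lower()
        if host != from_dom and not host.endswith("." + from_dom):
            findings.append(f"link to {host} does not match From domain")
    return findings
```

Calling origin_findings(PHISH_SAMPLE) returns four findings and origin_findings(BENIGN_SAMPLE) returns none; a real deployment would feed these into scoring alongside SPF/DKIM results rather than blocking on any single one.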
Re: Re:
Correction:
...disable access and permissions requested by automatic software that shouldn't need certain things except for updates and to...
I'm guessing the vice president has a MySpace and the Joint Chiefs of Staff have a Yahoo homepage?
Jesus Christ, these people are in power but they're dinosaur retards.
By law, you can't have classified information on personal devices that are not secured.
Have info on a personal device and you should go to jail. Some do (those that are not politically favored) but some don't (Hillary.)
Re: Re:
Probably true, but: "Within the last 30 days we had security training that specifically described spearphishing. It was actually very well done training. In our location, the headquarters for our unit, 12 out of 180 people still clicked on the link." So unless he's wrong about how good the training was, education is not as easy or effective as we might like.
Please.