Ron Wyden Wants Federal Government To Do More To Protect Personal Devices/Accounts Used By Senators And Staffers
from the small-fix-with-bigger-potential-repercussions dept
Ron Wyden is writing letters again. This time he wants to know why the federal government isn't protecting the personal devices and email accounts used by federal officials. Attacks by state-sponsored hackers are never going to go away, and Wyden feels this lack of protection will make personal devices easy targets. From Wyden's letter [PDF] to Senate majority leaders:
Press reports from January of this year indicate that Fancy Bear--the notorious Russian hacking group--targeted senior congressional staff in 2015 and 2016. My office has since discovered that Fancy Bear targeted personal email accounts, not official government accounts. And the Fancy Bear attacks may be the tip of a much larger iceberg. My office has also discovered that at least one major technology company has informed a number of Senators and Senate staff members that their personal email accounts were targeted by foreign government hackers.
Given the significance of this threat, I was alarmed to learn that SAA cybersecurity personnel apparently refused to help Senators and Senate staff after these attacks. The SAA informed each Senator and staff member who asked for help that it may not offer cybersecurity assistance for personal accounts. The SAA confirmed to my office that it believes it may only use appropriated funds to protect official government devices and accounts.
This seems a little odd, but there's a good reason the SAA doesn't extend coverage to personal devices. As Pwn All The Things pointed out on Twitter, personal devices can be used for personal things, and we don't want our elected officials using tax dollars for personal reasons.
This is a good example of a rule constructed for laudable reasons -- the strong firewall to stop legislators using govt money for campaigning and personal things is there for a reason -- ending up with bad consequences on edge-cases like defending high-value accounts from hackers
To protect against hacking attempts, Wyden is introducing legislation that would eliminate the SAA silos. The bill would allow the SAA to "provide cybersecurity assistance" for personal devices on an opt-in basis. We'll have to see how this plays out when implemented. It may make it more difficult to discern if any federal funds were misused by Senators or their staff.
On the other hand, it will help secure devices some government employees mistakenly believe aren't prime targets for state-sponsored hacking. It takes a certain amount of obtuseness to reach this conclusion, considering how heavily some government officials rely on their personal devices for communications with other government officials. The old FOIA dodge is still a popular one, and the difficulty of separating official work from personal work -- especially during election years -- likely means personal devices are used far more frequently than their government-issued ones.
While it's good the government as a whole is continually working towards more robust security, the fact is the private sector offers plenty of options for government officials to better secure their personal devices. Personal responsibility is still underutilized at the federal level, which makes them no better (or worse) than much of the general public.
Filed Under: congress, cybersecurity, federal government, nation state attackers, ron wyden, senate
Reader Comments
no need.
If people aren't securing their devices it's because they don't care or don't believe the threat reports, of which there are many publicly available ones not including the Senate specific ones they all have access to.
If staffers and members get their info exposed, well, welcome to the world the rest of us live in. We don't have funds from the government to assign an IT group to protecting ourselves. And if the Senate people's devices have government sensitive data on them, then the owners are breaking both policy and possibly laws and shouldn't be allowed to work in that environment any more.
Whaaa? Why so hard? I've never sent an email expressing my love for my wife via work email, nor have I ever replied to a user using my personal email.
It's a cut and dry situation. Your business people should never get the email you talk to friends and family with.
Sorry but there needs to be a hard line drawn. Gov business needs to be performed on Gov equipment. Period.
BYOD shouldn't even be an option.
"personal devices are used far more frequently"
MDM? I never hear of MDM mentioned.
I've seen better MDM from orgs with 1/10 of the budget.
"he wants to know why the federal government isn't protecting the personal devices and email accounts used by federal officials."
He needs to be asking why federal officials are using personal devices in the first place.
I like Ron but this will only handle issues once there is a problem and the user gets to the point where they finally reach out for help. Usually too late. They need to be proactive.
Re: Ron again
Ron's letters are so very effective in problem solving(?)
Writing letters is why we elect Senators.
Ron and his Congressional co-workers have masterfully solved all the big issues facing the Federal Government and nation -- so there's ample time now to deal with this trivia of "personal devices".
Re: Re: Ron again
Re:
During a campaign year, for instance, delineating between government business and personal business becomes harder because the campaign requires heavy management, and is properly not managed on government hardware. Most people will confuse the devices at times, or more likely, send instructions or information using whatever device is at hand.
Having worked for both small and medium businesses, unless hounded by the CFO, or forced to pay fines by some agency, most business leaders will use whatever card comes out of their wallet when they reach the register, and I regularly have to go through and settle up. Even with that hounding, most will continue to use their personal credit/debit cards and have to be reimbursed by the company. It's easy. Similarly with devices. In fact, most of these congressmen come from business where this practice is common.
It's not to say that Gov business being done on Government hardware shouldn't be the standard. But to not be prepared for the human nature to use a personal device on hand to send a memo is stupid. A security system that assumes the user will always operate in accordance with best practices is not a good security system.
Moreover, that personal device still represents a security risk even if no government data is handled on it due to the wealth of data that could be gathered.
Mobile Device Management would be unlikely to resolve issues with the use of devices outside the MDM scheme (government work on personal devices), so I am unsure why you brought it up in this context.
Re: Re:
That said, I do think you make a good point that even purely personal data can be of use to hackers targeting politicians!
Re: delineating between government business and personal busines
Solution
would be a good start.
Hard to get too concerned about security when the basic business model of far too many companies(campaign contributors) includes being able to monitor, track and data mine the personalized tracking devices most folks carry.
How about protecting the rest of us?
Our devices are subject to attack by state sponsored hackers.
The US government needs to protect us from certain governments that want to take away our crypto and security by requiring back doors. (Oh, wait...)
But maybe I'm paranoid. Maybe there is No Such Agency that would want to spy on US citizens.
Re: How about protecting the rest of us?
Re:
'Passw0rd' perhaps, but not 'passw0rd'. Gotta have an upper-case letter in there after all, makes it much more secure.
Be Afraid..
OPEN up everyone else with Backdoor encryption, but Protect our HIGH RANKING Gov. employees...
From having their emails raided and Displayed for everyone to see..
shouldn't we be doing this anyway??
All animals are equal, but some animals are more equal than others.