In recent years we’ve discovered that even the parts of the government you’d expect to maintain the most secure computer networks—from the Office of Personnel Management to the National Security Agency—were embarrassingly vulnerable to being hacked and having highly sensitive data exfiltrated. So perhaps it shouldn’t come as much surprise that the United States Congress isn’t exactly a model of cybersecurity either: Earlier this month, we learned that the legislative branch’s Office of Compliance (OOC) had until very recently been storing its records of sexual harassment complaints and settlements on an insecure server operated by a contractor. In a blistering letter to the OOC written back in February, Sen. Ron Wyden (D-Ore.) noted that the server had never undergone a cybersecurity audit, and charged that the office had failed to implement even “rudimentary defensive network-security best practices.”
Wyden’s focus in his letter was, understandably, on the threat this posed to anonymity of those who register complaints about workplace harassment. But at a time when “kompromat” has become a commonplace part of our political lexicon, many readers will naturally think of a very different sort of risk: For the most sophisticated network infiltrators, employed by foreign intelligence agencies, the real appeal of such data would be its potential for selectively embarrassing, or exercising leverage over, members of Congress and their senior staffers.
Details of several such complaints and settlements—including supporting documentation—have recently become the subject of press reports, and amid the #MeToo wave of sexual misconduct by powerful men coming to light, it was natural enough to assume that these stories originated with newly-emboldened victims or whistleblowers. In many cases, however, we just don’t know how the relevant documents found their way into the hands of the press—and in 2018 it seems impossible to rule out data exfiltration.
You might think the Hill would be more attuned to such threats given the role high-profile hacks of the Democratic National Committee and Hillary Clinton confidante John Podesta played in the 2016 presidential election, but as an article in The Hill last year observed, a highly decentralized approach to information technology means the quality of network security varies enormously from office to office. And as anyone who watched the recent Congressional hearings on Facebook’s data exfiltration troubles will appreciate, legislators themselves are not the most tech savvy group. Which all makes it seem terribly unlikely that Congress has escaped unscathed, as some of even the world’s largest corporations have suffered embarrassing breaches.
The Hill’s own computer networks aren’t the only attack surface for a kompromat collector, of course. Earlier this month the Department of Homeland Security formally confirmed what intel and infosec geeks have long known: D.C. is positively lousy with “stingrays” or “IMSI catchers”—surveillance devices that impersonate cell phone towers in order to vacuum up data from nearby mobile devices—which most experts assume are operated by foreign governments for intelligence purposes. Routinely used by law enforcement to track the location of suspects, stingrays can also be configured to gather communications metadata or even some content. The next generation of mobile devices is expected to provide better security, but even then, the need to maintain backwards compatibility with older networks means ordinary consumer devices are likely to be vulnerable via downgrade attacks for years to come.
In 2016, the news cycle was dominated by stories about Hillary Clinton’s unwise use of a private email server to communicate about classified matters. It was newsworthy precisely because it was aberrant: Government officials with security clearances are expected to use highly secure computer networks and specialized, secure communications devices—not the ordinary insecure stuff average Joes and Janes employ. Yet foreign intelligence agencies aren’t only interested in classified information, as should be clear from one of the questions that has dominated the past year’s news cycle: Does Russia have “kompromat” on Donald Trump? The question is seen as urgent precisely because it’s so obvious that embarrassing personal information about the president of the United States might be just as valuable to a foreign power as anything marked TS/SCI. That’s one reason security experts clucked their tongues last year when it became apparent that Trump had continued using an insecure personal phone even after taking office.
That makes it odd we don’t see many folks taking the logical step of extending that concern to other political actors. Compromising information gleaned from a powerful legislator’s computer network or personal device would obviously have similar value—whether as a source of leverage, a weapon against a proponent of inconvenient policies, or a means to earn the gratitude of the legislator’s political adversaries. Given what appears to be the low level of information security on the Hill, we probably don’t need to ask whether such information has been gathered by foreign intelligence services. Instead, we should be asking what use is made of it.