Read the original article: Congress’s IT Infrastructure Is a Disaster Waiting to Happen—Here’s How to Start Fixing It
The Jan. 6 attack on the U.S. Capitol was shocking for several reasons: the effort to subvert the democratic process, its incitement by a sitting president, and the chaos and violence that ultimately left five people dead.
Although less immediately obvious, the list of cybersecurity concerns stemming from the attack is also daunting. A mob had unfettered physical access to congressional offices for several hours. Electronic devices—including at least two laptops—were stolen. Photos from the scene indicate that congressional staffers fled so quickly that at least one computer was left unlocked, with emails still visible on the screen. Any sensitive information compromised, accessed, or removed during the attack could potentially be extracted and exploited.
Over a month after the insurrection, the significance of the cybersecurity-related damage is still unknown. While at least one person has been arrested in connection with the theft of a laptop, the devices still appear to be missing. Congress’s information technology (IT) professionals have undoubtedly been working long hours to scan networks and clean computers, but it remains to be seen what remediation efforts will find. A final answer may never be made public.
Regardless, as much as the Jan. 6 attack was a wakeup call that the Capitol’s physical security systems and emergency protocols were inadequate, it’s now just as clear that its digital systems need to be shored up as well.
The simple fact is that Congress’s IT woes have been a long time coming. While members of Congress have roundly criticized federal agencies—such as the Office of Personnel Management, after that agency’s systems were breached by foreign actors—the Hill’s cybersecurity protocols have long lagged far behind. Partially contributing to this lag in congressional cybersecurity is Congress’s decentralized structure, which has been compared to 535 small businesses or even virtual “fiefdoms.” While there are some common IT standards and a shared network across the House and the Senate, many technology-related decisions are made by individual congressional offices—from procuring devices to staff structure and resource allocation, across both district and D.C.-based offices. This results in a “potpourri” of different devices and protocols, and encourages fragmented security practices. That’s not necessarily bad: Introducing network segmentation, for example, can help prevent malicious actors from moving effortlessly from one office to the next. But without adequate cybersecurity standards or external incentives, there is a great risk that congressional offices will deprioritize cybersecurity in favor of saving time or money.
However, the short-term benefits of cutting corners on cybersecurity pale in comparison to the enormous risks Congress incurs as an institution. There are numerous reasons why a digital breach of Congress is a huge concern. First is the standard fear that classified or otherwise highly sensitive national security information could be compromised. This would be most worrisome in committees that handle matters pertaining to intelligence, armed services, homeland security and the judiciary. Second is the fear that personally identifiable information of staff and constituents could be stolen, such as Social Security numbers or confidential casework information. Finally, there’s the sheer amount of information that passes through Congress’s halls. For any foreign adversary with big data-processing capabilities, this is a veritable treasure trove of information on everything from the movement of members to scheduled trips abroad, and from sensitive legislative priorities to private records of citizens and corporations obtained via subpoena.
All of this data should be secured. While taking action now won’t retroactively secure Speaker Nancy Pelosi’s missing laptop—or fix the problem of attackers having physical access to Capitol devices—starting the process of mitigating Congress’s most immediate technical vulnerabilities now can help prevent future disasters. Luckily, Congress won’t need to start from scratch to do so: Bipartisan security champions in and around Congress have long been pushing to modernize its IT infrastructure and secure its operating protocols. Congress should take this opportunity to enshrine the fundamentals of cyber hygiene, promote various enterprise-level upgrades that would help create a higher base-level of security on the Hill, and elevate the culture around cybersecurity within Congress.
Fundamental Cyber Hygiene
Ensure offices are equipped with the tools to follow cyber basics. The long-established truth is that Congress often has not institutionalized even basic practices that would improve security standards on the Hill. Some of this is because shortcuts make short-term sense in terms of saving both money and time. Sen. Ron Wyden has led a campaign for years to toughen up routine cyber hygiene practices in the Senate, from pushing the implementation of two-factor authentication measures, to calling for encryption on Senate devices, to requesting better disclosure policies when offices are breached. Despite efforts by Wyden and others, the state of basic cybersecurity measures in Congress today is