A major tech company has informed “a number of senators and Senate staff members” that foreign government hackers have targeted their personal email accounts, according to Sen. Ron Wyden.
In a Sept. 19 letter to Senate leadership, Wyden, D-Ore., did not name the company or identify the foreign hackers, but he did warn that the publicly reported activity of a Russian government-linked hacking group may be just “the tip of the iceberg” when it comes to advanced cyberthreats to lawmakers.
The group, often referred to as Fancy Bear, breached the IT networks of the Democratic National Committee in 2016 as part of a coordinated hack-and-leak operation that the U.S. intelligence community attributed to Moscow.
“The November election grows ever closer, Russia continues its attacks on our democracy, and the Senate simply does not have the luxury of further delays” in shoring up its cybersecurity, Wyden wrote to Senate Majority Leader Mitch McConnell, R-Ky.; Minority Leader Chuck Schumer, D-N.Y.; and Sens. Roy Blunt, R-Mo., and Amy Klobuchar, D-Minn., the chairman and ranking member of the Senate Committee on Rules and Administration.
Wyden said he will introduce legislation to better protect the personal devices of lawmakers from malicious cyber activity.
The Oregon Democrat also asked the Senate leadership to “poll senators and staff in [their] respective caucuses” to figure out how many of them were told by tech companies that their email accounts have been in the crosshairs of foreign government hackers. In one example of that, Google recently told Sen. Pat Toomey, R-Pa., that nation-state hackers may have tried to breach old email accounts associated with his campaign.
The letter raises fresh concerns about Fancy Bear’s activity just weeks before the midterm elections. In July, the Daily Beast reported that Fancy Bear had tried to phish the staffers of Sen. Claire McCaskill, a red-state Democrat up for re-election. U.S. officials have repeatedly said that Moscow will continue to try to meddle in American democracy.
The personal devices of executive-branch officials and lawmakers are logical targets for hackers looking to extract sensitive information. The personal email account of White House Chief of Staff John Kelly, for example, has been hacked, BuzzFeed News confirmed in June.
Fancy Bear also reportedly targeted congressional staff in 2015 and 2016, and Wyden said in his letter that the probing was of personal, not government, email accounts. Wyden also cited an April 2018 letter he received from Michael Rogers, then head of the National Security Agency, stating that the personal devices and accounts of senior U.S. officials “remain prime targets for exploitation.”
But while Congress has authorized the Pentagon to protect the personal devices of senior officials, according to Wyden, lawmakers have not taken decisive action to guard their own personal accounts from hackers. He expressed “serious concern” that the Senate Sergeant at Arms (SAA) “apparently lacks the authority” to help lawmakers defend themselves from sophisticated hacking attempts.
“Given the significance of this threat, I was alarmed to learn that SAA cybersecurity personnel apparently refused to help senators and Senate staff after these attacks,” Wyden wrote. “The SAA informed each Senator and staff member who asked for help that it may not offer cybersecurity assistance for personal accounts. The SAA confirmed to my office that it believes it may only use appropriated funds to protect official government devices and accounts.”
The Oregon Democrat said he will introduce a bill to empower the SAA to defend senators and their staff from sophisticated cyberattacks. The legislation will give lawmakers “cybersecurity assistance” on an “opt-in basis,” Wyden said.
In a statement to CyberScoop, an SAA official said the office “follows industry best practices to provide state-of-the-art cybersecurity defenses against malicious attacks. We take this protection very seriously with appliance protection on the network and assisting staff with best practice education seminars.”
The official said the SAA does not comment on “the active defense of our system, the protections we have in place and how we protect our devices.”
You can read the full letter from Wyden to Senate leadership below.
UPDATE, 6:00 pm, EDT: This story has been updated with a statement from a Senate Sergeant at Arms official.
Letter: http://www.documentcloud.org/documents/4910705-Wyden-Member-Personal-Email-Cybersecurity-Letter.html