Senate IT Tells Staffers They're On Their Own When It Comes To Personal Devices And State-Sponsored Hackers
Notification of state-sponsored hacking attempts has revealed another weak spot in the US government's defenses. The security of the government's systems is an ongoing concern, but the Senate has revealed it's not doing much to ensure sensitive documents and communications don't end up in the hands of foreign hackers.
The news of the hacking attempt was greeted with assurances that nothing of value was taken.
That gap in security was brought front and center for Senate IT staffers on Jan. 12, when cybersecurity firm Trend Micro announced findings that seven months earlier, the same Russian government hacking group responsible for hacking Democratic Party targets in 2016 had created a phishing campaign that specifically targeted Senate staffers' emails.
There's no indication that the attempts were successful, and Trend Micro immediately alerted the FBI and the Office of the Sergeant at Arms, the agency responsible for Senate security, the firm said. Hours after Trend Micro's report, multiple Senate staffers told BuzzFeed News, the sergeant-at-arms called a private meeting of Senate IT personnel to assure them that there was no real threat, as it had blocked the avenues the hackers would have tried to use.
It blocked those avenues, but Senate IT left a lot of other avenues wide open. According to the BuzzFeed report, those in the meeting were told the protections offered would not extend to personal devices or personal email accounts. This makes some sense: personnel have a responsibility to keep their own devices and accounts as secure as possible if they're going to use them for government work.
Laws and policies have been put in place to deter people from taking their sensitive work home with them. But they address a problem government agencies often exacerbate by treating employees as always on duty, even when they're off the clock. Multiple top government officials have been caught storing sensitive documents on private devices or in private accounts. Hillary Clinton underwent an FBI investigation because of this. Two years ago, a teenage hacker got hold of documents detailing US military operations by gaining access to the CIA director's AOL account.
So, drawing a line at personal devices seems like the right thing to do, but only if you ignore the attack vectors left open by this policy. Even banning personal devices from government offices has its problems -- going far beyond the fact that this policy is pretty much unenforceable when there are thousands of staffers to keep an eye on.
Reached for comment, a sergeant-at-arms representative declined to give a formal statement, but told BuzzFeed News that its cybersecurity team's specific directive is to protect Senate email accounts and Senate-issued devices.
But that could be a problem if a Senate staff member - there are thousands - uses a Senate device to also access personal email. If the staffer downloads a malicious program from personal email on a Senate-issued computer, that program could gain access to the device.
So... I don't know... throw the CFAA at them? [I'm joking, DOJ. Please don't do this.] There's no great solution to this problem. You can push the responsibility back on the person who became the attack vector, but that just leaves sensitive government systems as weak as the weakest person with access. And employees should rightfully be wary of government attempts to "secure" devices and accounts, which could lead to lots of snooping into non-government communications.
It's impossible to secure everything but Senate IT shouldn't be so quick to wall off personal devices and accounts. Ignoring attack vectors doesn't solve the problem. Consistent enforcement of policies governing the handling of sensitive documents and communications might reduce the chances of a breach. But the problem remains the government's to deal with. As a former White House staffer notes in the article, the tools government employees need to do their jobs effectively aren't all supplied by the government. Many are supplied by third parties and may only run (or run well) on personal devices. The government can't be expected to be all things to all employees, but maybe it should consider extending its protective services to the devices and accounts it unofficially expects staffers to use.