Congressional systems facing cyber attacks on all fronts

With the tremendous rise in security events observed by security administrators for both the Senate and House of Representatives, Congressional leaders are facing the reality that they need to do more to secure systems, data, and computing devices. Senate Sergeant-at-Arms Terrance Gainer provided some insight into the magnitude of the security problem while requesting an increase in his operating budget, including an additional $1 million to strengthen security. The problems stem from factors ranging from the high visibility that Senate and House systems offer to attackers to a general lack of security awareness among Congressional members and staffers alike. The trend of rising security incidents is pervasive across the federal government, with the number of incidents reported to the U.S. Computer Emergency Readiness Team (US-CERT) more than tripling between 2006 and 2008 and providing some counter-evidence to any suggestions that federal information security is improving under FISMA. Still, the rise in security events reported for the Senate was 20,000 percent between 2008 and 2009. Of course, a security “event” is different from an incident, and the vast majority of the activity seen by the Senate is handled by the security measures put in place to provide just that sort of protection. However, even if you accept the premise that legislative data is more interesting or valuable as an attack target, it is hard to fathom that there aren’t some fundamental (if unknown) aspects of the security of Congressional networks that make them so attractive.

Whatever you believe about the effectiveness of federal agency security regulations, guidelines, and standards promulgated by NIST under the authority delegated to it by FISMA, it is at least interesting to note that legislative offices, systems, and data are not subject to any of the obligations imposed on executive agencies by the very laws that Congress has enacted. Even with common standards and guidelines, the specifics of federal information security management practices vary significantly among agencies, not coincidentally because each agency is responsible for making its own risk-based determinations of which of the threats, vulnerabilities, and risks it faces would result in an impact significant enough to demand mitigation. Congressional systems and security administrators support a group of users (members of Congress and their staffs) as demanding as any in the government, who have shown reluctance to adopt even basic security measures if they interfere with convenience. It’s also hard to imagine another part of the federal government in which active distrust among co-workers is so pervasive: among members of different parties, across different committees, and even between the two houses of Congress. Given this active threat environment, perhaps those in the legislative branch should follow some of the same advice they’ve put into words in the legislation they’ve written, and take a more proactive approach to risk assessment, incident response, and evaluation of the effectiveness of security controls.