House ethics cop ups security to halt leaks

The House’s new Office of Congressional Ethics instituted extensive computer security measures used by law enforcement and the intelligence community when it set up its office early this year.

The new ethics police’s security system was designed to prevent any information about members’ or staffers’ activities gathered during an investigation from leaking to the public.

Office of Congressional Ethics (OCE) Staff Director Leo Wise consulted with House Information Resources and drew on experience in his previous position as counsel to the assistant attorney general in charge of the Justice Department’s Criminal Division to create a system to protect the identity of members under investigation and safeguard information gathered during reviews.

“The resolution that created the OCE directed us to establish procedures to prevent the unauthorized disclosure of any information received by the office,” Wise said in a statement. “As a result, that was and remains one of our top priorities.”

An ethics committee document exposing ongoing investigations into the conduct of more than two dozen members, as well as staffers, ended up in the hands of The Washington Post last week after a low-level staffer working from home on a personal laptop used a peer-to-peer file-sharing program that provided unauthorized access to the ethics document.

The unusual leak rocked Capitol Hill, despite reassurances offered on the floor Thursday evening by ethics committee Chairwoman Zoe Lofgren (D-Calif.) and ranking Republican Rep. Jo Bonner (Ala.) that computers remained secure. Panicked members named in the documents scrambled to find out how such an egregious security breach could occur.

Speaker Nancy Pelosi (D-Calif.) and Minority Leader John Boehner (R-Ohio) issued a rare joint statement Friday evening announcing that the Office of the Chief Administrative Officer’s Security Department would perform an “immediate and comprehensive assessment” of the security policies governing computers in the House.

House rules require employees to protect sensitive information from unauthorized use. Employees who telecommute must sign an agreement before starting to work from home. Telecommuting rules specifically bar House employees from using personal computers for work. They also must agree to “maintain system security.” Ironically, any alleged violation of these policies would be sent to the ethics committee for review and possible punishment.

The OCE instituted additional safeguards to prevent unauthorized or accidental information leaks. In response to a request by The Hill, Wise provided answers to questions about the OCE’s security measures in consultation with the office’s system administrator, who determined that he did not provide any information that would compromise the security of these measures.

The OCE, a quasi-independent ethics board made up mostly of former members of Congress, is the brainchild of Pelosi, who pushed for an added layer of ethics oversight after Democrats won the majority in 2006. It is charged with reviewing suspected ethics rules violations and complaints and making recommendations to the full ethics committee for further investigation and action.

Some of the material exposed in the ethics committee’s accidental leak included information from OCE investigations that the ethics office had forwarded to the full committee for review.

The OCE purchased laptops for all eight board members and investigative staff and uses what is known as a terminal server to protect all sensitive material and information. The laptops have encrypted hard drives, and documents and information can only be stored on the terminal server, not on the laptop itself.

In this way, the laptops serve only as a shell and a means of accessing the terminal server, and no applications or documents can be stored on the laptops themselves. The Justice Department and other law enforcement and intelligence agencies use a similar system. Even if a laptop were stolen out of a board member’s or staffer’s house, there would be no information on it to be compromised.

For additional security, everyone issued an OCE laptop also receives a key fob that unlocks the computer. The password on the key fob changes every 30 seconds and provides access only when coupled with a personal PIN. If the key fob is stolen, it cannot provide access without the user’s personal PIN.

No unauthorized software, including peer-to-peer file-sharing programs, can be installed on these computers or the terminal server. The laptops also do not have the power to print. Any printing must be done in the OCE’s office.

The OCE also uses the same method as the intelligence committees to destroy documents. Board members and staff place any sensitive material into a “burn bag” available at each workstation. Each night, House Sergeant at Arms employees retrieve the papers and destroy them using a pulverizing technique, which is more secure than shredding and turns the paper into pulp.

The OCE assigns numbers instead of the names of members and staffers to the open cases. Most process-oriented OCE documents refer to the case numbers instead of names.

The OCE also is extremely cautious about the use of e-mails, which are sent only for routine scheduling and procedural messages. All other work and drafts are conducted on the terminal server, over secure conference calls or in person.

Before board meetings, the OCE has the Sergeant at Arms sweep the conference room for any recording devices.

The ethics committee did not respond to an inquiry about the security safeguards it had in place before last week’s breach or any additional steps taken to ensure security afterward.

The bill creating the OCE barely passed the House last year in the face of serious opposition from Democrats and most Republicans.

Proponents argue it is needed to fix a broken, members-only ethics committee, which rarely punished members in any way unless compelled to do so by a formal complaint from another member or after intense public scrutiny.

The ethics committee has 45 days after receiving a recommendation from the OCE to review the matter before it must publicize the OCE’s report and recommendations. The ethics panel also has the option of extending that period an additional 45 days.