Hill staffers should take this week’s hacker attack against an email newsletter service commonly used by congressional offices seriously, experts say.
Although the leaked log-in information is outdated, cybersecurity experts contend that hackers could use the expired passwords to try to crack into Hill staffers’ personal email, online banking and social media accounts.
“The problem here is there are very few people who have a different user name and password for every service they use,” said Stewart Baker, a former Homeland Security Department official and partner at law firm Steptoe & Johnson. “The risk I see here is that some of those passwords may be the passwords they’re using for more sensitive systems.”
The iConstituent log-in information posted to a website by the hacker was taken down on Friday.
Jacob Olcott, a former Hill staffer and principal at cybersecurity consulting firm Good Harbor, said the exposure of the email addresses could be used to target spearphishing attacks against congressional aides. Spearphishing is a method commonly used by hackers to obtain people’s passwords and other information for their email and social media accounts.
The hacker carries out the attack by sending a person a malware-laced email message that appears to be from someone they know. The email message prompts them to click on a malicious link or attachment, which allows the hacker to siphon their account data.
Experts say staffers should consider the breach a warning and take steps to beef up their online hygiene.
The Senate sergeant at arms and the House chief administrative officer, who oversee the security of Congress’s networks, told staffers on Thursday that the security breach didn’t affect their House and Senate email accounts. The two offices encouraged staffers to change their passwords on Facebook, Twitter and other web services if they matched the ones used for iConstituent.
House staffers who use the iConstituent e-newsletter service will have to change their passwords for the House network.
Senate Sergeant at Arms Terry Gainer said the U.S. Capitol Police and FBI are investigating the breach.
This attack shows Congress needs to do a better job of monitoring the cybersecurity practices of the third-party technology companies with which it contracts, experts say.
“You don't just have to worry about what you're doing to protect yourself. You have to worry about the third parties you're doing business with,” said Brian Finch, the head of law firm Dickstein Shapiro’s global security practice. “They can be an avenue of an attack just as much as a direct attack on Congress.”
Congress is a key target for hackers because of the sheer amount of information that House and Senate offices have, information that offers a peek into U.S. policymaking and the thinking of top U.S. decision-makers. Foreign countries and intelligence services could snoop into a committee or lawmaker’s office network to find information on U.S. military operations and the budget, draft legislation or upcoming hearing testimony from top officials.
There’s also enticing information for Anonymous and other hacker groups, which have exposed data to publicly embarrass their victims and show off their hacking skills. These renegade hacker groups have also launched attacks to protest a policy issue or promote a cause.
In this week’s attack against the iConstituent servers, the hackers said they wanted to warn Congress that they’re closely watching how lawmakers respond to the revelations over two National Security Agency surveillance programs.
“I think our experience over the last decade has [shown] the things you used to worry about Russian spies doing, you have to worry about kids with strong views on issues doing today,” Baker said.
Because of its high profile and wealth of data, Congress faces the same cybersecurity challenges and risks as federal agencies and critical infrastructure like banks and the electric grid, according to Finch.
“They're going to attract the attention of some of the more sophisticated attackers in the world, and at a certain point if someone wants to get in, they will,” Finch said.
“If you do enough sophisticated attacks with enough resources behind it, one of them is going to get through,” he added.