March 27, 2019

Wyden, Cotton Introduce Bipartisan Bill to Protect Personal Devices and Accounts of Senators and Staff from Cyber Threats

Washington, D.C. – U.S. Sens. and members of the Senate Intelligence Committee Ron Wyden, D-Ore., and Tom Cotton, R-Ark., today introduced a bipartisan bill to protect the personal electronic devices and accounts of senators and their staff from cyber threats.

The Senate Cybersecurity Protection Act, S. 890, would permit the Senate Sergeant at Arms (SAA) to provide voluntary cybersecurity assistance to senators and certain Senate staff to secure their personal devices and accounts. Russia’s actions in the 2016 election laid bare how state-sponsored hackers and intelligence groups could target personal and private devices and accounts to influence American politics.  

The SAA, which is responsible for the Senate’s cybersecurity, has stated that it is prohibited from using public funds to help protect non-government issued devices and accounts. The SAA has cited the statutory restrictions on its use of official funds to justify its refusal to provide senators and staff with assistance or advice, even after Google warned them their personal accounts had been targeted by foreign government hackers.

“Cybersecurity experts agree – malicious foreign entities used targeted hacks to influence the 2016 election to their benefit, and these attacks are only going to grow more frequent and sophisticated,” Wyden said. “Hackers don’t differentiate between the official and personal devices of elected officials and their staff. The Senate doesn’t have the luxury of ignoring the changing landscape of cyber-attacks. No one should play politics when the future of U.S. democracy is on the line.” 

“Our enemies will take advantage of every opportunity to undermine our democracy, and the personal devices of Senators and their staff are no exception. As the threat of cyber-attacks continues to grow, so must our ability to defend against them,” Cotton said. “Our bill will ensure that our cyber defenses are hardened as we continue to do the work of our constituents here in the Senate.”

The bill has been endorsed by cyber and election security experts and advocates alike, including Demand Progress Action, Seminar Network Institute, R Street Institute, Public Citizen, Dragos Inc., and Lincoln Network.

“Nation state hackers are threatening our democracy and policy making process by targeting the personal devices of senators and staffers,” said Adam Segal, Director of Digital and Cyberspace Policy Program for the Council on Foreign Relations, speaking in his personal capacity. “Individuals will never be able to defend themselves against state supported hackers without help, and the Senate Cybersecurity Protection Act of 2019 recognizes the legitimate interest in protecting these devices and accounts and provides a solution that makes good use of tax dollars.”

“This is just common sense,” Paul Rosenzweig, Senior Fellow at the R Street Institute, said. “We need to protect the people engaged in our legislative functions – and it shouldn’t matter whether they are using their ‘official’ USG computer or a personal device.  It’s the person, not the thing, that matters.”

“We are well past the time when the front-lines of the online battle between the United States and our adversaries only reached large corporate and government networks,” Alex Stamos, Director of the Stanford Internet Observatory and Visiting Scholar at the Hoover Institution, said. “One of the lessons of the campaign against the 2016 election is that the personal systems and accounts of anybody involved in our democracy, whether as an elected official, staffer or political operative, is considered fair game. This bill is a good start towards protecting the weak spot in America's defenses and I'm happy to see Senator Wyden and Senator Cotton continue their leadership in this area.”

Wyden and Cotton sent a letter to the SAA earlier this month urging them to take potential hacks on Senate computers and cell phones seriously, requesting annual reports on when Senate devices have been compromised and timely notification to Senate leadership and all members of the Senate Committees on Rules and Intelligence of any breaches on Senate computers. 

Wyden also wrote to Senate leadership on September 2018 regarding concerns around the SAA’s lack of authority to defend the Senate against cyber-attacks. In December 2018, after a letter from Wyden, the Federal Election Commission greenlit the use of leftover campaign funds to secure the personal devices of members of Congress. 

The bill text can be found here. A summary of the bill can be found here.

Additional endorsements include:

Jeremy Gillula, Tech Projects Director, Electronic Frontier Foundation: "When hackers target our government, they don't just target official government accounts. They also target the personal accounts of Senators, staff, and employees, since personal accounts are often easier targets. This bill will help ensure that those targets are hardened, thus helping protect our democracy from cyber-attacks."

Heather Adkins, Senior Director, Information Security, Google LLC: "As the threat of state-sponsored attacks in cyberspace continues, hackers are targeting both the professional and personal accounts of elected officials and public servants to exploit sensitive information. The Senate Cybersecurity Protection Act would enable the Senate Sergeant at Arms to provide Senators and their staff critical cybersecurity assistance so they can protect their personal accounts and devices from malign threats. We commend Senators Wyden and Cotton for introducing this legislation and look forward to supporting its passage."   

Bruce Schneier, Fellow and lecturer, Harvard Kennedy School: “It is ludicrous to expect individual senators and their staff to to defend themselves from spies and hackers. Hostile foreign intelligence services do not respect the arbitrary line between work and personal technology. As such, the U.S. government must extend its defensive cyber perimeter to include legislators' personal devices and accounts. This bill is a great first step.”

Riana Pfefferkorn, Center for Internet and Society, Stanford Law School, speaking in her personal capacity: “When it comes to our elected representatives’ accounts and devices, hackers don’t draw a line between official and personal, so why should the office charged with protecting them? This bill would close an important gap in the cybersecurity assistance available to Senators and their staff.”

Dr. Lorrie Faith Cranor, Director and Bosch Distinguished Professor in Security and Privacy Technologies, CyLab, Carnegie Mellon University, speaking in her personal capacity: “Individuals often do not protect their personal accounts and devices adequately, and may inadvertently leak information that may be used to attack government resources. By allowing Senators and their staff to seek cybersecurity assistance from the Senate Sergeant at Arms for their personal devices and accounts, we can reduce the risk to government resources.”

Eric Rosenbach, Co-Director, Belfer Center for Science and International Affairs, Harvard Kennedy School: “I enthusiastically support the proposed bipartisan ‘Senate Cybersecurity Protection Act.’ Allowing the Sergeant at Arms to provide training and support for personal accounts is an important step in mitigating foreign adversaries’ ongoing attempts to conduct cyber-attacks and espionage against Senators’ and staffers’ personal devices. Senators and their staff should not be expected to go toe to toe with some of the most sophisticated adversaries in cyberspace; authorizing protection of personal accounts is a critical component of our cyber defense efforts.”

Lesley Carhart, Principal Threat Analyst, Dragos, Inc: “Personally-owned devices and accounts pose a well-known cybersecurity risk in commercial business - providing adversaries a simpler vector to access sensitive data by bypassing egress filtering, intrusion prevention appliances, or malware protection. It is a foregone conclusion that adversaries are considering or actively exploiting personal devices and accounts as a means to target elected officials and their staff. It is therefore crucial that members of Congress be provided tools, education, and resources to defend their personal accounts and devices from compromise.”

Daniel Schuman, Policy Director, Demand Progress Action: “Members of Congress and their staff are obvious targets for malign hackers and our current system of protecting only their official accounts creates systematic vulnerabilities that we can ill afford. Sen. Wyden's legislation adopts a 360 degree approach to addressing cyber-threats to Congress and will help close a gaping hole in our security.”

Neil Chilson, Senior Research Fellow, Technology & Innovation, The Seminar Network Institute: “This bill shows that there is broad, bipartisan agreement on strengthening data security protections, even among people who disagree on how to protect privacy more generally. We support this bill and believe its focus on an area of broad agreement demonstrates a path forward for any future federal privacy legislation.”

Craig Holman, Ph.D, Government affairs lobbyist, Public Citizen: “The federal government is under a growing wave of cyberattacks. The Russian and Chinese governments have honed their cyber technologies to eavesdrop and even disrupt our Internet communications networks. And now there is evidence that Iran and other nations are joining the fray. This legislation is a commonsense response to protect members and staff of the senate from these threats, all the while safeguarding our national interest. The cost is minimal and the benefits are great.”

Zach Graves, Head of Policy, Lincoln Network: “It’s more important than ever that Congress take proactive steps to protect itself from cyber threats, which each year are growing increasingly numerous and severe. This legislation would be a wise investment for taxpayers, and would go a long way to protect the integrity of our democratic system of government from malicious actors."