Senate staffers are not required to undergo information security or cybersecurity training, even as hackers target Congress.
“The cybersecurity threat is very real, and frankly we haven’t stepped up and done what I think we should do to deal with it — which should be an all government response,” Senate Majority Whip John Cornyn of Texas said when asked Tuesday about attempted hacks of Senate networks.
But Republicans and Democrats on the Rules and Administration Committee are working with the Sergeant-at-Arms to reinstate mandatory training for all Senate staff, according to a committee spokesperson and another Senate aide.
The House mandated information security training for employees in early 2015, which all network users are required to complete annually. The Senate does not have a parallel mandate, but it once did.
In July 2016 Sen. Roy Blunt of Missouri, chairman of the Rules and Administration Committee, issued a letter requiring training. But that requirement was not maintained when he left the panel in January 2017 and Alabama Republican Richard C. Shelby took the gavel.
Staff familiar with the change said the requirement lapsed as lawmakers worked to improve the training itself and the system for tracking it.
The reasoning was that the training modules were not easily updated to address the latest concerns and new technology. The lack of a Senate-wide tracking system that monitored who had been trained and who had not also proved complicated.
Blunt, who regained the chairmanship in April 2018 when Shelby took the top slot at the Appropriations Committee, wants to see the requirement reinstated, an aide said.
The SAA’s office is in charge of many of the technology support services in the Senate and offers regular cyber awareness trainings to staff in lawmakers’ offices, on committees and back home in the states. Sergeant-at-Arms Michael Stenger said in May the SAA had hosted 52 such seminars since the start of 2017.
Sen. Amy Klobuchar, the top Democrat on the Rules panel, credited the education with preventing some recent attempted attacks.
“From what I’ve learned, they didn’t actually hack into the system,” the Minnesotan said Tuesday.
Staffers for Democratic Sen. Claire McCaskill of Missouri thwarted an attempted phishing attack last year, in which the target received an email to change a password, leading to a malicious site that mirrored the legitimate Senate login page.
Sen. Jeanne Shaheen’s office has been the target of at least one phishing attack for email and social media accounts, the New Hampshire Democrat said Sunday.
There are thousands of users with access to the Senate networks, but policies vary among offices. Turnover, including thousands of interns cycling through each year, makes enforcement of a blanket security policy a challenge.
Lawmakers boosted funding for SAA efforts to bolster Senate networks in fiscal 2018 by $12.5 million, and added $4 million for senators’ office accounts focused on staff-level measures.
The infusion of funds will allow the SAA to work toward warding off new and evolving threats to the Senate systems, according to an aide.
The Rules Committee may move to protect election infrastructure before mandating training for Senate staff. Blunt and Klobuchar said Tuesday that the panel will mark up a bill, known as the Secure Elections Act, when the Senate returns from their one-week recess.
“I think we can be confident that the things that need to be happening to secure an election are happening right now for this year,” said Blunt Tuesday.
The panel would take up the bill the week of Aug. 13.
The proposal, sponsored by Klobuchar and Oklahoma Republican James Lankford, would disburse grant money to states to harden cybersecurity protections on voting and election systems. It also has the backing of Sens. Richard Burr of North Carolina and Mark Warner of Virginia, the top Republican and Democrat, respectively, on the Senate Intelligence Committee.
“State and local officials are both answerable and responsible for what happens on election day,” Blunt said.
Griffin Connolly contributed to this report.