US Senate Staff Targeted By State-Backed Hackers, Senator Says

An anonymous reader quotes a report from PBS NewsHour: Sen. Ron Wyden, an Oregon Democrat, said in a Wednesday letter to Senate leaders that his office discovered that "at least one major technology company" has warned an unspecified number of senators and aides that their personal email accounts were "targeted by foreign government hackers." Similar methods were employed by Russian military agents who leaked the contents of private email inboxes to influence the 2016 elections. Wyden did not specify the timing of the notifications, but a Senate staffer said they occurred "in the last few weeks or months." But the senator said the Office of the Sergeant at Arms, which oversees Senate security, informed legislators and staffers that it has no authority to help secure personal, rather than official, accounts. "This must change," Wyden wrote in the letter. "The November election grows ever closer, Russia continues its attacks on our democracy, and the Senate simply does not have the luxury of further delays."

Lessons not learned?

[MiniMike]

If anybody who works for a high profile hacking target like a senator still uses their personal e-mail for work related business, they're a complete idiot.

Looking forward to the next round of leaks...

Re:Lessons not learned?

[Anubis+IV]

Well, then, it strikes me that they have two options:

1) Have the integrity necessary to not engage in personal behavior that runs contrary to your public image. Good luck with that.

2) Use some balance of carrots and sticks to encourage services to better protect our data/not keep it in the first place, but also provide more teeth for going after the bad guys.

They can do both if they want, but they don’t get to institutionalize the routine violation of our right to privacy and then complain about the situation when theirs is violated.

Re:Lessons not learned?

No one said they were using their personal e-mail for work related business. The problem is that these people buy porn and organize hunting trips, and details are in their personal e-mail. Basically they have things to hide.

Even if people have nothing illegal or even unethical to hide, they have privacy, can be embarrassed, can feel threatened, have family and personal relationships that can be targeted for leverage, have financial situations that can be exploited and in the age of GPS devices movements can be targeted which can leave people open to well targeted attacks or attempts to make contacts for espionage.

I mean as a national security professional how would you feel if agents of a foreign power know that your wife picks the kids up from soccer on Tuesdays at 4pm? Or you meet your friends for a pint on Fridays at 3:30 down at the pub? Or that you really really need that equity loan to refinance your debt next Tuesday.

Treating state sponsored hacking like some personal problem or just fodder for sex scandal reporting is terribly misguided. The targeting of the personal emails of government workers and contractors is a national security threat not some shame on those individuals or the private companies that are targeted.

"Securing" (whatever that means) non governmental accounts shouldn't be the only issue... the FBI should be treating the targeting of personal emails of government employees and national security professionals by foreign governments as part of espionage investigations above and beyond the Federal crime of unauthorized access to these systems.

And the primary goal shouldn't be token convictions or criminal charges against people that live in other countries, but preventing these threats in the future by what means are proportionate and necessary.

Don't worry

All indications are that all but 15 of the Senators use their personal accounts for official business.

The 15 are confirmed to still be at Western Union sending telegrams.

Re:Don't worry

[VeryFluffyBunny]

Why is it that US senators are so reluctant to use their official email accounts for official business? Why don't they want those email exchanges to go down on public record?

Re:Don't worry

[RespekMyAthorati]

Why don't they want those email exchanges to go down on public record?

Guess.

Re:Don't worry

[VeryFluffyBunny]

The question was rhetorical.

Well...duh.

[argStyopa]

1) It's unsurprising that this was floated by a Democrat, whose party has been essentially asserting that the Russians stole the election by unspecified "hacking" (leaving furrows in the turf as the goalposts constantly shift on what THAT means).
2) Nevertheless ... the idea that Senate offices/staff may be the targets of nefarious hacking attempts (regardless of party affiliation) is really so obvious that it falls into the "don't run with scissors" category.

I know the men and women of our government are oblivious and at least 1.5 decades behind any technological curve, but do they really have to be told this?

Re:Well...duh.

[Registered+Coward+v2]

I know the men and women of our government are oblivious and at least 1.5 decades behind any technological curve, but do they really have to be told this?

While many certainly are, there are a lot of them who regularly use the latest technology and are frustrated by the government's "Yesterday's Technology Deployed Tomorrow" approach to systems. It's quicker and easier to send a text from your own phone than to find a desktop to send an Outlook Webmail email; not to mention the "so an so is a real ass" comments you don't want archived forever.

Part of the reason is also a broader cultural one; we have become so used to instant communication and using technology that the line between what is a personal and what is a business machine has become blurred.

Re:Well...duh.

[drinkypoo]

1) It's unsurprising that this was floated by a Democrat, whose party has been essentially asserting that the Russians stole the election by unspecified "hacking"

The FBI and CIA (you know, the "intelligence community"?) has been saying it, the Democrats have been repeating it.

2) Nevertheless ... the idea that Senate offices/staff may be the targets of nefarious hacking attempts (regardless of party affiliation) is really so obvious that it falls into the "don't run with scissors" category.

Yes, but the idea that it's coming from a specific nation and we're not doing anything about it falls into the "traitorous and incompetent" category.

Re:Well...duh.

[LazarusQLong]

Yes, they do. No, they aren't 1.5 decades behind, more like 4 decades behind. They are really only knowledgeable in how to lie and manipulate people, nothing else.

Re:Well...duh.

[LynnwoodRooster]

The FBI and CIA (you know, the "intelligence community"?) has been saying it, the Democrats have been repeating it.

Because politics NEVER entered the leadership of the FBI and the CIA, amirite?

Re: Well...duh.

[TimMD909]

Of course you don't run with scissors. Run with a knife. You'll go faster.

Re:Well...duh.

[jbmartin6]

Another DUH is that government officials in other countries can all say the say same thing, where "state-backed hackers" refers to US intelligence agencies among others.

Re:Well...duh.

The FBI and CIA (you know, the "intelligence community"?) has been saying it, the Democrats have been repeating it.

The Democrats never provided the DNC server to be inspected by the FBI or CIA. Instead, every agency in the government has been echoing the debunked report from a private firm that said exactly what the DNC wanted it to say: that their servers were hacked by a Russian spy ring. Perhaps they were and perhaps they were not, but it is apparent that the DNC hack itself was committed by an insider based on the transfer rates exceeding that of internet connections.

Similarly, the other "hack" was not a hack at all. Instead it was a spearphishing campaign that could be committed by literally anyone.

It is, and always should have been, obvious that the DNC (and RNC) are active targets of any foreign power, just as US intelligence should be actively trying to penetrate the political factions of other nations. To say or suggest otherwise is idiotic.

Yes, but the idea that it's coming from a specific nation and we're not doing anything about it falls into the "traitorous and incompetent" category.

First of all, traitorous and incompetent are two very separate issues. Second of all, there are more sanctions against Russia now than there were during the 2016 election. Finally, this fraud that Russia is the only nation attempting to hack the US -- or even the best at doing it -- is outrageously political and disgusting.

China is the most aggressive nation hacking the US (and our allies) and it has been for years, yet the Democrats (and you) are so insanely against Trump that you have finally agreed that Russia is once again our enemy. As a reminder, HRC famously rebooted our efforts with Russia in 2009 and the previous administration pretended that everything was great with Russia, including negotiating to remove our missile defense system from Poland for Russia in 2012, while drawing yet another hard line in the sand after Crimea was annexed by Russia. All the while literally laughing at Mitt Romney's idea that Russia is rising back to their cold war efforts.

China, Russia, North Korea, and Iran -- as well as multiple (most) allies! -- are all attempting to infiltrate the US in private, political, and government institutions. What Trump has done relative to Russia is far from treasonous and, at best, shows that he can be played by his ego just as well as most previous administrations. His tweets are downright stupid, but the actual policies and sanctions hitting Russia are heavier than they have seen in years. And those years include when the previous administration claimed to witness all of this going down, naturally after the fact.

Try to stop thinking of this garbage politically and try to think of it logically. If you can do that, then you will not like what you see on either side and maybe we can finally make progress rather than focusing on impeaching a President because you do not like him.

Re:Well...duh.

[RespekMyAthorati]

yet the Democrats (and you) are so insanely against Trump that you have finally agreed that Russia is once again our enemy.

The Democrats,along with the FBI and the CIA.
A China is big on stealing secrets, but Russians are the masters of social engineering.

Still using private e-mail?

[guruevi]

Off course the master-at-arms isn't going to secure your private e-mail, you shouldn't be using it.

This is pretty blatant admission of law avoidance by D-Wyden. Where is the FBI on that investigation?

Re:Still using private e-mail?

Off course the master-at-arms isn't going to secure your private e-mail, you shouldn't be using it.

This is pretty blatant admission of law avoidance by D-Wyden. Where is the FBI on that investigation?

WTF are you going on about. Of course they have personal email. There are things that are illegal for them to use a government account on, like campaigning.

Re:Still using private e-mail?

[Jahoda]

I absolutely agree. We should especially investigate these transgressions by the white house considering they campaigned on email security.

Senator Wyden, your entitlement is showing.

[MachineShedFred]

Dear Senator Wyden,

None of the other 300+ million US Citizens have their personal email "secured" by law enforcement authorities either. Maybe you shouldn't be keeping secure info in your personal email either. That's what your official @senate.gov email is for, which IS secured by law enforcement.

If you would like your personal email to be secure, you should probably self-fund that, just like everyone else. Or, get used to the idea that email isn't secure, at all.

Warm regards,
Everyone else that isn't an entitled jackass Senator.

PS if this is an attempt to set the table for more excuses for electoral losses in November, it's not a good one. Complaining about "email hacking" when bad shit comes out makes you and your compatriots look like idiots because you were using insecure systems to hide shit from your bosses - the people. By far, the best, most effective way to not have disclosures of shady shit stolen from your email, is to not have shady shit in your email.

Re:Senator Wyden, your entitlement is showing.

[Obfuscant]

None of the other 300+ million US Citizens have their personal email "secured" by law enforcement authorities either. Maybe you shouldn't be keeping secure info in your personal email either.

This is what I was thinking of saying, but don't bother. He isn't listening. I could send him megabytes (at least) of logs of failed ssh login attempts on the servers I run, most of which are originating in China. But Russia "hacking email" (which for Podesta was "please send us your email password") is bad bad bad bad.

This is the senator who proudly said:

"I want to deliver a warning this afternoon: When the American people find out how their government has secretly interpreted the Patriot Act, they will be stunned and they will be angry," he said.

but then did nothing to stop it. He is a Senator. He has the authority to write laws. Now he's warning us that people are trying to hack lawmaker's email, when anyone involved in computer admin already knows and is tired of it.

Re:Senator Wyden, your entitlement is showing.

[Jahoda]

I know, damn that evil Ron Wyden. He should follow the example of the white hosue who campaigned on email security.

Re:Senator Wyden, your entitlement is showing.

[Obfuscant]

I know, damn that evil Ron Wyden. He should follow the example

He should act on things he knows are wrong instead of just saying the equivalent of "if you knew what I know you'd be mad." What other people do with their problems is irrelevant.

It's really hard to forget his example of leadership in campaigning, where he came out one day saying he was going to run the most ethical and honest campaign for Senate, and then the next day we got to see the ads claiming his opponent had killed a teenager. (The teenager had been killed in a farming accident on a farm run by the family of the candidate that even the parents admitted was not the opponent's fault and they bore no ill will at all towards him.) When you understand history, you can see it repeating.

Re:Senator Wyden, your entitlement is showing.

[pots]

I expect better, this is pathetic. The issue at hand is elections, and politicians are required to keep personal business (e.g.: getting elected) separate from official business. It's illegal for a senator to use a senate.gov email account for campaigning, and probably a very bad idea to be using it for anything else personal. Like, for example, making vacation plans with his family. Which would expose exactly where he's going to be and when, what he likes to do while on vacation, when he will and will not be working / campaigning / considering some large bill which a foreign actor might like to influence.

Second: I don't have terribly high expectations of the people here, but I do expect them to at least recognize that any vulnerability is a potential attack vector. You wouldn't think that an SQL injection for some website could lead to penetration of a company's internal development servers, but I expect you to know that it can and does.

Third: who says that he doesn't pay to secure his email? And the email for his staff? And his family? And his friends? Maybe he doesn't for all of those people. Maybe he does. That would make targeting him harder... and? So? Would that make these attacks okay? Would that mean that we could just ignore attacks on our congressional representatives, because paying some security company is totally foolproof?

Re:Senator Wyden, your entitlement is showing.

[MachineShedFred]

Senator Wyden sits on the US Senate Select Committee on Intelligence. He knows damn well that the NSA is doing the exact same shit to the countries that are doing this to us, and I'm sure he's perfectly fine with that.

What goes around, comes around. Plus, he married a rich New Yorker and spends most of his "not-in-Washington" time in Manhattan. He's only a senator from Oregon by name, and comes back to visit Oregon every 6 years or so to get re-elected; not that Oregon would ever vote for any of the stiffs that the Republican party puts up.

He has the resources to hire to do this correctly, and not bitch and whine that the government isn't doing it for him. As for the campaigning, I'm pretty sure that he gets plenty of donations that can help to secure campaign communications.

Still not going to show any sympathy for an entitled jackass hypocrite.

Prepared excuses

They're just preparing their excuses if the midterms don't go their way.

Hacking e-mail? Amateur!

[LynnwoodRooster]

REAL Senators know that you simply hire foreign spies to work for you for a few decades. E-mail hacks are for those shiftless layabouts in Oregon, in California we go straight to putting spies on the payroll!

Russia boogie man

[p51d007]

The Russians did it the Russians did it. Just more crap by the socialist liberals that want to take away your rights. If elections can't be trusted, we'll just "self appoint" ourselves to run the government. THAT is their ultimate goal. Most democrats & most republicans want it that way.

Re:Russia boogie man

[RespekMyAthorati]

The Russians did it the Russians did it. Just more crap by the socialist liberals that want to take away your rights.

Dah, Comrade! You is right!

Re:Hacking e-mail? Amateur!

[MachineShedFred]

Better yet, Wyden is on the US Senate Select Committee on Intelligence. He probably knows about, if not voted to authorize, CIA / NSA hacking of other countries leaders' email accounts.

The stench of hypocrisy is a bit too much to take on this one.

Re:using my email for work

[arexu]

You want it to change, put up a list of everyone who uses their personal email for work so that the population can vote against them.

I have NEVER and i mean NEVER worked for any company that allows me to use my personal email for work related things. I would like anyone to show me a company that allows for such things.

Here's one data point - I use my Gmail account for work all the time. Yes, my company knows and allows it. But I'm just a contract archaeologist, I'm not doing anything political, classified, or liable to shake the wall of decorum. If I were involved in something that might turn political, or that involved classified or government monitored operations, or that would scare the horses, I'd take the time to use company email. No, I'm not gonna give you my RL name, who the fuck are you, voices on the internet?

What he actually said...

[ole_timer]

was...why is the senate not protected? because no one is. that bears repeating. NO ONE IS. doh.

Re:Hacking e-mail? Amateur!

[ole_timer]

saves a lot of work to just hire 'em! priceless.