With just a few weeks to go before November midterms, CNN reports that a Google spokesman has confirmed an unspecified number of Senate and Senate staff have had their personal email accounts targeted by hackers from foreign governments.
Senator Ron Wyden (D-Ore) wrote a letter to Senate leadership on Wednesday, stating his concerns about the security of personal email accounts. He wrote, “at least one major technology company has informed a number of Senators and Senate staff members that their personal email accounts were targeted by foreign government hackers.”
Google would not say which Senators had been targeted or when but did confirm it is the company Wyden referred to in his letter.
Google confirmed to NPR that the message “There’s a chance this is a false alarm, but we believe we detected government-backed attackers trying to steal your password” was given. A 2017 blog post on Google’s website explains the warning.
“We send these out of an abundance of caution — the notice does not necessarily mean that the account has been compromised or that there is a widespread attack. Rather, the notice reflects our assessment that a government-backed attacker has likely attempted to access the user’s account or computer through phishing or malware, for example.”
Google Security Blog
A Senate aid told the AP, on the condition of anonymity, that the warning from Google had occurred “in the last few weeks or months” and an aid told CNN that both Democrats and Republicans were targeted.
Wyden stated in his letter that the Office of the Sergeant at Arms has informed him that it has no authority to help protect personal accounts and devices from cyber attacks and refused to help the Senators and staff who had received the notifications from Google on the grounds that funds were only to be used to protect official accounts and devices.
“This must change,” Wyden wrote in the letter. “The November election grows ever closer, Russia continues its attacks on our democracy, and the Senate simply does not have the luxury of further delays.” A spokeswoman for the security office said it would have no comment.
Wyden has proposed legislation that would allow the security office to offer digital protection for personal accounts and devices, the same way it does with official ones.
AP
Thomas Rid, a professor and cybersecurity expert from Johns Hopkins University, wrote Wyden a letter in which he stated, “The personal accounts of senators and their staff are high-value, low-hanging targets. No rules, no regulations, no funding streams, no mandatory training, no systematic security support is available to secure these resources. With no one forcing them to improve their personal cybersecurity and little expert assistance available, it’s unsurprising that many elected officials have bad personal cybersecurity.”
Matt Tait, former British intelligence official and cybersecurity expert, points out that while Russian hacking is a source of concern, it is not the only country who is interested in what lawmakers are doing. He also points out that that interest is not just for online info dumps.
In an April 12 letter released by Wyden’s office, Adm. Michael Rogers — then director of the National Security Agency — acknowledged that personal accounts of senior government officials “remain prime targets for exploitation” and said that officials at the NSA and Department for Homeland Security were discussing ways to better protect them. The NSA and DHS declined to offer further details.
AP
Rid, in his letter to Wyden, highlights that personal accounts are soft targets because the individual is in charge of security settings, not cybersecurity pros.
As a result, hackers working for foreign powers (as well as so-called ‘hacktivists’) have zeroed on the non-official accounts of current and former officials. These include: White House Chief of Staff John Kelly (personal phone), former CIA Director John Brennan (personal email), former DNI James Clapper (personal email, phone accounts), and former FBI Deputy Director Mark Giuliano (personal email).
Thomas Rid
Tait believes that providing cybersecurity for Senators and their staff could begin with some training and Yubikeys, which are small chip-based security devices used in government environments and could thwart hackers by supplementing passwords.
“In an ideal world, the Sergeant at Arms could just have a pile of YubiKeys,” said Tait. “When legislators or staff come in they can (get) a quick cybersecurity briefing and pick up a couple of these for their personal accounts and their official accounts.”
AP
Senator Wyden is introducing legislation that would allow the Sergeant At Arms to provide opt-in cybersecurity assistance to Senators and their staff and asks Senate leadership to determine how many Senators and staffers have received notifications of potential hacking by foreign governments.
