Members of Congress are vulnerable to hacking, and lawmakers fear they could be next on the Russian target list.
“Any senior government official who has been critical of their active measures campaign, supportive of sanctions over their invasion of Ukraine or condemning of their bombing of civilians in Aleppo may be a prime target for hacking, a travel ban or other retaliatory steps by the Kremlin,” said Rep. Adam Schiff of California, the top Democrat on the House Permanent Select Committee on Intelligence.
Congressional offices are increasingly aware of cyber threats and are upgrading security, said Meg King, who teaches Capitol Hill staffers about cybersecurity.
“A lot of people say, ‘It’s not the if, it’s the when,’ ” said King, a digital security expert at the Wilson Center think tank in Washington.
The Government Accountability Office reports that information security “incidents” affecting federal government computer systems are on the rise. The number skyrocketed from 5,503 in 2006 to 77,183 last year.
“We’re hacked here every day,” said Rep. Devin Nunes, the California Republican who chairs the House Intelligence Committee. “The adversaries are real.”
Sen. Marco Rubio, a Republican from Florida, used a public hearing of the normally closed-door Senate Intelligence Committee to float the possibility that Russia would use cyber intrusions to discredit U.S. politicians.
“They don’t limit this to elections,” Rubio said. “They target individual policy makers throughout many countries in Europe, particularly those in the former Soviet sphere. . . . And isn’t it true that that could very well happen here in the United States?”
Rubio described what he called a hypothetical scenario in which the Kremlin uses hackers to target a U.S. politician and frame him for a crime.
“Imagine there’s a U.S. senator or congressman who adopts a policy position that the Kremlin does not agree with,” Rubio said. “Somehow through a phishing expedition they gain access to your personal computer network. And once they gain access to your personal computer network, they use it to fabricate and/or actually conduct . . . child pornography . . . (or) let’s say money laundering activity. And then they call law enforcement and tip them off.”
Sen. Ben Cardin, a Democrat from Maryland, has experience with Kremlin retaliation. In 2012 Cardin introduced a bill, later signed into law, that barred U.S. entry to Russian officials implicated in the death of a Russian lawyer who died in jail after exposing alleged government fraud.
“Sen. Cardin has been banned from traveling to Russia for years now,” said his spokeswoman, Sue Walitsky.
Rep. Eric Swalwell, a California Democrat on the House Intelligence Committee, said that if Congress didn’t respond vigorously to alleged foreign hacking then it “not only tells Russia we’re open to further hacking, but it also gives a green light to other foreign adversaries.”
Lawmakers have a valid concern that Russian hackers could target anti-Kremlin politicians in America, said Ed Cabrera, former chief information security officer for the Secret Service.
“It’s not limited to Russian hacking activities. There are other nation-state hacking activities being done at similar levels from China and elsewhere,” said Cabrera, chief cybersecurity officer for security firm Trend Micro. “Politicians should always assume, and even more so as they take a political position on a country, or call for some kind of sanctions against any country, that they would be the targets of cyber espionage or hacking activity.”
Political figures are easy targets and need to be vigilant with security, he said, whether the attackers are intelligence services, cybercriminals or hacktivist groups with social or political causes.
“If there’s anything we learned from the past year’s hacking activity, it’s that really nobody is immune,” Cabrera said.
King, the cybersecurity specialist at the Wilson Center, said there were many ways that members of Congress could be targeted. Their staffers are sent “spearphishing” emails that appear legitimate, for example, or private email accounts used for campaigns can be targeted, or electronic devices used when traveling can be open to attack if they are not secure.
“This is all about user error. It’s user error if somebody clicks on a spearphishing email, it’s user error if somebody’s private email is accessed on a device that may be connected in some way to official email,” King said. “Obviously there are a lot of checks put in place to make sure those kinds of gaps don’t exist, but you can’t always protect everything.”