On March 13, Arkansas Sen. Tom Cotton and Oregon Sen. Ron Wyden submitted a bipartisan letter to the Senate sergeant-at-arms asking for an annual report tallying the number of times Senate computers have been hacked. The letter also requests the SAA adopt a policy of informing Senate leadership within five days of any new data breaches that occur.
Cotton and Wyden should be lauded for requesting greater clarity regarding government cybersecurity. Yet this important and reasonable petition reveals an unfortunate reality: We expect our lawmakers to enact policy protecting our nation from cyberattacks when they don’t even know whether their own computers have been hacked. For the sake of national security, this must change.
Government agencies, in general, are legally required to disclose breaches, but Congress is under no similar obligation. According to the letter, the last time there was a publicly disclosed report of a congressional data breach was in 2009. Indeed, the two examples of cyberattacks on Senate computers that Cotton and Wyden cite (one against former Virginia representative Frank Wolf in 2006 and one against former Florida senator Bill Nelson in 2009) are both at least a decade old. But a lack of data for the years since then doesn’t mean that hackers haven’t been active. In fact, in 2018, both the Democratic National Committee and the National Republican Congressional Committee lost emails in data breaches. Moreover, the Department of Defense wards off approximately thirty-six million attempted data breaches each day.
Additionally, officials’ websites and email accounts are not the only targets of hackers. Last September, Wyden wrote a letter to Senate leadership about the Russian hacking group Fancy Bear and its attacks on the personal accounts of both lawmakers and staffers. In that letter, he expressed concern about the SAA’s lack of authority to assist with cybersecurity protection for government officials’ personal accounts and devices. In December, the Federal Election Commission voted to permit lawmakers to reallocate leftover campaign funds toward protecting members’ and staff’s personal devices and accounts.
Hackers pose a serious risk to our national security—as Wolf succinctly stated in reference to the attack on his office: “They got everything.” Moreover, they are always looking for new vulnerabilities to exploit. With the cyber threat landscape constantly shifting, members of Congress need to stay up to date about the threats they face.
The fact that certain lawmakers take pride in avoiding email or question how the internet works does not inspire confidence in congressional technological savvy. This isn’t the first time Congress’ knowledge of cybersecurity has been questioned. A 2017 poll of cybersecurity experts found that only 13 percent believe “Congress and the White House understand cyber threats and will take steps for future defenses.”
But lawmakers can’t become knowledgeable or take such steps if the data isn’t available. Receiving annual updates on the aggregate number of cyberattacks against the Senate is a good place to start. As the letter to the SAA states, “Each U.S. Senator deserves to know, and has a responsibility to know, if and how many times Senate computers have been hacked, and whether the Senate’s existing cybersecurity measures are sufficient to protect both the integrity of this institution and the sensitive data with which it has been entrusted.”
The ability to measure cybersecurity is at the core of creating a sound policy that can keep our nation safe. While anecdotes and stories can help convey the threat from cyberattacks, well-crafted metrics are what will help lawmakers (and taxpayers) assess whether adequate security measures are in place.
Transparency about these metrics is vital to ensuring accountability. This is why Congress should receive a report on the number of cyberattacks committed against not only the Senate but the House of Representatives as well. Furthermore, this information should be reported not just to lawmakers, but to the public at large. Budgeting for security never happens in a vacuum; providing funding for one area usually pulls funding away from another. Taxpayer money can only be doled out to its best uses through careful cost-benefit analysis. And to do that, both lawmakers and the public need to be able to accurately measure the threats we’re facing.
The problem is that if lawmakers fund security only by taking a stab in the dark, one day we might face a cyberattack that leaves us there.
Kathryn Waldron is a research associate at the R Street Institute and a Graduate Research Fellow at George Mason University.