FBF: Ensuring that Congressional Staff Can’t Be Backdoored on Cybersecurity

In January, the R Street Institute, Demand Progress Education Fund, and POPVOX Foundation hosted a cybersecurity training for House staff. While the House and Senate provide resources and training to protect official accounts, there is currently no equivalent support for staffers’ non-official accounts.

Personal and other non-official accounts pose a security threat to Congress when hackers leverage them to gain access to information about Congressional operations, legislative agendas, and personnel. For example, a hacker who accesses a staffer’s personal email account could learn about their social network and any work information — from g-chats to Google docs — shared through this non-official forum, and could use that account to send convincing messages to colleagues. Similarly, a hacker could use access to a staffer’s financial or other sensitive information as leverage for insider access, fraud, or other malicious purposes.

These weaknesses aren’t something civil society can fix alone. But, with the generous support of craig newmark philanthropies, civil society can share expertise on how to patch these holes and help public servants protect themselves.

At the January cybersecurity training event, we hosted a few dozen staffers in Rayburn for a hands-on exercise to address the most gaping cybersecurity vulnerabilities. Unlike most cybersecurity trainings, which are BOR-ING, this one was lively, entertaining, and hands-on — with short talks from experts and small group break-outs. Staffers were able to use the tools we shared and get their questions answered. Of course, we were careful to avoid endorsing any specific products and stayed away from discussing policy issues before Congress.

We covered:

  • Why and how to use a password manager. We demonstrated 1Password and BitWarden, and explained why long passphrases are good and all the advice about using leetspeak is n0ns&n$e! A password manager generates a unique, random password for every account, so a breach at one site cannot be replayed against another. You should never have to remember a password except the one to log into your password manager, and that one should be a long passphrase.
  • Texting and mobile security. We talked through the various apps available for text messages — explaining that Signal is the gold standard (not just for techies!) and covering other apps like Telegram, whose regular chats are not end-to-end encrypted by default. We also explained how to scrutinize communications to ensure their authenticity and check for faked sender info, since the name shown on a text or email is trivial to forge.
  • Phishing and email security. We covered the many social engineering techniques that are used to try to access sensitive information or get someone to take action on the hacker’s behalf — and steps that can be taken to prevent this.
  • Multi-factor authentication (MFA). We illustrated how to use tools like Google Authenticator or Authy, which provide a much higher level of security than text messages for MFA: the one-time code is computed on your own device from a shared secret and the current time, so it cannot be intercepted by a SIM swap or a phone-number takeover the way an SMS code can. We pointed to HaveIBeenPwned — a terrifying display of how many times your logins and passwords have been leaked — for those who insist on taking the significant risk of using online tools without MFA.

The response was great! Staff got their questions answered in a friendly setting. Many downloaded and began using the tools on the spot.

In the upcoming months, we will host an in-person training for Senate staffers, a virtual one for district office staff, and one more in-person training inside Congress. We are hopeful that this pilot project will reveal some of the best ways to help teach staffers how to secure their personal information and our Congress.

With that data, we will circle back to the House and Senate and encourage them to provide additional support to Congressional staff so we can help close the “backdoor” to cyberattacks.