Congressional Record, Volume 165 Issue 53 (Wednesday, March 27, 2019)

[Congressional Record Volume 165, Number 53 (Wednesday, March 27, 2019)]
[Senate]
[Pages S2045-S2046]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. WYDEN (for himself and Mr. Cotton):
  S. 890. A bill to authorize the Sergeant at Arms to protect the 
personal technology devices and accounts of Senators and covered 
employees from cyber attacks and hostile information collection 
activities, and for other purposes; to the Committee on Rules and 
Administration.
  Mr. WYDEN. Mr. President, today I, along with my colleague Senator 
Cotton from Arkansas, am introducing the Senate Cybersecurity 
Protection Act to defend the integrity of American democracy by 
providing cybersecurity protection for the personal accounts and 
electronic devices of Senators and and key members of their staff.
  In 2016, hackers working for the Russian government broke into a 
range of targets, including the network of the Democratic National 
Committee and the email account of Senator Hillary Clinton's 
presidential campaign manager, John Podesta. These widely publicized 
breaches are only the tip of the iceberg. These hacks are widely known 
today because the emails stolen from these accounts were subsequently 
weaponized and used as part of a campaign to influence the outcome of 
several elections--most publicly, the presidential race between Donald 
Trump and Hillary Clinton, but also U.S. House of Representatives races 
in Illinois, New Hampshire, New Mexico, North Carolina, Ohio, and 
Pennsylvania. Senator Lindsey Graham also reported that his campaign's 
email was successfully compromised.
  While the Russian hacks in 2016 were a watershed moment, these are 
merely the most visible and disruptive examples of foreign intelligence 
services

[[Page S2046]]

using offensive cyber capabilities to target those involved in our 
political process. Senior officials from the 2008 Obama and McCain 
presidential campaigns have publicly confirmed that both organizations 
were compromised by hackers. In 2017, the media reported that then-
White House Chief of Staff John Kelly's personal cell phone had been 
compromised, possibly for as long as ten months before the malware was 
discovered. And in 2018, media reports revealed that the personal email 
accounts of senior congressional staffers had been targeted by the 
notorious Russian hacking group ``Fancy-Bear.'' These and other events 
clearly demonstrate the unique threats faced by Senators and their 
staff. Unfortunately, as I revealed in a letter to Senate leadership 
last year, the Sergeant At Arms (SAA), which is responsible for the 
Senate's cybersecurity, informed me that it currently lacks the 
authority to use official Senate resources to protect the personal 
devices and accounts of Senators and key Senate staff, even when those 
staff are being targeted by foreign governments.
  Senators Cotton and I are not alone in recognizing the seriousness of 
this national security threat.
  Last year, then-Director of the National Security Agency Admiral 
Michael Rogers acknowledged in a letter to me that personal devices and 
accounts of senior U.S. government officials ``remain prime targets for 
exploitation.'' Likewise, in written responses to post-hearing 
questions from the Senate Intelligence Committee last year, Director of 
National Intelligence Dan Coats wrote that ``[t]he personal accounts 
and devices of government officials can contain information that is 
useful for our adversaries to target, either directly or indirectly, 
these officials and the organizations with which they are affiliated.'' 
The Appropriations Committee also noted last year in its report 
accompanying the 2019 Legislative Branch Appropriations bill that it 
``continues to be concerned that Senators are being targeted for 
hacking and cyber attacks, especially via their personal devices and 
accounts.''
  Currently, Senators and staffers are expected to protect their own 
devices and accounts from foreign government hackers. This is absurd. 
Senators and the vast majority of their staff are not cybersecurity 
experts, and certainly do not have the training our resources to defend 
themselves from sophisticated foreign intelligence agencies. Eric 
Rosenbach, who was formerly Chief of Staff to Secretary of Defense Ash 
Carter, has endorsed the bill we are introducing today, observing that 
``Senators and their staff should not be expected to go toe to toe with 
some of the most sophisticated adversaries in cyberspace; authorizing 
protection of personal accounts is a critical component of our cyber 
defense efforts.'' Likewise, Bruce Schreier, a noted cybersecurity 
expert has also endorsed the bill, stating that ``[i]t is ludicrous to 
expect individual senators and their staff to to defend themselves from 
spies and hackers. Hostile foreign intelligence services do not respect 
the arbitrary line between work and personal technology. As such, the 
U.S. government must extend its defensive cyber perimeter to include 
legislators' personal devices and accounts.''
  Our bill would permit the SAA to provide voluntary, opt-in 
cybersecurity assistance to Senators and key Senate staff to secure 
their personal devices and accounts. Any Senate staffer would be 
eligible to receive assistance, provided that the Senator employing 
them determines that they are highly vulnerable to cyber attacks and 
information collection because of their position in the Senate.
  There is precedent for extending cybersecurity protection to the 
personal devices of government officials. Section 1645 of the 2017 
National Defense Authorization Act permits the Secretary of Defense to 
provide personal device cybersecurity assistance to officials whom the 
secretary ``determines to be highly vulnerable to cyber attacks and 
hostile information collection activities because of the positions 
occupied by such personnel in the Department.'' The Senate 
Cybersecurity Protection Act is also similar to provisions included in 
the intelligence authorization bill approved by the Senate Select 
Committee on Intelligence in 2018, which would permit the Director of 
National Intelligence to protect the personal devices and accounts of 
high-risk staff in the intelligence community.
  Passage of this common sense, bipartisan legislation would provide 
Senators and their staff with much-needed protection for their personal 
accounts and devices, and with them, the integrity of American 
democracy. I thank my colleague Senator Cotton for his efforts on this 
bill, and hope the Senate will promptly pass this vital legislation.
                                 ______