Cyber-savvy lawmakers urge colleagues to use encrypted messaging, better passwords
Two House lawmakers with computer-science expertise are warning their colleagues to improve their cybersecurity hygiene as hackers get smarter and increasingly target government officials.
"The ease with which foreign governments, criminal syndicates, and everyday hackers can access your smartphone, tablet, desktop, or laptop is frightening," Reps. Will Hurd (R-Texas) and Ted Lieu (D-Calif.) wrote Monday in a "Dear Colleague" letter to the entire House of Representatives, the text of which was shared with the Daily Dot.
Hurd and Lieu recommended their colleagues take several easy steps, including improving their passwords ("avoid using simple passwords such as '1234' or 'password'") and implementing two-factor authentication, which requires users to submit a temporary app-generated code in addition to their standard password to log into supported services.
Government officials face cybersecurity pressures like never before, and it's not just because of the controversy surrounding former Secretary of State Hillary Clinton's use of a private email server for sensitive government business. Hackers have breached systems belonging to the State Department, the Defense Department, and the Joint Chiefs of Staff, while other rogue actors hacked into the email accounts of the CIA director, the director of national intelligence, and President Obama's science and technology adviser.
Hurd and Lieu also recommended using encryption wherever possible, including by downloading encrypted messaging apps. Lieu recently helped bring to light a serious vulnerability in the global telephone routing system SS7 by letting hackers intercept his calls and emails for a 60 Minutes report.
"Encrypting your voice and text data will go a long way [toward] mitigating the various risks we have identified," Hurd and Lieu wrote. Encryption, they said, "constructs a huge barrier to your communications being deciphered."
Both lawmakers are no doubt hoping that the recommendation to use encryption opens some of their colleagues' eyes to the benefits of the technology, which is under attack in Congress as law-enforcement officials urge the passage of legislation banning unbreakable encryption.
Hurd and Lieu have significant experience with cybersecurity matters as members of Congress.
As chairman of the House's information-technology oversight subcommittee, Hurd has presided over hearings about everything from whether agencies used compromised firewalls to how the White House has implemented an IT spending-reform law.
Lieu, one of the House's fiercest civil-liberties advocates, has consistently backed Silicon Valley in the encryption battle, in part on cybersecurity grounds. The day after a judge ordered Apple to help the Justice Department bypass the security features of a dead terrorist's iPhone, Lieu warned the ruling would set a precedent that could lead to companies being forced to write harmful code.
The letter's two authors are two of only four members of Congress with computer-science degrees. (The others are Ohio Republican Bill Johnson and House Majority Whip Steve Scalise of Louisiana.) Hurd, who served as a CIA agent for nine years and worked undercover in Pakistan, earned a bachelor's degree in computer science from Texas A&M. Lieu, a lieutenant colonel in the Air Force Reserves, earned a bachelor's degree in computer science at Stanford University.
As the letter notes, the House computer system already requires users' passwords to meet certain requirements, but the two lawmakers' recommendations suggest those minimum standards still aren't enough.
Neither office would comment on whether the lawmakers planned to seek formal changes to the House's cybersecurity standards, but Lieu spokesman Jack D'Annibale told the Daily Dot that the congressman "has been in close contact" with the Committee on House Administration and the staff of the Chief Information Officer to discuss related issues.
The House's CIO recently warned congressional offices of a ransomware campaign targeting the chamber's computer network.