Haiman Wong Senate Appropriations Committee Testimony on Enhancing Cybersecurity Support for Senate Staff and the Senate Sergeant at Arms
Written with the American Governance Institute and Demand Progress.
Dear Chair Mullin, Ranking Member Heinrich, and members of the Senate Legislative Branch Appropriations Subcommittee:
Thank you for the opportunity to provide written public witness testimony. We commend the Committee’s ongoing commitment to strengthening congressional operations and addressing critical security challenges facing the Legislative Branch. The Committee’s efforts to advance congressional modernization on a bipartisan basis are vital, and we look forward to seeing them continue.
We are submitting this testimony on behalf of three organizations that have a keen interest in Congress’s security and effectiveness. We are Daniel Schuman, Executive Director, American Governance Institute; Haiman Wong, Resident Fellow, R Street Institute; Sean Vitka, Executive Director, Demand Progress Action.
Our testimony today concerns the essential need to enhance cybersecurity support for congressional staff, particularly regarding their personal devices and accounts. The Committee has rightly recognized the significant risk that cyber threats pose to Congress’s ability to perform its constitutional duties. The Senate has directed proactive steps to protect critical Information Technology (IT) infrastructure, prevent cyberattacks, ensure secure data storage, and maintain continuity of government operations. In addition, Congress has provided funding to strengthen cyber defenses and conduct third-party cybersecurity auditing services and resiliency assessments for Senate offices.
Furthermore, the Committee has recognized the danger that cyber threats pose to senators and staff on their official and personal devices and accounts. You and your colleagues appropriately directed the Sergeant at Arms (SAA) to improve personal cybersecurity advisories and best practice documents tailored to such devices and accounts and to educate Members and staff. Notably, the SAA has been encouraged to continue exploring ways—including options from the bipartisan Senators’ Personal Cybersecurity Working Group’s report—to provide voluntary cybersecurity support to any senator seeking assistance with their personal devices or accounts. This exploration includes evaluating potential investments in additional IT hardware and software, personnel, and guidelines. You also have directed the provision of increased training opportunities for Members and staff traveling abroad.
These efforts to secure official networks, provide training, and explore personal device support for Members are commendable and necessary steps in defending the Legislative Branch against sophisticated adversaries. However, we believe more should be done to provide dedicated, tangible personal cybersecurity support specifically for congressional staff.
While threats to Senators’ personal accounts are understandably a focus due to their prominent roles, congressional staff are also highly valuable targets for malicious actors seeking to compromise the institution. Adversaries understand that staff members possess intimate knowledge of legislative processes, constituent issues, political strategies, and sensitive communications. Moreover, the threat landscape is changing rapidly thanks to emerging technologies like AI, increasing the potency of cyber threats.
Compromises of staff in their personal capacities pose a grave danger to the actual work of Congress for several reasons:
- Access to Sensitive Information: While official work should occur on official systems, in practice, personal devices and accounts are often used for work-related communications, scheduling, or accessing documents, particularly when staff are mobile or working remotely. A compromised personal email account, for instance, can expose sensitive information.
- Phishing and Social Engineering Vector: Attackers frequently use personal information gathered from social media or compromised personal accounts to craft highly convincing spearphishing[1] or whaling attacks targeting staff. These attacks can trick staff into revealing credentials for official systems, clicking malicious links, or sharing confidential information.
- Network Mapping and Intelligence Gathering: Information gleaned from personal devices and online activities can help adversaries build profiles of staff, understand their connections (to Members, other staff, constituents, lobbyists), identify their routines, and gain insight into office dynamics or legislative priorities. This intelligence can then be used to tailor more effective attacks against the staffer or those they support.
- Lateral Movement: A compromised personal device or account could potentially be used as a stepping stone to access official systems if staff use the same or similar passwords, or if the personal device connects to the official network without sufficient security hygiene. While official networks have defenses, personal security hygiene is a critical layer.
- Disruption and Coercion: Compromising a staffer’s personal accounts can be used for harassment, doxing, or even coercion, creating significant stress and distraction that hinders their ability to perform their official duties effectively and securely.
Essentially, the personal cybersecurity of staff is inextricably linked to the institutional security of the U.S. Senate and its ability to function securely against sophisticated threat actors. If adversaries can’t breach the fortress walls, they will look for vulnerable side doors – and personal accounts often serve this purpose.
The good news is that a handful of basic, practical steps can dramatically increase personal cybersecurity for staff. These steps are well-documented and include:
- Using strong, unique passwords managed by a password manager. While staff use Keeper for official use, many staff do not use password managers for their personal use and do not practice good password hygiene. They should be provided with free or subsidized subscriptions, plus training.
- Enabling Multifactor Authentication (MFA) on all possible accounts. MFA requires a second piece of information beyond the password, making it vastly harder for attackers to gain access even if the password is stolen. Staff should be trained, encouraged, and provided assistance with deploying the most secure form of MFA for their personal accounts. The Senate should provide staff assistance with installing free MFA tools (like Google Authenticator) and/or subsidize physical security keys.
- Using secure, encrypted communication apps when appropriate. These apps give the sender better assurance of who the recipient is and encrypt messages in transit. While they may not be permitted for all official uses, staff should be encouraged to deploy them for nonofficial uses.
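To make the MFA point above concrete: the following is an added example, not part of this testimony or of any Senate system. It implements the one-time-code scheme used by authenticator apps (HOTP, RFC 4226, and TOTP, RFC 6238) with only the Python standard library and wires it into a toy account check. The account name, password and enrolment secret are constructed for the demonstration. It shows that an attacker holding only the stolen password is rejected, that a guessed code is rejected, that a code captured from the staffer cannot be replayed after use, and that only the password together with the current code succeeds.

```python
"""Why a stolen password alone should not be enough to log in.

Added example, not part of the testimony: a standard-library implementation of
HOTP (RFC 4226) and TOTP (RFC 6238), the one-time-code scheme used by apps such
as Google Authenticator, wired into a toy account check. The account name,
password and enrolment secret are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(at // step), digits)


class Account:
    """One user's salted password hash, TOTP seed and replay state (constructed toy)."""

    def __init__(self, username: str, password: str, totp_secret: Optional[bytes] = None) -> None:
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        # The seed the authenticator app enrols (usually via QR code); random unless supplied.
        self.totp_secret = totp_secret or secrets.token_bytes(20)
        # Highest time step whose code has already been accepted, so a code
        # captured by an attacker cannot be replayed inside its 30-second window.
        self.last_counter = -1

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, password: str, code: Optional[str], now: float, step: int = 30) -> bool:
        """Succeed only if the password matches AND a fresh, unused code is presented."""
        if not hmac.compare_digest(self._hash(password, self.salt), self.pw_hash):
            return False
        if code is None:          # the attacker has only the password
            return False
        counter = int(now // step)
        # Accept the current step and one step either side to tolerate clock skew.
        for c in (counter - 1, counter, counter + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.totp_secret, c), code):
                self.last_counter = c
                return True
        return False


def demo(now: Optional[float] = None, totp_secret: Optional[bytes] = None) -> Dict[str, bool]:
    """Run the four scenarios and return which ones succeed."""
    now = time.time() if now is None else now
    acct = Account("staffer@example.org", "correct horse battery staple", totp_secret)
    good_code = totp(acct.totp_secret, now)     # what the staffer's phone would show
    wrong_code = str((int(good_code) + 1) % 10 ** 6).zfill(6)
    return {
        "stolen_password_only": acct.login("correct horse battery staple", None, now),
        "stolen_password_wrong_code": acct.login("correct horse battery staple", wrong_code, now),
        "password_plus_current_code": acct.login("correct horse battery staple", good_code, now),
        "captured_code_replayed": acct.login("correct horse battery staple", good_code, now + 5),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:30s} -> {'login succeeds' if ok else 'login rejected'}")
```

Run it directly and only the third scenario succeeds. Two design choices are worth noting for anyone building or evaluating such a check: codes are compared with `hmac.compare_digest` rather than `==` so timing does not leak partial matches, and the highest accepted time step is recorded so a code observed over a shoulder or through a phishing page is useless once the legitimate user has used it. A hardware security key, which the testimony also recommends subsidizing, removes even the short replay window because the key signs a challenge bound to the site rather than producing a code a person can be tricked into typing elsewhere.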
While the Senate already provides some training on these topics, especially for those traveling overseas, making these practices widespread and providing necessary tools requires going further than providing advisories. Some staff members may lack the personal resources or technical expertise to implement these security measures effectively on their own – or merely need a push to do so. Providing free or low-cost access to tools like password managers, hardware security keys, or subscriptions to secure communication services would remove financial barriers and significantly enhance the security posture of the entire Senate community.
Given that the SAA is already directed to improve personal cybersecurity resources and provide voluntary support for Senators, extending similar, tailored support to staff is a logical and necessary next step to secure the Senate.[2] This support should go beyond general advice to providing tangible tools and assistance.
Accordingly, we respectfully request the Committee:
- Direct the Sergeant at Arms to establish a program providing voluntary cybersecurity support to congressional staff for their personal devices and accounts. This program should include tailored advice, training sessions focused on personal cybersecurity best practices (drawing on resources like those outlining password managers, MFA, and secure communications), and guidance on implementing basic security measures.
- Appropriate a modest amount of funds, such as $500,000, for the SAA to procure and provide staff with free or heavily subsidized personal cybersecurity tools and resources. This could include licenses for reputable password managers, hardware security keys, or access to secure communication platforms. These tools are essential complements to training.
- Include legislative language providing clear legal authority for the SAA to offer this personal cybersecurity support and provide these resources to staff, explicitly stating that such support and resources are not for campaign purposes. This clarifies the permissible use of official resources for bolstering the overall security environment of the Senate workforce.
These steps represent a critical investment in the security and resilience of the U.S. Senate by addressing a currently underserved vulnerability—the personal cybersecurity of the dedicated staff who are essential to its operations. Protecting staff personal accounts and devices is not merely a matter of privacy; it is a matter of national security and the effective functioning of our legislative branch.
Thank you for your consideration of these important recommendations. We welcome the opportunity to discuss them further with the Committee.
[1] Phishing is a form of social engineering used by intruders to gain access to information and systems. Spearphishing targets specific individuals, while whaling targets senior officials.
[2] It goes beyond the scope of this testimony, but consideration should be given to applying these practices Legislative Branch-wide.