Written with the American Governance Institute and Demand Progress.


Dear Chair Mullin, Ranking Member Heinrich, and members of the Senate Legislative Branch Appropriations Subcommittee:

Thank you for the opportunity to provide written public witness testimony. We commend the Committee’s ongoing commitment to strengthening congressional operations and addressing critical security challenges facing the Legislative Branch. The Committee’s efforts to advance congressional modernization on a bipartisan basis are vital, and we look forward to seeing them continue.

We are submitting this testimony on behalf of three organizations that have a keen interest in Congress’s security and effectiveness. We are Daniel Schuman, Executive Director, American Governance Institute; Haiman Wong, Resident Fellow, R Street Institute; Sean Vitka, Executive Director, Demand Progress Action.

Our testimony today concerns the essential need to enhance cybersecurity support for congressional staff, particularly regarding their personal devices and accounts. The Committee has rightly recognized the significant threat that cyberattacks pose to Congress’s ability to perform its constitutional duties. The Senate has directed proactive steps to protect critical Information Technology (IT) infrastructure, prevent cyberattacks, ensure secure data storage, and maintain continuity of government operations. In addition, Congress has provided funding to strengthen cyber defenses and conduct third-party cybersecurity auditing services and resiliency assessments for Senate offices.

Furthermore, the Committee has recognized the danger of cyber threats on senators and staff on their official and personal devices and accounts. You and your colleagues appropriately directed the Sergeant at Arms to improve personal cybersecurity advisories and best practice documents tailored to such devices and accounts and to educate Members and staff. Notably, the SAA has been encouraged to continue exploring ways—including options from the bipartisan Senators’ Personal Cybersecurity Working Group’s report—to provide voluntary cybersecurity support to any senator seeking assistance with their personal devices or accounts. This exploration includes evaluating potential investments in additional IT hardware and software, personnel, and guidelines. You also have directed the provision of increased training opportunities for Members and staff traveling abroad.

These efforts to secure official networks, provide training, and explore personal device support for Members are commendable and necessary steps in defending the Legislative Branch against sophisticated adversaries. However, we believe more should be done to provide dedicated, tangible personal cybersecurity support specifically for congressional staff.

While threats to Senators’ personal accounts are understandably a focus due to their prominent roles, congressional staff are also highly valuable targets for malicious actors seeking to compromise the institution. Adversaries understand that staff members possess intimate knowledge of legislative processes, constituent issues, political strategies, and sensitive communications. Moreover, the threat landscape is changing rapidly thanks to emerging technologies like AI, increasing the potency of cyber threats.

Compromises of staff in their personal capacities pose a grave danger to the actual work of Congress for several reasons:

Essentially, the personal cybersecurity of staff is inextricably linked to the institutional security of the U.S. Senate and its ability to function securely against sophisticated threat actors. If adversaries can’t breach the fortress walls, they will look for vulnerable side doors – and personal accounts often serve this purpose.

The good news is that a handful of basic, practical steps can dramatically increase personal cybersecurity for staff. These steps are well-documented and include:

While the Senate already provides some training on these topics, especially for those traveling overseas, making these practices widespread and providing necessary tools requires going further than providing advisories. Some staff members may lack the personal resources or technical expertise to implement these security measures effectively on their own – or merely need a push to do so. Providing free or low-cost access to tools like password managers, hardware security keys, or subscriptions to secure communication services would remove financial barriers and significantly enhance the security posture of the entire Senate community.

Given that the SAA is already directed to improve personal cybersecurity resources and provide voluntary support for Senators, extending similar, tailored support to staff is a logical and necessary next step to secure the Senate.[2] This support should go beyond general advice to providing tangible tools and assistance.

Accordingly, we respectfully request the Committee:

These steps represent a critical investment in the security and resilience of the U.S. Senate by addressing a currently underserved vulnerability—the personal cybersecurity of the dedicated staff who are essential to its operations. Protecting staff personal accounts and devices is not merely a matter of privacy; it is a matter of national security and the effective functioning of our legislative branch.

Thank you for your consideration of these important recommendations. We welcome the opportunity to discuss them further with the Committee.



[1] Phishing is a form of social engineering used by intruders to gain access to information and systems. Spearphishing targets specific individuals, while whaling targets senior officials.

[2] It goes beyond the scope of this testimony, but consideration should be given to applying these practices Legislative branch-wide.