Congress is so bad at cybersecurity, two lawmakers sent advice to colleagues

The bipartisan duo said the advice comes after recent cyberattacks against Congress and a high-profile vulnerability in phone networks.
Written by Zack Whittaker, Contributor
(Image via CBSNews.com/CBS Interactive)

Here's a shocker: Congress is really bad at cybersecurity.

The political capital is constantly facing network attacks and hacks from outside hackers and nation states -- and that's before the CIA wages its own wave of targeting intelligence committee members. Most lawmakers have never heard of PGP or even SSL, let alone used it (and most lawmakers still don't). For some, it's an endemic problem that bleeds into the political world -- which might explain why some of its cybersecurity legislation is so ill-conceived and badly thought-out.

It's no wonder a bipartisan duo of computer science majors turned politicos got tired of it.

House lawmakers Ted Lieu (D-CA, 33rd) and Will Hurd (R-TX, 23rd) penned an email to their colleagues Monday warning them of some of the biggest dangers and threats to their information and operational security, amid a recent spate of cyberattacks.

"Your devices will be subject to continuing cyber attacks," the email wrote. Their advice was to, among other things, use complex passwords, two-factor authentication, and connect only to trusted networks -- tips that just about every other person is told and can benefit from.

"We need a national culture shift that puts more responsibility on each individual for their digital security, and that starts with education," Lieu told ZDNet later on Monday.

He said it's "absolutely critical" that high-value targets, such as members of Congress, recognize the threat against cyberattacks, citing the recent surge in ransomware threats targeting congressional networks.

The two House members make up half of the four computer science majors in Congress. That mindset shows in their legislative history -- they've also been behind some of the most recent legislative attempts to strengthen national and state cybersecurity, as well as Lieu's effort behind the ENCRYPT Act, which aims to prevent weakening encryption.

But it was earlier this year that Lieu realized how vulnerable both he and his colleagues were, when sister-site CBS News reported on a two-year old flaw in the international cellular brokerage network, which allowed hackers to listen in on his phone calls.

"Last year, the president called me on my cell phone, and we discussed some issues. If the hackers were listening in, they would know that full conversation," he said at the time.

Given that the phone networks are broken, the two lawmakers said in their bipartisan note to members of Congress should use encryption messaging apps, many of which "will encrypt both your voice and text messaging data."

That might raise a few eyebrows in the Senate, where two intelligence committee lawmakers are pushing for new legislation that critics argue would make encryption illegal.

Sens. Richard Burr (R-NC) and Dianne Feinstein (D-CA) introduced a draft bill last month, which pro-encryption advocates called "ludicrous," "dangerous," and "technically illiterate." The bill, if it becomes law, would require tech companies and phone makers to decrypt customer data at a court's request.

When asked by email if either senator would take heed of Lieu and Hurd's comments, spokespeople for Feinstein and Burr did not respond prior to publication.

Lieu warned that inaction on cybersecurity could endanger national security, and argued it would be "shortsighted and dangerous" not to act.

"When it comes to cybersecurity, we cannot afford to put politics ahead of national security," he said.

Update: You can read the full email here.

Editorial standards