As a lifelong Democrat and security professional, I learned with disgust the details about the recent compromise of information belonging to Democratic members of the Senate Judiciary Committee. Basically, Republican staffers accessed files, created by the Democratic contingent, that were on a file server used by both Democrats and Republicans. While the Republicans knew the information was not intended for their eyes, they read it anyway.
But my disgust is ironically with the Democrats, whose positions I generally support, and not the Republicans. Politics should not blind us to the facts. The facts, as reported and admitted so far, are these: One young Senate staffer discovered that documents of the opposing party were freely available on his desktop from the one file server that both parties shared. He let a few of his colleagues know. Independently, yet another staffer, the Republican technology consultant, also discovered that the shared server was wide open, and he informed the Democrat systems administrator that each party’s documents were vulnerable to the other. The Democrats were in the majority, so the Democrat systems administrator had control over the shared server and the security protocols. But it appears he did nothing. It was only months later, after documents were leaked to the press and the Republicans regained control, that the security problems were fixed.
And this week, a third staffer, from yet another senator’s office, came forward to admit freely that he too knew full well that the Judiciary server was open as to both parties’ folders, which suggests many more people knew.
Now the United States Senate is not like other workplaces that might suffer from such a pathetic situation. Senate Rule 29.5 and its legislative history state that everything is open to the American public with three exceptions, none of which apply to these documents. But to the extent that anyone claims, as Democrats do, that the unsecured documents are “confidential,” their continued availability on the shared server, before and after the Democrat systems administrator was informed of the security problem, is nothing but gross negligence, and not a crime. Anyone who read these documents, after using their own password, had a right to assume that any data still available was fair game.
In the context of the Judiciary Committee, the negligence is all the greater. Americans well know that the committee is the most adversarial place in Congress, and is the front line of the abortion debate, which causes people to take extremes such as even murder. While senators sometimes create the façade of amicable disagreement, each side should expect the other to make use of any possible advantage.
Different reports and senators have portrayed the access to this information as a security “glitch.” But the fact is that there was no security to have a glitch. There was no glitch in a firewall. There was no firewall. Files were on a server open to all senators and staff of the Judiciary Committee. There were no protections. This is not the electronic equivalent of physical breaking and entering, as it was portrayed by many senators and newspapers. What happened in the Senate Judiciary Committee was the electronic equivalent of leaving the files in the Capitol rotunda.
The negligence is made more evident given all that could have been done to protect the so-called confidential documents. They could have required passwords for access to individual files or whole directories, beyond the password to the server itself. At the very least, Democrats could have put “Democrat Eyes Only” at the top of every document. Simple security mechanisms were readily and freely available to Democrats. In fact, poor security on this scale suggests that the Judiciary server could have been easily accessed by any outside hacker.
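The per-directory protection the column says was available is, on an ordinary file server, a matter of ownership and permission bits. The script below is an added example, not code from the column or from the Senate's own systems: it audits a shared tree for entries readable by anyone outside the owning group (the condition the staffers found) and then strips that access. It assumes a POSIX file server where each party's folders are group-owned; the directory names and sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a shared file tree for entries readable by everyone on
# the server, then close that access. Assumes a POSIX server where each
# party's folders are owned by that party's group (hypothetical setup).
set -eu

# List regular files and directories under $1 that carry the "other read"
# bit, i.e. anything every authenticated user of the server could open.
audit_world_readable() {
    find "$1" \( -type f -o -type d \) -perm -004 -print | sort
}

# Remove all "other" access under $1 (files and directories alike), leaving
# owner and owning-group permissions as they were.
harden_tree() {
    find "$1" \( -type f -o -type d \) -exec chmod o-rwx {} +
}

# Count of exposed entries, usable as a before/after audit metric.
count_world_readable() {
    audit_world_readable "$1" | wc -l | tr -d ' '
}

# Constructed demo tree standing in for one party's folder on the shared
# server: one world-readable memo (the bad case) and one group-only draft.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/memos" "$dir/drafts"
    printf 'strategy memo\n' > "$dir/memos/plan.txt"
    printf 'draft\n' > "$dir/drafts/notes.txt"
    chmod 755 "$dir/memos" "$dir/drafts"   # directories listable by everyone
    chmod 644 "$dir/memos/plan.txt"        # readable by everyone: exposed
    chmod 640 "$dir/drafts/notes.txt"      # group-only: already fine
    printf '%s\n' "$dir"
}

# Run with --demo to see the audit before and after hardening.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_demo_tree)
    echo "Before hardening:"; audit_world_readable "$tree"
    harden_tree "$tree"
    echo "After hardening:"; audit_world_readable "$tree"
    rm -rf "$tree"
fi
```

On the demo tree the audit first reports the two directories and the 644 memo; after `harden_tree` it reports nothing. Running the audit on a schedule, rather than once, is what catches a folder that later drifts back to world-readable, which is the situation the column describes persisting for months.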
Not surprisingly, Congress has adopted laws for the private sector that it now ignores where they would apply to itself. The Economic Espionage Act requires information to be protected to the same extent that one seeks to classify it as a secret or claim legal protection. Given the outrage expressed by senators, it is clear they wanted the information to be secret. But if information is left as unprotected in public or healthcare-related businesses as it was by the Democrats, corporate executives could be heavily fined or go to jail under HIPAA (Health Insurance Portability and Accountability Act), Sarbanes-Oxley, or GLBA (Gramm-Leach-Bliley Act) regulations.
While concern over political ethics in the Senate is important, it is a non-issue compared to this poster child for gross negligence in computer security. Senators want to shun basic responsibilities that they impose on the private sector by making scapegoats over borderline ethical issues, instead of taking responsibility for the negligence this story tells. The public should be outraged that the Senate has spent hundreds of hours and countless dollars deflecting blame when inexpensive measures could have been easily taken. This story isn’t Memogate. This is Memo-gateless.
–Ira Winkler, a computer security and espionage expert, is the author of the forthcoming book Spies Among Us.