Senate Judiciary Committee Investigation Reveals…
On March 5, 2004, the Washington Post reported that the three-month investigation by Senate Sergeant-At-Arms (SAA) William H. Pickle revealed that Republican staffers had downloaded thousands of Democratic computer files over the past few years. The report also revealed major flaws in the chamber’s computer security.
According to the SAA’s Report on the Investigation Into Improper Access to the Senate Judiciary Committee’s Computer System, Senate Judiciary Committee Chairman Hatch and Senators Leahy, Kennedy and Durbin of the committee asked the sergeant at arms to investigate the circumstances surrounding the theft and subsequent leak to the Wall Street Journal of Democratic documents relating to Democratic plans for judicial nominations. In addition, Leahy, Kennedy and Durbin requested the sergeant at arms ask an independent computer forensics and security expert to identify who retrieved and released these documents, as well as to determine weaknesses in the computer network and recommend fixes to help prevent unauthorized access.
The investigation revealed that one Senate staffer learned how to access the files after watching the committee’s systems administrator doing some work on his computer. This clerk was able to duplicate the sysadmin’s actions, gaining access to network’s users’ home directories. The report pointed to lax security measures on the part of this system administrator. Investigators blamed the vulnerability on the system administrator’s lack of experience, training and oversight.
The lessons learned in the investigation could apply to any company or organization. The committee required no minimum level of proficiency for the system administrator position, and several flaws in physical and computer security practices were identified as potential problems, though these flawed practices did not contribute to the compromise of documents in this case.
The report recommended several steps to improve computer security for the committee. The SAA recommended additional training, enhanced security practices and a full security audit. System administrators should enroll in additional training that emphasizes security, and there should be “mandatory and recurring” user training, emphasizing security. In addition, the SAA recommended that the committee incorporate ethics training into its orientation program for new employees. The report also recommended several security practices the Committee should implement, including reviewing permissions settings to ensure proper restrictions, establishing and enforcing strict password policies, ensuring that operating system logs are capturing the required security information, starting a security awareness campaign to educate users and developing a tracking system for inventory of computer assets.
Further, the SAA report said that due to the results of the investigation, it will ask the leadership of the Senate to establish technical skills assessment and certification for current system administrators, continuing technical education for system administrators and minimal qualification standards for newly hired system administrators.