Sen. Ron Wyden (D-Ore.) on April 20 urged the heads of the Senate Committee on Rules and Administration to direct the Senate Sergeant at Arms to require two-factor authentication as a basic cyber security measure for Senate information technology (IT) systems.

In a letter to Sens. Richard Shelby (R-Ala.) and Amy Klobuchar (D-Minn.), the chairman and ranking member, respectively, of the committee, Wyden noted the Senate does not implement basic industry-standard security practices like two-factor authentication. The Committee on Rules and Administration has jurisdiction over administration of the Senate office buildings and Senate wing of the Capitol, services to the Senate, and congressional office buildings.

The Senate’s standing rules state the committee shall also “make a continuing study of the organization and operation of the Congress of the United States and shall recommend improvements in such organization and operation with a view toward strengthening the Congress,” and also “develop, implement, and update as necessary a strategic planning process and a strategic plan for the functional and technical infrastructure support of the Senate.”

Wyden said executive branch employees are issued Personal Identity Verification (PIV) cards that serve as a form of photo identification and contain a chip that can be used as a second factor to log in to their computers. He noted that by mid-2016, 80 percent of all federal agencies were using these PIV cards to log in to IT systems.

However, the Senate does not offer or require this kind of authentication to log in to desktop computers or email accounts in the office. Wyden said the Senate Sergeant at Arms does require two-factor authentication for staff who want to log in to the Senate IT systems from home, using a Virtual Private Network.

“This is a good first step, but the Senate must go further and embrace two factor authentication for the workplace, and not just staff connecting at home,” Wyden wrote.

Wyden highlighted that most Senate staff ID cards merely have a photo of a chip printed on them, rather than a real smart chip that could be used as a PIV card.

“Given the significant investment by the executive branch in smart chip based two-factor authentication, we should strongly consider issuing our staff real chip-based ID cards and then using those chips as a second factor.”