Only one IT aide currently working directly for members of Congress has ever completed a background check, members’ data have been improperly mixed with other members’ data, and members provided almost no supervision, officials revealed Thursday in a House hearing spurred by “egregious” violations by former IT aide Imran Awan.
Members of Congress threw “$10 million in additional funding to the [chief administrative officer (CAO)] in order to enhance their cybersecurity program” in June 2017. The move followed repeated cybersecurity threats against members of Congress, including the detection of what an IG report called “unauthorized access” by Awan. They also had the CAO and others propose how best to clamp down on vulnerabilities. But the CAO revealed Thursday that members blocked the resulting proposal, which called for eliminating Awan’s job category, that of a floating IT aide accountable only to members.
System administrators like Awan “hold the ‘keys to the kingdom,’ meaning they can create accounts, grant access, view, download, update, or delete almost any electronic information within an office,” Inspector General Michael Ptasienski said at the House hearing.
“A rogue system administrator could inflict considerable damage to an office and potentially disclose sensitive information, perform unauthorized updates, or simply export or delete files,” he continued. “A rogue system administrator could take steps to cover up his/her actions and limit the possibility of their behavior being detected or otherwise traced back to them.”
House Chief Administrative Officer Phil Kiko testified that experts found “two dozen” problems with the way the House managed cybersecurity. “Enforcement gaps range from improper vetting of the employees themselves, to unfettered access to House accounts and use of non-approved software and/or cloud services, to the use of unauthorized equipment … far too many have privileged access to the House network with little to no supervision,” he said.
The inspector general’s testimony included revelations about members of Congress giving people not on their staff full access to their data, arrangements that let people secure federal benefits while otherwise acting like private contractors, and massive noncompliance rates, even though the inspector general had raised issues about IT aides to the Committee on House Administration in both 2009 and 2012.
After detecting earlier vulnerabilities with IT and bookkeeping employees, Congress’s solution was to require the employees to sign a form saying they agreed to follow rules. But not only did alleged rule-breaking continue (including stealing and subletting their jobs to others), 45 percent of the employees never signed the form, with “no apparent ramification,” the CAO said.
“The public is rightfully very upset about how this was handled in the past, and that this egregious example that’s now being criminally investigated was allowed to occur,” Virginia Republican Rep. Barbara Comstock said.
“We just can’t have this ever happen again,” said Gregg Harper, the Republican chairman of the Committee on House Administration.
CAO Kiko, IG Ptasienski and Sergeant-at-Arms Paul Irving all recommended abolishing the job of “shared employees” like Awan, and they repeatedly referenced members refusing to discipline IT aides who break rules.
Despite frequently condemning hacks, members refused the proposal, citing their desire for autonomy, multiple officials said at the hearing.
The officials didn’t specify which members opposed the proposal to reduce vulnerabilities to hacking, though many Republicans use contractors rather than “shared employees.” The primary advantage shared employees have over contractors is federal job benefits. All of the Awans’ 44 employers were Democrats.
The CAO said that a “working group” composed of the House’s cybersecurity experts and law enforcement concluded that it was “impossible” to fix the vulnerabilities of employees like Awan because a lack of oversight was inherent in the structure, in which his working for numerous different members impeded efficient systems of accountability.
“When risks and/or noncompliance with House policies have been identified,” he said, “corrective actions by House officers are greatly delayed by the required coordination with shared employees’ multiple employing authorities.”
“It is impossible to eliminate the vulnerabilities posed by the use of shared employees without making significant changes to the employment structure itself. … Replacing the shared employee management structure with an independent contractor arrangement would provide the CAO with the required authority to enforce compliance,” he said.
The proposal was nonetheless blocked because “Members expressed a strong desire to keep shared employees on as House employees instead of contract employees.”
Irving said the congressmen’s desires were at odds with the interest of the United States. “Ultimately it is the balance between the member interest and the governmental interest,” he said.
As a result, the group of experts tasked with finding a solution to IT vulnerabilities was forced to dial back its proposal. “Members would be able to hire who they wanted but as part of those employees’ performance standards maybe there could be something in there that said they had to comply with House policies, and then if they wouldn’t, we could deny access or tell the member about it, or elevate it to the committee, and I think that’s how you could have it both ways,” CAO Kiko said.
“I would also encourage all House offices to require strict adherence to the established standards as a condition of employment,” Sergeant-at-Arms Paul Irving said.
“For the proposed standards to be effective, it would be imperative that House offices that employ or would like to employ a shared employee require adherence to the established standards as a strict condition of employment,” Kiko added.
Debbie Wasserman Schultz refused to fire Awan despite the inspector general’s allegation that he made “unauthorized access” to House data. After the IG made his claims public, the server that the IG said contained evidence was physically stolen, according to three senior government officials.
Wasserman Schultz kept paying Awan as her IT professional after House authorities banned him from the network. She claimed Awan didn’t need to connect to the internet to do the job. Capitol Police later found that Awan took a laptop belonging to her office and left it in a phone booth, where it was discovered late at night. The username was RepDWS. She still didn’t fire him.
“Termination, now it’s the member’s responsibility. … We can revoke everything but they could still be employed,” the CAO said. He added that his office should have the authority to override members who would want to keep a rule-breaker on the government network.
“At the end of the day you have to make sure you protect the House of Representatives, even if that upsets someone,” Harper said.
The inspector general confirmed The Daily Caller News Foundation’s story that all members exempted Awan and his relatives from background checks, missing a slew of red flags. All 44 of the Democrats who employed him had ignored TheDCNF’s request for comment on that story. “As of September 2016, however, we were only able to identify one instance where a shared employee had a background check performed by the House,” the inspector general said.
“House officers cannot compel background checks or compliance with applicable House policies,” the CAO said.
A Republican official close to the investigation has said that Democrats who employed Awan are refusing to assist in his prosecution. No one has been charged more than a year after server logs showed “unauthorized access” and computers containing evidence physically disappeared. The apparent reluctance by members to discipline bad IT aides, or even to tighten the rules, appeared to parallel the dynamic in the criminal case, and is especially odd considering Democrats’ frequent lamentations about cybersecurity in the context of the 2016 election.
GOP Georgia Rep. Barry Loudermilk highlighted that IT aides could expose constituent information and face no consequences because of the policy’s toothlessness. “Especially if they disclose information we have on constituents or information we’re working on… Does [the policy] spell out what penalties there are, i.e. you can go to jail?” Loudermilk asked.
“There aren’t any penalties,” the CAO replied.
CAO Kiko described “egregious” behavior by Awan, saying “CAO’s Office of Acquisition Management detected and flagged unusual invoices originating from five shared employees who served more than 30 House offices. The invoices, as submitted, were structured in a way to avoid the House’s $500 equipment accountability threshold. Upon further investigation into the five shared employees’ activities, the House IG discovered evidence of procurement fraud and irregularities, numerous violations of House security policies, and violations of the Committee’s Shared Employee Manual, etc.”
He did not elaborate on those violations.
“The bookend to the outside threat is the insider threat. Tremendous efforts are dedicated to protecting the House against these outside threats, however these efforts are undermined when these employees do not adhere to and thumb their nose at our information security policy, and that’s a risk in my opinion we cannot afford,” CAO Kiko said.
Chairman Harper said, “While I will not discuss details of an ongoing criminal investigation, our goal is to make sure that we secure the House for the future so that nothing like that happens again.”
The Awans filed ethics forms that failed to disclose their full finances, including an LLC with ties to an Iraqi government minister. The hearing noted that numerous other aides failed to file the forms without anyone noticing.
CAO Kiko noted that some IT employees wrongfully “perform work offsite without approved telecommuting arrangements” without the members stopping them. That includes logging in from Pakistan, Republican Rep. Louie Gohmert alleged on “Fox & Friends.”