House Working to Shore Up Security of Congressional Websites

The House of Representatives (Rob Kunzig/Morning Consult)

In an effort to better protect congressional websites against cyberattacks and hacking, the House is in the process of converting to hypertext transfer protocol secure encryption, a digital system used by many federal agencies, according to the office of the House Chief Administrative Officer.

“The House maintains a robust cybersecurity program to counter constantly-evolving threats,” Dan Weiser, CAO’s communications director, said this week in a statement to Morning Consult, before Wednesday’s shooting that injured House Majority Whip Steve Scalise (R-La.) and four other people. “As part of that, the House is converting all of its sites to HTTPS and expects to complete the transition in the near future.”

In the commercial space, HTTPS helps protect customers’ credit card numbers and other personal information from being intercepted by someone else.

House officials say the added encryption protocols will allow for better privacy and data security between users’ servers and the congressional websites that they visit. When completed, HTTPS will authenticate digital visitors’ desired House websites and certify that they have not been intercepted or redirected while connecting.

The move comes after a March report from the Information Technology and Innovation Foundation graded popular websites across all three branches of government and found that legislative and judicial branch sites had lower security scores than their executive branch counterparts. A follow-up report in May by ITIF said legislative, judicial and independent agencies’ websites are often less secure because they are not required to follow federal government standards from places like the Office of Management and Budget and the General Services Administration.

“Executive branch websites are required, in many circumstances, by OMB, or GSA or whoever to follow these standards,” Alan McQuinn, a research analyst with ITIF who authored the report on legislative websites, said in an interview. “In the legislative branch, the House Administration Committee runs all the House websites, the Sergeant at Arms runs all the Senate ones, and then the individual commissions or the agencies take their cues from the various committees that control all of the special appropriations, but there’s no overriding body that looks at all of this.”

McQuinn’s report found that 29 percent of the legislative branch websites examined had implemented domain name system security extensions, which prevent cyberattacks that direct users to malicious third-party websites; 90 percent of the most popular federal websites examined in the March report implemented the same protocol. Neither report analyzed the security of individual lawmakers’ websites.

The Senate has already transitioned to the default use of HTTPS encryption for senator and committee websites.

In addition to ongoing encryption efforts, the House Administration Committee detailed some additional security measures being taken to safeguard member and committee websites from hackers.

“The House continues to implement website security standards and best practices, such as requiring CAPTCHA on web forms that collect email addresses for newsletter subscriptions, as well as enforcing SSL/TLS encryption for all House websites,” Erin McCracken, committee communications director, said in a statement provided to Morning Consult. “We are continually looking at the threats and risks to House information and systems, and implementing ways to minimize those threats.”

Rep. Jim Langevin, a member of the Homeland Security Committee and a co-founder of the Congressional Cybersecurity Caucus, said congressional leaders “are taking all the necessary steps to make sure the House network in particular is as robust as possible.”

But the Rhode Island Democrat added that cyberattacks are an ever-evolving threat that will require House and Senate leaders to remain on constant alert.

“Cybersecurity is always a moving target, and there never will be just one prescriptive measure that you can take that will guarantee 100 percent security,” Langevin said in an interview. “I’m pleased with the steps the House has taken so far, but you can’t just sit back and say you’ve done enough. We have to be constantly vigilant, we need to make sure that we’re staying up with the latest technology, and when there are steps that we can take that can make the Capitol more secure, we should move forward with implementing those additional strict protocols.”

Morning Consult