Joshua Marshall has the story of the investigation into the leaked Democratic memos at the Senate Judiciary Committee. Marshall repeats the San Francisco Chronicle article that leads off with a technical inaccuracy. A full read of the article reveals that the Committee has 4 servers, and no mention of separate secure data networks. This is not how systems are usually designed on Capital Hill. All four servers were likely all attached to one network. The reporting that data was obtained from “the secure computer networks of two Democratic senators” is most likely factually untrue. The data was on one or more servers reserved for the use of the Democratic senators. The Committee network would be home to all the members and staffers data. The use of the space on the servers would be allocated for use by various groups and individuals. There is a difference – The Chronicle article attempts to make the access more sinister than it was.
Kevin Drum, in the title to his post Republican Hackers, introduces more sinister language by using the term “hacking”. At this point this is baseless a leap forward in the allegations. Based on what evidence is the term “hacking” being applied? It certainly isn’t based on any information presented by Committee Chairman Orin Hatch. There is no mention of the term hacking by Hatch, in fact there is an explicit avoidance of any characterization other than that files had been “improperly accessed.”
Note to bloggers: hacking and improper access are not synonyms. Hacking typically involves defeating established security and access control mechanisms. As foreign as the concept may seem, Congress utilizes the latest in LAN technologies. All users have accounts with varying levels of access controls. There are always super user accounts that have access to all files regardless of the access controls in place.
Before rushing to conclusions, especially in the absence of facts, you must eliminate the most likely scenario before jumping to your own conclusion. No one has yet produced a shred of information that anything more than unauthorized access occurred (i.e. a user accessed a file in a location that they were not supposed to have rights to or normally access). Regardless of the access controls in place there is always at least one account with the ability to override those controls. The LAN administrator was likely a Republican staffer hence, given the lack of publicly available information to this point, the most likely suspect. No hacking required.
In addition the likelihood of internal hacking, as opposed to unauthorized access, is greatly diminished in cases where the unauthorized access is internal rather than external.
Atrios ominously includes the text of 18 U.S.C. 1030 (a)(3) concerning U.S. Government data security. He fails to note, that as with most laws, Congress is exempt***. There is a reason that most of the discipline is handled internally in Congress: A) Both parties like it that way; and B) Most laws don’t explicitly apply so Congressional rules are used instead.
None of this is intended to diminish the significance of the allegations. Staff members found responsible should be terminated and tighter security should be enforced. As someone with Capital Hill IT experience I can attest to the often conflicting demands and requirements placed on IT support staff and vendors by elected officials. Committees are the demark point where information from both sides of the aisle are available on a shared system. The system in place was put in place by both Democratic and Republican members and any lapses in security are likely well known by industrious staffers in both parties. In this case it appears staffers were caught, but it is delusional to think that this is the first occurrence or that either party has a monopoly on “hijinks” when it comes to the Committee networks. I’ve been involved with those systems and users in the past – I’ll leave it at that…
*** I do not explicitly know that Congress is exempt from this act, but it not listed here as applicable.
Update: Matthew Stinson notes that this kind of action is hardly unique. John Cole wonders how dumb are Democrats . To his credit Daily Kos is a little less expansive with the known facts in reporting the story.