Following House IT staffer's arrest, experts call for more vetting, better cybersecurity

1280x960_70119P00-VDSGR (1).jpg
Questions are being asked about cybersecurity and vetting of technology aides in congressional offices. (Photo: MGN)

The arrest of a technology staffer who until recently had access to the computers and networks of several Democratic members of Congress on a bank fraud charge has elevated concerns about the security of lawmakers’ sensitive information and the thoroughness of their employee vetting efforts.

Imran Awan was arrested Monday night at Dulles Airport as he prepared to board a flight to Pakistan. Federal prosecutors allege he and his wife provided the Congressional Federal Credit Union with false information to obtain a home equity loan.

According to a criminal complaint, Awan and his wife, Hina Alvi, lied about their primary residence on their loan application and failed to disclose rental income. While they claimed the $165,000 loan was for home improvements, records show the funds were wired to individuals in Pakistan.

Court documents state that Alvi abruptly pulled the couple’s three children from school in early March and boarded a flight to Pakistan with many pieces of luggage and $12,400 in cash. Although she had a return ticket booked for September, investigators do not believe she ever intends to come back to the U.S.

Awan made his first court appearance Tuesday and has been released under a High Intensity Supervision Program, with a preliminary hearing set for August 21.

Awan and Alvi have been under intense scrutiny since it was revealed in February that they, two relatives and another person who worked as IT staffers for various House Democrats were under criminal investigation by Capitol Police for allegedly stealing equipment and committing potentially illegal violations on the House IT network.

They were barred from accessing the House networks at that point and most representatives involved fired them. Awan remained on the payroll of former Democratic National Committee Chairwoman Rep. Debbie Wasserman Schultz, whom he had worked for since 2005, as an adviser until his arrest this week.

No arrests have been made in that investigation, and the bank fraud charge does not appear to be directly related, but additional details about their finances, their businesses, and their family life have spilled out in recent months.

The Daily Caller has reported extensively on police reports and court records involving Awan and other family members, including bankruptcy filings, an alleged loan from an Iraqi fugitive with links to Hezbollah, complaints that they were not showing up for work, and reported wiretapping and threatening of other relatives.

Over the last eight years, the five staffers were paid a total of more than $4 million by Democratic lawmakers. While none had security clearance or access to classified information, their positions would have provided opportunities to view emails, calendars, and other sensitive documents.

All of this has generated wild speculation in conservative media that Awan was the source of the hacked DNC emails released by WikiLeaks last summer that led to Wasserman Schultz’s resignation as chairwoman. Those claims appear to have kicked into overdrive since his arrest.

“Here’s the corrupt IT guy standing at the shoulder of Debbie Wasserman Schultz, arrested at the airport trying to flee,” Geraldo Rivera said on Sean Hannity’s Fox News show Tuesday. “Charged with stealing hundreds of thousands, maybe million, of dollars. What if he was the source to WikiLeaks?”

President Trump picked up on the story Thursday, tweeting a link to a Townhall article about the lack of media coverage it has received.

"For months we have had utterly unsupported, outlandish, and slanderous statements targeting Mr. Awan coming not just from the ultra-right-wing 'Pizzagate' media but from sitting members of Congress,” Awan’s attorney, Charles Gowen, said in a statement to Buzzfeed. “Now we have the Justice Department showing up with a complaint about disclosures on a modest real estate matter.”

Gowen did not respond to a request for comment Thursday.

Rep. Louie Gohmert, R-Texas, has been particularly vocal with his suspicions about the case, taking to the House floor earlier this year to read from Daily Caller articles and suggest that political correctness led Democrats to endanger the security of the House’s networks out of fear of being branded Islamophobic.

“They don't want to ever be perceived as being bigoted because they are not,” he said in March. “But they have gone so far overboard in trying to show how open-minded they are, they have exposed this body to security breaches that are really unbelievable.”

Speaking to Sinclair Thursday, Gohmert said many questions remain unanswered.

“We don’t know what they did,” he said. “We don’t know if they got information that could be used to blackmail.”

Congressional IT staffers do undergo background checks, but if another member wants to hire the same employee—as was the case with Awan and his relatives—they can just sign a form accepting the first member’s screening.

“Somebody has got to do a background check and not have everybody sign a form saying they already had one when no one got them,” Gohmert said.

Two House Democrats who did not employ Awan or his relatives acknowledged Thursday that no hiring system is infallible, but each member is responsible for screening their own staff in their own way.

“It’s like 535 separate princely courts, so everyone has their own system,” said Rep. Gerry Connolly, D-Va. “There’s no central system for vetting staff and over the years it’s by and large mostly worked well.”

Even the most thorough background check cannot eliminate all possible risks.

“Hiring anyone in any profession is an act of faith,” Connolly said. “There’s an intuitive quality that I think I can trust this person. You do the best you can in vetting and references and looking at past history, but ultimately you’ve got to trust the people that work for you and sometimes that trust is betrayed.”

According to Rep. Bill Keating, D-Mass., House staffs are small enough that there is an opportunity to closely review hiring decisions.

“Is it a perfect system?” he said. “No. It isn’t in the private sector either.”

According to Mark Strand, president of the Congressional Institute and a former longtime Capitol Hill staffer, there are no examinations, qualifications, or certifications required to ensure that technology aides are properly trained.

“A member of Congress can hire someone because they like them or they have a good feeling about them,” he said.

By design, each member is independent and operates their own staff. They also decide for themselves how strictly they secure data.

“The security of information starts with the member themselves and how seriously they take protection of information,” Strand said.

According to cybersecurity expert Morgan Wright, the allegations in this investigation highlight the need to ensure the integrity of people who are provided access to the network. Even without clearance to view classified information, one can piece together quite a bit from emails and schedules.

“I don’t need to have access to classified information to figure out what’s going on…. You can do traffic analysis,” Wright said.

James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, said the potential for damage to national security and access to compromising information is high with poorly-vetted IT staff.

“Any contractor, staffer, IT technician, remote administrator, or anyone else with prolonged and/or unrestricted access to Congressional systems can: install malicious programs (custom malware, RATs, keyloggers, etc.); alter sensitive security settings such as remote access or firewall rules; connect unapproved devices or drives; laterally access confidential systems or networks; or exfiltrate valuable data such as emails, schedules, notes, etc.,” he explained in an email.

Reports that smashed hard drives were found in Awan’s home and that data may have been placed on off-site servers set off more alarms for experts.

“That should never be allowed inside the government,” Wright said.

Any unapproved offsite storage or removal of sensitive information poses a security threat, according to Scott.

“The confidentiality, integrity, and availability of data must be secured according to its value, wherever that information is stored, whenever it is transmitted, and however it is processed,” he said. “Any lesser precaution is dangerously irresponsible and could be criminally negligent.”

While Awan has so far faced no official accusation of wrongdoing with regard to his IT work, Wright said his arrest for an alleged crime of dishonesty “is a glaring neon red sign that says, ‘Investigate me now.’”

“Most likely, he was doing this at the same time he had access to all this information,” he said.

Experts agree that any staffer with access to the House network should undergo a thorough background check, even if they are ostensibly not handling classified information.

“Anyone accessing Congressional systems, networks, or data, should be thoroughly vetted and reviewed with a focus on their integrity, reliability, and competence,” Scott said. “Background checks, reviews of communications, financial disclosures, psychological evaluations, credible references, sustained and reputable job histories, and other metric should be mandatory when determining whether an individual can be trusted with even minimal access to Congressional systems.”

He added that robust cybersecurity and cyber-hygiene training may be required to ensure that all staff handle data appropriately.

Convincing members to understand these risks and implement such safeguards could prove difficult, even if understanding of cybersecurity and threats has grown significantly in recent years.

“It’s new to them,” Strand said. “It’s a dramatically different world than it was even ten years ago. The question is whether they can keep up with it.”