The US Congress is really not taking cybersecurity seriously – Senate employees have been issued with pretend smartcards that are made to look like actual federal ID cards, but are actually completely insecure.
Senator Ron Wyden has written a letter to the Senate's Committee on Rules and Administration pointing out that Senate employees have been issued with ID cards that carry only a photo of the integrated circuit chip found on the proper smartcards issued to other government agencies, not the chip itself (first spotted by Ars Technica). Bizarrely, Senate employees only have to type in a password when they access federal IT systems.
The US Government Accountability Office has been warning for years that federal information security is really bad, and it was proven right when the Office of Personnel Management (OPM) had a data breach back in 2015.
One of the lessons to come out of Congressional hearings about the breach was that federal agencies needed to implement two-factor authentication, namely a password plus a government-issued smartcard ID, known as Personal Identity Verification (PIV), which has digital authentication keys programmed into a chip.
The idea is that this would make it much harder for people to gain unauthorised access to federal IT systems, and President Obama pushed for more agencies to roll out smartcards for authentication, to the extent that 80% of all federal agencies are now using the PIV technology.
However, hilariously, the US Congress never took its own advice.
"In contrast to the executive branch's widespread adoption of PIV cards with a smart chip, most Senate staff ID cards have a photo of a chip printed on them, rather than a real chip. Given the significant investment by the executive branch in smart chip based two factor authentication, we should strongly consider issuing our staff real chip-based ID cards and then using those chips as a second factor," Senator Wyden writes.
"It is critical that the legislative branch is able to secure our systems from hackers and foreign governments. This includes deploying two-factor authentication and other industry standard cybersecurity technologies. Accordingly, I urge you to direct the Senate Sergeant at Arms to require two factor authentication for all Senate IT systems."