House investigators concluded that Democratic IT aides gained unauthorized access to congressional servers in 2016, allegedly accessing the data of members for whom they did not work, logging in as members of Congress themselves, and covering their tracks, according to a presentation summarizing the findings of a four-month internal probe.
Their behavior mirrored a “classic method for insiders to exfiltrate data from an organization,” and they continued even after orders to stop, the briefing materials allege. There are indications that numerous members’ data may have been secretly residing not on their designated servers, but instead aggregated onto one server, according to the briefing and other sources. Authorities said that the entire server was then physically stolen.
The presentation, written by the House’s Office of the Inspector General, reported under the bold heading “UNAUTHORIZED ACCESS” that “5 shared employee system administrators have collectively logged into 15 member offices and the Democratic Caucus although they were not employed by the offices they accessed.”
It found indications that a House “server is being used for nefarious purposes and elevated the risk that individuals could be reading and/or removing information” and “could be used to store documents taken from other offices.” The server was that of the House Democratic Caucus, a sister group of the DNC that was run at the time by then-Rep. Xavier Becerra.
One systems administrator “logged into a member’s office two months after he was terminated from that office,” the investigative summary says.
While the rules could have been violated for some innocuous purpose, the presentation indicates that is unlikely: “This pattern of login activity suggests steps are being taken to conceal their activity.”
- Logged onto laptop as system administrator
- Changed identity and logged onto Democratic Caucus server using 17 other user account credentials
- Some credentials belonged to Members
- The shared employee did not work for 9 of the 17 offices to which these user accounts belonged.”
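The login pattern the presentation describes (access to offices that do not employ the administrator, a login after termination, and one operator using many other users' credentials) can be checked mechanically against logon records. The following Python sketch is an added example, not part of the article or the Inspector General's materials; the roster, account names, dates and the `max_borrowed` threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed roster: operator -> {office: (hire date, termination date or None)}
ROSTER = {
    "admin_a": {"office_1": (date(2015, 1, 5), None),
                "office_2": (date(2015, 1, 5), date(2016, 3, 1))},
    "admin_b": {"office_3": (date(2014, 6, 2), None)},
}

# Constructed logon records:
# (day, operator who owns the laptop session, account used, office owning that account)
LOGONS = [
    (date(2016, 4, 4), "admin_a", "admin_a", "office_1"),
    (date(2016, 4, 4), "admin_a", "member_x", "office_4"),
    (date(2016, 4, 5), "admin_a", "staff_y", "office_5"),
    (date(2016, 5, 2), "admin_a", "staff_z", "office_2"),
    (date(2016, 4, 6), "admin_b", "admin_b", "office_3"),
]


def review(logons, roster, max_borrowed=1):
    """Return a sorted list of (operator, finding, detail) tuples."""
    findings = set()
    borrowed = defaultdict(set)  # operator -> other users' accounts they logged on with
    for day, operator, account, office in logons:
        if account != operator:
            borrowed[operator].add(account)
        span = roster.get(operator, {}).get(office)
        if span is None:
            # The operator was never on this office's payroll.
            findings.add((operator, "not-employed-by-office", office))
        elif day < span[0] or (span[1] is not None and day > span[1]):
            # Employed by the office at some point, but not on the day of the logon.
            findings.add((operator, "outside-employment-dates", office))
    for operator, accounts in borrowed.items():
        if len(accounts) > max_borrowed:
            findings.add((operator, "many-identities", str(len(accounts))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(LOGONS, ROSTER):
        print(finding)
```

Tying each logon to the operator behind the workstation session, rather than only to the account name presented to the server, is what makes the identity switching visible.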
The statements of numerous Democrats indicate that the Democratic staff of the House Administration Committee and other House officials may have withheld information about cybersecurity breaches from members who employed the suspects, and appear to have misled them about the basic nature of the investigation.
“This is the first I’ve heard about that,” said Missouri Democratic Rep. Emanuel Cleaver—who employed almost every member of the Awan group—of cybersecurity issues.
“The only thing I’m aware of is that he’s being charged with bank fraud,” Democratic Rep. Joaquin Castro, who employed Jamal and is a member of the intelligence committee, told TheDCNF. “Do you have evidence that there’s anything more than a bank investigation? If someone’s given you a document to that effect, please give it to me.”
In early February, House Sergeant-At-Arms Paul Irving, Chief Administrative Officer Phil Kiko, and Jamie Fleet, the Democratic staff director of the Committee on House Administration, summoned affected chiefs of staff to a meeting to announce that the family was being banned from the network. Republican staff was not present, and the briefers omitted all mention of the cybersecurity component that appears to comprise the most dangerous part of the findings, according to numerous Democrats’ accounts.
“House Officials became aware of suspicious activity and alleged theft committed by certain House IT support staff,” the statement read. “An internal investigation determined that a number of House policies and procedures had been violated. This information was turned over to the United States Capitol Police and their investigation is ongoing. These employees have also been blocked from accessing House systems. All offices impacted have been contacted. No further comment will be issued until the investigation is complete.”
But that internal investigation’s most notable findings—in fact, the second presentation didn’t even mention theft—concerned credible evidence of a cyber-breach, and at the time of the announcement, the most recent incident of theft consisted of the disappearance of a server that was evidence in a cybersecurity probe, several authorities said.
There is no scenario where the access was appropriate because House members are not allowed to accept services from people not on their payroll and employees are not permitted to log in to servers of members for whom they do not work. The presentation notes that such House policies are codified in law.
But nearly a year later, there have been no criminal charges related to House IT. Two of the suspects were indicted for bank fraud in July after prosecutors said they transferred money from the House bank to Pakistan and tried to flee the country.
An IT aide told TheDCNF that colleagues deployed to clean up after the Awans’ firing discovered that in many offices, computers were set up to be nothing more than “thin clients” that were portals to an outside computer. “They were using terminal servers, your desktop is projected to you” from a computer in a different location.
The presentation—though its language is at times opaquely technical—found remote sessions that remained active for months at a time. The House commonly uses Citrix remote sessions that allow someone’s computer screen to show the contents of a different computer, but its security precautions ordinarily cause them to disconnect after just a few minutes. Virtual Private Networks can also make a server’s hard drive appear to be local to a computer.
A House committee staffer close to the probe told TheDCNF that “the data was always out of [the members’] possession. It was a breach. They were using the House Democratic Caucus as their central service warehouse.”
“All 5 of the shared employee system administrators collectively logged onto the Caucus system 5,735 times, an average of 27 times per day… This is considered unusual since computers in other offices managed by these shared employees were accessed in total less than 60 times,” the presentation reads.
That, too, may imply that dozens of members’ data was all in one place—on the Caucus’s server instead of in members’ possession. The apparently constant access by the entire crew, even their friend Rao Abbas, also doesn’t jibe with The Washington Post’s claim that they were using it as a family computer for homework and photos.
With the basics of the probe hidden from members, Democrats appear to have vocally painted an inaccurate picture of what the report alleges occurred, pointing to the current criminal charges instead of the House’s investigation while not taking any steps to protect potentially compromised data.
Prosecutors contend in court filings that they committed bank fraud and tried to flee because they found out about the already-existing investigation into their House activities.
Becerra’s House Democratic Caucus knew about problems and tried to stop them, according to the presentation, but the suspect defied him. Based on other members’ accounts, Becerra does not appear to have warned other offices that might have been affected.