RD WYDE COMMITTEES: OREGON COMMITTEE ON FINANCE COMMITTEE ON BUDGET COMMITTEE ON ENERGY NATURAL RESOURCES RANKING 0N ?ani $tgt?5 [ngt? SELECT comma: ON INTELLIGENCE JOINT COMMITTEE ON TAXATION WASHINGTON, DC 20510?3703 221 DIRKSEN SENATE OFFICE BUILDING WASHINGTON. DC 20510 (202) 224?5244 April 20, 2017 Honorable Richard Shelby Chairman, Committee on Rules and Administration United States Senate Washington, DC 20510 Honorable Amy Klobuchar Ranking Member, Committee on Rules and Administration United States Senate Washington, DC 20510 Dear Senators Shelby and Klobuchar: As you know, the cybersecurity and foreign intelligence threats directed at Congress are signi?cant. However, the Senate is far behind when it comes to implementing basic cybersecurity practices like two-factor authentication. Two?factor means in addition to requiring a password to log in to a computer system (?something you know?), a user can be required to have a second form of authentication (?something you have?). Often, this second factor is a physical object, such as an ID card, a USB key, or a smartphone. In the executive branch, employees are issued Personal Identity Veri?cation (PIV) cards, which, in addition to serving as a form of photo identi?cation, also contain a smart chip which they can use as a second-factor to log in to their computers. By mid-2016, eighty percent of all agencies were using PIV cards to log in to federal IT systems. Today, the Senate neither requires nor offers two-factor authentication as an additional protection for desktop computers and email accounts. The Senate Sergeant at Arms does require two-factor authentication for staff who wish to log in to Senate IT systems from home, using a Virtual Private Network. This is a good ?rst step, but the Senate must go further and embrace two-factor authentication for the workplace, and not just for staff connecting from home. Moreover, in contrast to the executive branch?s widespread adoption of PIV cards with a smart chip, most Senate staff ID cards have a photo of a chip printed on them, rather than a real chip. Given the signi?cant investment by the executive branch in smart chip based two-factor authentication, we should strongly consider issuing our staff real chip-based ID cards and then using those chips as a second factor. It is critical that the legislative branch is able to secure our systems from hackers and foreign governments. This includes deploying two-factor authentication and other industry-standard 911 NE 11TH AVENUE 405 EAST 8TH AVE SAC ANNEX BUILDING US. COURTHOUSE THE JAMISON BUILDING 707 13TH ST, SE SUITE 630 SUITE 2020 105 FIR ST 310 WEST 6TH ST 131 NW HAWTHORNE AVE SUITE 285 PORTLAND, OR 97232 EUGENE, OR 97401 SUITE 201 ROOM 118 SUITE 107 SALEM, OR 97301 (503) 32677525 (541) 431?0229 LA GRANDE, OR 97850 MEDFORD, OR 97501 BEND. OR 97701 (503) 589?4555 (541) 962?7691 (541) 858?5122 (541) 33029142 PRINTED ON RECYCLED PAPER cybersecurity technologies. Accordingly, I urge you to direct the Senate Sergeant at Arms to require two?factor authentication for all Senate IT systems. Sincerely, Ron Wyden United States Senator