No Congressional background check for IT contractor charged with fraud

Imran Awan was an IT contractor to members of Congress, with access to their email servers, yet not even a basic background check was conducted.

No Congressional background check for trusted insider raises concern
Matt Wade (CC BY-SA 2.0)

The ongoing case of Imran Awan, the trusted insider who used his access to the U.S. Congress to allegedly steal equipment and conduct bank fraud, continues to make news.

Two topics caused this curious case of the IT service provider and his unfettered access to the email servers of members of the House of Representatives to break through the normal Washington, D.C., noise.

The first was the rather loud and all-encompassing civil case filed in October 2017 by George Webb Sweigert (1:17-cv-02223-RC), which is a class-action lawsuit against the Democratic National Committee and others. Among those others is Imran Awan. The defendants have been making their case to be excluded from the class-action lawsuit. However, to date, I see no evidence that Awan has filed paper to be excluded.

The second was a continuation of Awan's own fraud case (1:17-cr-00161-TSC) from March 2018 to May 2018. In and of itself, it is not a thunderous issue save for the fact that the reason behind the continuance request, which the Department of Justice attorneys agreed, was shielded in “attorney client privilege” and not available to the casual court observer.

As readers will recall, Awan was brought to your attention when he was originally charged with bank fraud in the fall of 2017, and we asked the question: “Is he a white-collar criminal or something more sinister?”

That question still remains largely unanswered, and sadly, it appears the ability to dig into the past of Imran Awan has largely been forfeited.

Congressional staff fail to properly vet Imran Awan

Multiple media outlets picked up on the allegation within the Sweigert case that highlights and alleges that Awan was operating as a trusted member of the Congressional support staff without proper vetting.

Ever the skeptic, I did a bit of old-fashioned fact checking and lo’ and behold, the claim appears to hold water. The Daily Caller surfaced copies of emails from the WikiLeaks DNC-hack corpus that showed Awan was indeed the go-to person when members of the House of Representatives forgot their passwords and other routine IT admin functions. They produced, drawn from open-source congressional databases, the names, amounts and years that Awan provided these services. All told, approximately 80 members of Congress had obtained IT support from Awan.

Furthermore, the allegation that Awan and his family cadre were never required to undergo a basic background check also appears to hold water.

Basic Congressional background checks

The basic background check conducted by the Congressional administrative staff is not equal to the background check required for a national security clearance. The background check is more akin to what an applicant would be subjected to by any employer – Is this person a criminal? Does he have a lascivious past?

Congressional rules call for these types of background checks to be conducted. The Committee on House Administration guidelines (2009) has an entire section on shared staff and the need to conduct background checks. An excerpt:

Background Investigations: Due to the sensitive nature of the information to which Shared Employees may be exposed during day-to-day job functions, it is recommended that Member and Committee offices request a Capitol Police Criminal History Records Check on potential Shared Employees."

Why wasn’t a background check on Awan conducted?

The Daily Caller notes that the Privileged Account Access Form (pdf) used by the House, to garner access to IT services, allows the “authorizing official” to provide their assessment of trustworthiness via a background check in accordance with the guidance or via an attestation of trustworthiness.

pac form congress U.S. House of Representatives

U.S. House of Representatives Privileged Account Authorization Form

The Daily Caller called 44 members of Congress and found that none disputed that they had used the attestation option, but none would identify which of their colleagues provided the original attestation of trustworthiness. 

And thus, this is how the opportunity to understand more about Awan was lost, as there was no original background check conducted—one member of Congress told another that Awan was a good egg, and he was granted access. 

Perhaps the Awan case will cause the Committee on House Administration to close this loophole or risk becoming victimized by future cybersecurity issues when unvetted personnel demonstrate how to wreak havoc from their trusted insider position.

Copyright © 2018 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)