Cell phones don't belong in SCIFs, says Republican congressman

Rep. Mike Rogers says his phone was infected by Russian malware three years ago. Also, why he believes we need fewer federal cybersecurity agencies and election laws.

Russian flag overlay / mobile phone / wireless signals / data
Metamorworks / Morrison1977 / Getty Images

Representative Mike Rogers (R-AL), ranking member of the House Homeland Security Committee, had a lot of thoughts to share during and after a speech he gave at the CyberTalks conference today. Most timely among Rogers’ positions is the notion that no one should bring cell phones into a Sensitive Compartmented Information Facility (SCIF), a secure facility designed to prevent electronic eavesdropping on classified or sensitive information.

The idea of bringing cell phones into SCIFs got a lot of play in Washington yesterday after more than 30 Republicans forced their way into a SCIF in the House of Representatives where House Intelligence Committee Chairman Adam Schiff (D-CA) is holding impeachment depositions. Some of them were photographed going into the SCIF with cell phone devices and a few of them seemingly tweeted directly from the SCIF. Representative Alex Mooney (R-WV) sent audio from the SCIF via his Twitter account.

The breach of the SCIF with devices considered unsafe in highly secured settings prompted the Chairman of the Homeland Security Committee, Bennie G. Thompson (D-MS), to send a letter to the House Sergeant at Arms Paul Irving demanding that all the members who brought cell phones into the SCIF be reprimanded for the “blatant breach of security.”

Talking with reporters after his formal talk at the conference, Rogers was asked if it is problematic for lawmakers to bring phones inside the SCIF. “Absolutely. I agree with that,” he said, but couldn’t specify what punishment should befall those who do so because “I’m not in leadership.”

Regarding Thompson’s letter to the Sergeant at Arms, Rogers said, “He didn't point to any specific member that violated a SCIF requirement of bringing phones or anything. He just made this global statement that members ought to be reprimanded.”

Risk of foreign malware on legislators’ devices

One major reason for prohibiting cell phones inside SCIFs is that foreign adversaries can easily implant malware on the devices and turn them into what are essentially listening or surveillance devices. That’s why cell phones belonging to high-level legislators are prized targets for nation-states looking to gain insight into classified and other sensitive meetings.

Rogers knows well just how enticing a target the cell phones of Members of Congress can be to foreign adversaries. “When I was in Eastern Europe about three years ago, I came back and my phone had all kinds of Russian crap on it,” he told reporters. “We had to destroy that phone. Now I take burner phones over there.”

Despite the uproar over cell phones in the SCIF, it’s possible that the tweets weren’t actually coming from inside the facility. A source speaking on background maintains that the members who entered the SCIF couldn’t have actually used their devices to communicate with the outside world because the SCIF uses cell phone jamming technologies that block communications.

These jamming technologies are illegal in the U.S. but are permitted for use by law enforcement in certain circumstances. It’s possible that the House Sergeant at Arms who is responsible for the secure operations of Congress has an exemption to use these technologies. However, if the SCIF is equipped with jamming technologies, it’s not clear how the Republican members managed to communicate with anyone, staff included, from inside the SCIF.

The source speaking on background says that the members’ staff were inside a hallway outside a tight security zone and were able to see and talk with their bosses and then tweet outside the SCIF, although the logistics of how such a message hand-off would work are unclear. As for Mooney’s tweeted audio, he says in the audio itself that he was calling not from a cell phone but some sort of secure phone within the SCIF.

Neither the Sergeant at Arms nor the House Intelligence Committee responded to requests for confirmation of jamming technologies inside the SCIF or clarification of how the tweeted communications occurred.

Too many federal cybersecurity agencies

Despite the attention the SCIF breach has generated, Rogers focused on big-picture cybersecurity policy priorities in his formal talk at the conference. One of these priorities is to strengthen the newly formed Cybersecurity and Infrastructure Security Agency (CISA), an arm of the Department of Homeland Security that Rogers championed.

“At this point Congress and the executive branch should do everything we can to see CISA is a well-oiled machine,” he said.  “I will work to make sure it is the one voice for all federal government agencies.”

Toward that end, Rogers would like to see cybersecurity offices in other government departments and agencies eliminated or placed under CISA. “What does concern me is that other departments and agencies are creating their own cybersecurity offices. We can't have multiple agencies undermining each other.”

Later, in talking with reporters, Rogers indicated that the Energy Department’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) is one government cybersecurity arm that could be eliminated because its functions are duplicative to that of the National Cybersecurity and Communications Integration Center (NCCIC) at CISA. “CISA needs to be in charge. We don't need to have three different agencies or five here. They could have cybersecurity systems as long as it’s under CISA, so it's one entity.”

“No need” for election security legislation

Finally, in talking with reporters, Rogers said that he agreed with Senate Majority Leader Mitch McConnell’s (R-KY) decision this week to block the Senate’s consideration of three election security bills that have been passed by the House of Representatives. The three bills, the Honest Ads Act, the Election Security Act, and the Securing America’s Federal Elections (SAFE) Act, each address a different aspect of election security that caused problems during the 2016 presidential election.

“There has been no evidence of any election tampering in any state in recent memories. There was no need for us to start sticking our nose in there,” he said. “What we agree on is that there have been many efforts for decades, by bad actor governments to promote disinformation through media platforms. But there's been no evidence of tampering in elections. So, he [McConnell} just felt strongly that we didn't need to go there."

Copyright © 2019 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.