Sen. Ron Wyden has been a squeaky wheel about the US Senate's weak security posture for a while. In April, the Oregon Democrat raised objections over the lax physical security measures for Senate staff—including ID badges that carry only a picture of a smart chip, like the chips on other access cards used across government agencies, rather than an actual chip, and that provide no access controls. Now, as the November mid-term election approaches, Wyden has written a letter to Senate leadership decrying the lack of assistance that the Senate's own information security team can provide in protecting senators' accounts and devices from targeted attacks, even as evidence mounts that such attacks are being staged.

According to Wyden, his office had discovered that "at least one major technology company" had recently detected targeted attacks against members of the Senate and their staffers—and that these attacks had apparently been staged by groups tied to foreign intelligence agencies.

Microsoft reported thwarting spear-phishing attacks staged by a group tied to Russia's Main Intelligence Directorate (GRU) against members of the Senate in August. And the US Senate's own systems have been targeted in the past, including a June 2017 effort by the same GRU group (known as "Fancy Bear," "Pawnstorm," and "Sofacy") that created a server spoofing the Senate's own Windows Active Directory Federation Services (ADFS), according to a report from Trend Micro.

Current law and Senate rules allow the Senate's Sergeant at Arms (SAA) Office—which oversees Senate computers, telecommunications, and technology support services (among other things)—to handle security only for systems specifically owned by the Senate. But the SAA does not handle security for mobile devices or other Internet-based services. The SAA team has a lot on its plate already—and has a few information security job openings at the moment. But with information security within Senate offices left largely to senators and the staffers themselves beyond their senate.gov email accounts and the Senate's physical network, there remains a significant attack surface for foreign adversaries to target.

In his letter, a copy of which was obtained by the Associated Press, Sen. Wyden told Senate Majority Leader Mitch McConnell, Minority Leader Chuck Schumer, Chairman of the Senate Committee on Rules and Administration Roy Blunt, and ranking Democratic committee member Amy Klobuchar of his "serious concern that the US Senate Sergeant at Arms apparently lacks the authority to protect US Senators and Senate staff from sophisticated cyber attacks directed at their personal devices and accounts." Wyden said he would be introducing legislation that would allow the Senate Sergeant at Arms, who oversees all Senate security, to provide cybersecurity support "on an opt-in basis" for senators and their staff.