14 March 2004. A. pointed to an unredacted copy of this report:
Cryptome has inserted redacted names and omitted footnotes in red.
6 March 2004.
Honorable Orrin Hatch.
United States Senator
Of Senate Judiciary Chairman Orrin Hatch, (R-Utah)
And Ranking Member Patrick Leahy (D-Vt.)
On the Release of the Pickle Report
"Due to an administrative error, the unredacted version of the Senate Sergeant At Arms Report was mistakenly released to the media Thursday afternoon.
"There was no intention on anyone's part to release this version at this
time. We believe this report is accurate, but the version released contains
sensitive information and we ask that any members of the media and the public
respect the privacy of individuals named in the report, who were inadvertently
"A redacted version of the report is available on the Judiciary Committee's web site."
Honorable Patrick Leahy
United States Senator
Statement of Senator Patrick Leahy
Senate Judiciary Committee
Executive Business Meeting
March 4, 2004
Just three weeks ago Members of the Committee were briefed by the Sergeant at Arms on the preliminary indications of his 3-month investigation into the theft of computer files of Democratic offices by staff working for Republican Members of this Committee. Yesterday afternoon the Sergeant at Arms briefed Senator Hatch and me, again, and provided us with a copy of his report.
I commend Sergeant at Arms William Pickle and his staff for their diligent work. He has invested tremendous effort and professionalism into this investigation into this unprecedented case of partisan spying in the Senate. This investigation was prompted by Republican staff's infiltration of Democratic staff's computer files, the stealing of those files and then the dissemination of them to sympathetic activists and columnists. We know this inquiry was an arduous undertaking that required a great deal of skill and sensitivity and commitment, and Mr. Pickle and his staff deserve credit for meeting that challenge as well as they did without having the authority to compel testimony or to prosecute.
Today we hope to work together to begin the process of public accountability by making public the overall findings of the inquiry to date. Chairman Hatch and I want to consult with the other Members of the Committee to make available to them the information we have received and with them to make available to the public information about this matter without undercutting or compromising further investigation. Senator Hatch and I hope to make information available to the public by close of business today. To do that we will need the cooperation of all Members of the Committee. I also thank the press and the public for their patience with us today.
Establishing the basic facts was the essential first step in solving this crisis of confidence. Mr. Pickle and his investigators have invested three months to do that. Other steps are ahead of us. There are still outstanding questions that demand answers. We still do not know the full extent to which these confidential files were disbursed, and to whom. We do not know how the information obtained was used, and by whom, in or outside the Senate. We do not know who at the Department of Justice or the White House benefited from this wrongdoing and worked with staff of these Republican offices or their intermediaries. We do not know whether nominees are implicated. We cannot repair the damage that has been done until we know the answers to these questions.
I have commented little on this serious and far-reaching matter. Even while right-wing activists have been spreading lies and making absurd charges, I have tried to show restraint as this investigation got underway. I repeat that those who spied and stole internal, confidential drafts and memos of their Democratic counterparts bring dishonor to this Committee and to the Senate. Taking things that do not belong to you is wrong, and there is no excusing or whitewashing it.
I commend Chairman Hatch for acknowledging that this conduct was unacceptable, improper and unethical. I have likewise commended Senator Graham and others who have acknowledged the wrongdoing by those Republican staff implicated in this matter.
By mid-February it became clear that not just dozens but thousands of computer files were involved, and that the secret surveillance of legitimate and indeed essential staff work took place from at least 2001 into 2003. It appears that those involved in this theft not only used what they found for their own partisan purposes, but also periodically passed along material to extreme, partisan, right-wing activists from outside organizations, and to hand-picked, Republican-leaning columnists and media organizations friendly to their "win-at-all-costs" crusade. The investigation itself was triggered last November when more than a dozen computer files were distributed to newspapers on the Republican right and were posted on a partisan advocacy group's website.
Much remains to be learned about this breach. We still do not know who benefited from these thefts, how these computer files were used, and how and with whom they were shared inside or outside the Committee. We do not yet know for certain if judicial nominees who have passed through this Committee were coached for their hearings based on the stolen files or on information they contained. Over the last several days we have written to the White House and the Department of Justice inquiring what they knew about these matters. We do not have responsive answers to those inquiries.
What we do know is that all Members of this Committee thought their computer files were confidential. We do know that the confidentiality of our computer files was breached. This was wrongdoing by calculation and stealth, not by inadvertence or mistake. We know this was intentional, repeated, longstanding, systematic and malicious. We know this was carried on surreptitiously because those involved knew that what they were doing was wrong.
All Members of the Senate rely on the confidential reports and advice of their staff. The Senate could not fully operate in this modern world without being able to rely on our staff's research and analysis, which is now often prepared electronically, over computer systems under the control of the Sergeant at Arms. That expectation of privacy was clearly expressed by Republican and Democratic Members of this Committee in our brief discussions over the last couple of weeks. It is reflected in the joint letter Senator Hatch and I sent to GAO and in the letter Senators Cornyn, Craig, Chambliss, Graham and Sessions sent to the Sergeant at Arms on November 22 as his investigation was beginning.
Establishing full public accountability is the first step toward restoring the basic trust that is necessary for the Senate to function and fulfill its constitutional responsibilities. Prompt public dissemination of the basic findings of the Sergeant at Arms is a step in that direction.
It is time for the Committee to fulfill Senator Durbin's request of the past
several weeks and to meet in closed session to discuss this matter and how
we should proceed.
Accordingly, I move pursuant to Rule 26.5.b. to proceed to closed session as we will be discussing matters relating to matters of committee staff personnel and internal management and that discussion may âtend to charge an individual with crime or misconduct, to disgrace or injure the professional standing of an individual, or otherwise to expose an individual to public contempt or obloquy -- and will disclose information relating to the Sergeant at Arms' investigation, which may relate to the prosecution of a criminal offense and should be kept secret in the interests of effective law enforcement, and which may divulge matters required to be kept confidential under the rules of this Committee and the Senate.
# # # # #
THE INVESTIGATION INTO IMPROPER ACCESS TO THE SENATE JUDICIARY COMMITTEE'S COMPUTER SYSTEM
Sergeant at Arms
TABLE OF CONTENTS
I. The Scope and Methodology of the Investigation 1
A. Events Preceding the Investigation 1
B. The Beginning of the Investigation 2
C. Investigative Resources 4
II. Overview of Findings 6
III. The Judiciary Committee Computer Network 13
A. Organizational Background 13
B. History of the Judiciary Committee's Network and
System Administrators 14
C. The Architecture of the Judiciary Committee Network 16
IV. The Documents Disclosed to the Press Resided on the Judiciary Committee Computer Network 19
V. A Judiciary Committee Staff Member Accessed the Computer
Files of the Documents' Authors 21
A. Jason Lundell's Initial Access 21
B. Manuel Miranda's Possession of Democratic Documents 23
C. The Scope of Access 24
VI. Forensic Verification and Analysis 27
A. Limitation of Analysis 27
B. Open Permissions 28
C. Pattern of Open Permissions 30
VII. Other Individuals Identified as Having Knowledge 32
A. Ms. Comisac and Mr. Dahl in the Fall of 2001 32
B. Nominations Unit Staff 34
C. Other Judiciary Committee Staff 38
VIII. A Possible Source of the Disclosure to the Press 40
IX. Analysis of Other Possible Methods of Access to Documents from the
Judiciary Committee Computer System 49
A. Hacking from the Outside is Unlikely 49
B. PcAnywhere Presented a Security Risk 51
C. The Anthrax Incident did not Result in Relaxed Security 52
D. Poor Physical and Computer Security Controls 53
X. Recommendations for the Future 56
A. Referrals for Sanctions 56
B. Immediate Steps to Enhance Computer Security for the Committee 62
C. Measures to Enhance the Security of Computer Networks Senate-Wide 64
XI. Conclusion 64
ATTACHMENTS [None were provided with the redacted or unredacted report.]
A Wall Street Journal, November 14, 2003, and Washington Times, November 15, 2003
B Material from Coalition for a Fair Judiciary website
C Letter from Senator Durbin, November 17, 2003
D Letter from Senators Leahy, Kennedy, and Durbin, November 17, 2003
E Letter from Chairman Hatch, November 20, 3003
F List of interviews
G System Administrator Time Line
H Diagram of the Judiciary Committee's Local Area Network
I Detailed Explanation of Network Drives
J Memos in Question Analysis Chart
K Screen Printout from ______
L Folder Permissions Analysis Chart
M H: Drive Permissions Analysis Including Start/Creation Dates
N Diagram of Senate's Layered Security Approach
I. The Scope and Methodology of the Investigation
A. Events Preceding the Investigation
On Friday, November 14, 2003, a Wall Street Journal editorial set forth excerpts of five documents that the Journal described as Democratic "staff strategy memos." The following day the Washington Times reported that it had obtained 14 internal Democratic staff memoranda. The article specifically states the 14 documents "did not come from a Senate staffer." (The two articles are attached to this report as Attachment "A.") On Tuesday, November 18, 2003, 28 pages of material represented to be "the Democrat [sic] memos on judicial nominations," including those referenced in the Wall Street Journal and Washington Times articles over the weekend, were posted on the Coalition for a Fair Judiciary's website at www.fairjudiciary.com. (The 19 relevant documents from the website are attached to this report at Attachment "B.")1
1 One of the documents posted was an e-mail that included the directory path of Manuel Miranda, a former Judiciary Committee employee who at the time worked for the office of Majority Leader Frist. This document will be discussed later in the report.
On Saturday, November 15, 2003, the Deputy Sergeant at Arms was first notified by Senator Kennedy's Chief Counsel for the Subcommittee on Immigration, Border Security and Citizenship, Jim Flug, that there was a potential security problem with the Judiciary Committee computer system. At the request of Mr. Flug, the Deputy Sergeant at Arms arranged for a member of the Assistant Sergeant at Arms - Chief Information Officer's staff to meet Mr. Flug at his office to provide him technical assistance in assessing the situation.
Later that weekend, in consultation with the Deputy Sergeant at Arms, the Majority and Minority Staff Directors for the Committee agreed to place the Committee's server backup tapes in the custody of the United States Capitol Police (USCP) for preservation. The Committee's System Administrator gathered the backup tapes and just after midnight on Sunday, November 16, 2003, the USCP took into custody a box containing 20 tapes, two access cards that allow users to remotely access the network, and an envelope containing 3 pieces of paper with what appeared system administrator passwords noted. At this time, the door to the Committee's computer room, SD 222, was sealed with police tape.2
2 Despite press reports to the contrary, the USCP did not initiate an investigation into this matter. They did, in the early stages of the investigation, take custody of computer evidence, secure the computer room, and assist in some interviews.
B. The Beginning of the Investigation
The Sergeant at Arms initiated this investigation after receiving requests to do so from Senate Judiciary Committee Chairman Hatch and Senators Leahy, Kennedy, and Durbin of the Committee. Specifically, a letter dated November 17, 2003, from Senator Durbin asked that the Sergeant at Arms, as the Senate's "chief law enforcement officer and also the principal administrative manager for most support services in the Senate, including oversight of computer systems" investigate the "circumstances surrounding the theft of these documents and their distribution" beyond members of his staff. (Attachment "C.") A subsequent letter that same date from Senators Leahy, Kennedy, and Durbin asked the Sergeant at Arms to have an independent computer forensics and security expert help identify who retrieved and released the Democratic documents, assess weaknesses in the Committee's computer network, and make recommendations to help prevent unauthorized access from occurring in the future. (Attachment "D.")
On November 20, 2003, a letter from Chairman Hatch authorized the investigation into whether there was any unauthorized access to the Committee documents referenced in the Wall Street Journal and Washington Times. Chairman Hatch also specifically requested: (1) the continued safekeeping of daily backup tapes; (2) a description of the accounts on the system and of the privileges these accounts and security groups have - or had - to network resources from January 1, 2001, to the present; (3) the retrieval of the old hard drives of the servers that were recently replaced; and, (4) replacement of the hard drives of the current servers and establishment of separate local area networks for majority and minority staffs.
Chairman Hatch also indicated that he had directed his staff to interview all majority staff, "to determine whether they have any knowledge of actual or potential transgressions related to these documents." (Attachment "E.") The Sergeant at Arms, having consulted with Majority Leader Frist and Democratic Leader Daschle and receiving their approval, immediately commenced an investigation. The USCP continued to take custody of the Committee's daily backup tapes for safekeeping. Additionally, SAA staff determined that the "old hard drives" of the servers were still being used and could not be taken into custody without shutting down the Committee's computer system.
On Friday, November 21, 2003, staff for Chairman Hatch who had been conducting interviews of all majority staff on the Committee advised the Sergeant at Arms that a clerk in the Nominations Unit - Jason Lundell - had admitted to them that day that he had accessed Democratic files over the Committee's computer system. Mr. Lundell's desktop computer was immediately taken into custody. Manuel Miranda's desktop computer in the office of Majority Leader Frist was also taken into custody for analysis.
Also on November 21, 2003, Chairman Hatch gave the SAA permission to take the Committee's servers' hard drives.3 SAA staff conducted a site survey to ascertain the physical and logical layout of the Committee's servers and over the weekend of November 22-23, 2003, the four Committee servers were disconnected, their hard drives removed and preserved, and the Committee's data was restored to new hard drives.4
3 The committee's e-mail server was not taken for analysis because backup tapes of that server would provide the same information.
4 During the course of this investigation, with the approval of the Rules and Administration Committee, separate local area networks for the majority and minority were installed.
On December 3, 2003, the file server from the Majority Leader's office was imaged5 and the copy secured for forensic analysis. A backup tape of that office's e-mail server from November 17, 2003, was provided to investigators, but proved to be blank. Subsequently, the System Administrator provided backup tapes from September 29, 2003, and January 12, 2004. These tapes were readable and analyzed by the forensic experts.
5 "Imaging" involves making exact, digital images of the media.
C. Investigative Resources
The request for the Sergeant at Arms to conduct this investigation was, as best can be determined, unprecedented. To ensure a thorough investigation, the Sergeant at Arms supplemented his staff's resources with an independent computer forensics firm and additional investigators.
The services of a qualified, outside computer forensics company were obtained pursuant to an existing contract the SAA had in place for Information Technology Support. The Statement of Work for the analysis asked for: (1) a matrix of access permissions assigned to security groups, and individual accounts and the network resources to which they had access, as can best be reconstructed, back to January 2001; (2) an audit of all available and reconstructed logs to look for anomalies in login failures, account logins compared to machine names, file access, and copying, with special emphasis on the documents identified as being from the Judiciary Committee computer system; and, (3) an analysis of probable methods by which these files could have been obtained by other than permitted users. Each of the company's employees who worked on this analysis was required to sign a non-disclosure certification. The work of the forensics analysis and recovery team was overseen by the SAA's lead investigator, the Assistant Sergeant at Arms for Police Operations.
In addition to the forensics analysis of the Judiciary Committee servers, available backup tapes, and the desktops of relevant staff members, this investigation consisted primarily of interviews of those individuals who had access to the Judiciary Committee server. Over 160 interviews were conducted of current and former Judiciary Committee staff members and other individuals who were identified during interviews as possibly having information relating to the investigation. Employees of the SAA technology staffs were also interviewed. Four agents from the United States Secret Service were detailed to the SAA to assist in this investigation. They reported to the SAA lead investigator.
All of those interviewed were asked a standard set of questions as well as individualized questions based on the investigation to date, or as follow up to their answers to the standard questions. Interviewees were allowed to have counsel during the interviews; six individuals chose to have attorneys present.
It would not have been possible to conduct this investigation without the cooperation of the majority and minority Members of the Judiciary Committee and their staffs. Since the inception of the investigation, Chairman Hatch and Senator Leahy have encouraged their staffs to cooperate with the SAA. Staff Directors Bruce Artim and Bruce Cohen have been invaluable in providing information and helping with the logistics of locating former employees and arranging interviews. The original copy of the final version of this report and the work product of this investigation will be kept by the Sergeant at Arms. Copies of this report have been made and distributed to the Chairman and Ranking Minority Member of the Committee.
II. Overview of Findings
Investigators interviewed over 160 individuals, primarily those who had access to the Judiciary Committee computer system. In addition, five servers, four workstations and multiple e-mail backup tapes from the Judiciary Committee and Majority Leader Frist's office were analyzed by forensic experts. Individuals who were interviewed did so voluntarily and were advised that this was an administrative, fact-finding inquiry. This report presents the findings of the investigation.
The report begins by outlining the structure of the Judiciary Committee's computer network then addresses whether the Democratic documents disclosed in the press were from the Committee's computer system. It then outlines the admissions of two former Committee staff members who accessed Democratic files, including the scope of that access, and sets forth the forensic verification of how they were able to access other users' files over an extended period of time. The report also examines the statements of other individuals who were identified as knowing that access to Democratic documents was available, addresses a possible source of the disclosures to the press, analyzes other possible means of access to the computer system, and finally, makes recommendations for the future.
Investigators were provided critical information early in the investigation (Friday, November 21, 2003) when staff for Chairman Hatch who had been conducting interviews of majority staff on the Committee advised the Sergeant at Arms that a clerk in the Nominations Unit had admitted to them that day that he had accessed Democratic files over the Committee's computer system. His desktop computer was immediately taken into custody by the SAA.
The forensic review confirmed that 18 of the documents at issue resided on the Nominations Unit clerk's desktop. The documents in question were found within a large, password protected compressed file with either the exact name, or a close approximation. The documents at issue were also found on the Judiciary Committee server in the authors' folders, or the folders of other Democratic staff members to whom the author sent the document.
The Nomination Unit clerk was interviewed on November 23, 2003, as part of this investigation and subsequently re-interviewed twice, with counsel present, later in the investigation. His version of events remained consistent each time he was interviewed and the investigation verified much of what he told investigators. He and his counsel remained cooperative throughout the investigation.
The clerk first became aware that he could access the files of Democratic staff some time in October or November of 2001. He made this discovery after watching the Committee's Systems Administrator perform some work on his computer. An admittedly curious person, the clerk attempted to duplicate what the System Administrator had done. In so doing, he was able to observe all of the network's other users' home directories. He then clicked on different folders to see which ones he could access; he was able to access some folders, but not others. The folders that he could access, he stated, belonged to both Republican and Democratic staff.
The Nominations Unit clerk reported that he had access to the home directories of other users shortly after beginning his employment in the fall of 2001 until the spring of 2003. Initially he printed approximately 100-200 pages of documents pertaining to Judge Pickering's nomination and gave them to one of his supervisors. Two days later that supervisor and another admonished him not to use the Democratic documents and those that he had given his supervisor were shredded.
Manuel Miranda joined the staff of the Judiciary Committee in December 2001. A short time after Mr. Miranda was hired, the clerk showed him how he could access Democratic files. The clerk who initially discovered how to access the files told investigators that he was not sure what to look for in the files, so Mr. Miranda would guide him as to what information was helpful. Mr. Miranda would often suggest which directories he should concentrate on and would sometimes tell him that there was something new in a particular folder and ask the clerk to print it for him. Mr. Miranda admitted accessing the computer files of Democratic staff himself on one or two occasions.
The Nominations Unit clerk explained that he frequently searched the folders of some Democratic staff on an almost daily basis while working on the nomination of Judge Priscilla Owen. In fact, over the course of accessing other users' files for approximately 18 months, the clerk downloaded thousands of documents. Forensics analysis of a compressed zip folder from his workstation where he kept these documents identified 4,670 files, the majority of which appeared to be from folders belonging to Democratic staff. During the approximately 18 months the clerk accessed other users' files, he stated that he had four or five different computers assigned to him and that regardless of the hardware he used he was able to access this information.
In January 2003, Mr. Miranda left the Judiciary Committee and took a position in the office of Majority Leader Frist. The Nominations Unit clerk and Mr. Miranda both admitted that the clerk continued to provide Democratic - and also Republican - documents to Mr. Miranda after he left the Judiciary Committee. Forensic analysis of the e-mail traffic between the two confirms this. In March or April 2003, the clerk was re-assigned to another Unit in the Judiciary Committee. About the same time (April 2003) the Committee's server was upgraded and the clerk believed that prevented him from being able to access other users' files on the server.
While there was extensive analysis of servers and individual workstations in this investigation, the results were limited due to the absence of proactive security auditing on the Committee's computers. The fact that not all security events were audited significantly inhibited this investigation because permission changes could not be analyzed on any computer.
Because the Committee was not auditing permission changes, the forensic review was not able to provide a history of who had access to the files containing the Democratic documents at issue.
The forensic review of the Judiciary Committee servers that was conducted is consistent with the clerk's explanation of how he was able to access democratic files. The forensic analysis provided investigators with two "snapshots" of the network's permission settings - one from July 2003 (when a file copied from the older server in April was deleted) and one from November 2003 when the server was imaged for this investigation.
The forensic analysis indicated that a majority of the files and folders on the server were accessible to all users on the network. Any user on the network could read, create, modify, or delete any of the files or folders within these folders. The investigation revealed that users whose network profiles were established prior to August 2001- when a new System Administrator was hired by the Committee - were generally established correctly and had strict permissions; those established after the date were "open." The investigators do not believe that the Committee's System Administrator acted maliciously, or that he himself inappropriately accessed any user's files. Rather, this significant security vulnerability appears to have been caused by the System Administrator's inexperience, and a lack of training and oversight. This System Administrator left the Committee in July 2003, but permissions remained "open." Forensic analysis of the Judiciary Committee server when this investigation began in November 2003 indicates that the system was even more open to all users on the network at that time.
Despite this significant lack of security, the investigation did not reveal any evidence that users continued to access other users' files after the Nominations Unit clerk stopped doing so in April 2003. Other than the Democratic documents in question, no one who was interviewed brought forth any other documents that they believed had been compromised from the computer system.
The investigation did not identify any individuals, other than the clerk and Mr. Miranda, who were accessing other users' files on the Judiciary Committee computer network. While the clerk admitted to accessing and printing approximately 100-200 pages of documents and providing them to his supervisor in October or November of 2001, they did not know how he had obtained the documents or that he continued to access additional Democratic documents. Additionally, the supervisors did not bring the matter to the attention of the Staff Director. A forensic analysis of the hard drives of both supervisors was conducted and none of the Democratic documents at issue resided on either drive.
The Nominations Unit clerk identified other Judiciary Committee staff members within the Nominations Unit whom he believed knew Democratic computer files were accessible.
Investigators interviewed all of those individuals that were identified as having knowledge about access to Democratic files. Of those interviewed, only one - the Committee's former System Administrator who was working part-time on developing a database for the majority - knew that any users' folders were inappropriately open to others. This individual did not know the extent of the problem and thought the System Administrator was just "sloppy" with setting some users' permissions. He did not advise the System Administrator of his discovery.
In the interviews that were conducted, to date no other individuals on either the Republican or Democratic staffs admitted that they knew that access could be obtained to the other's files. There was speculation among those interviewed that if Mr. Lundell learned how to get access to Democratic files, others on the Committee were probably doing the same thing. The Democratic staff working on judicial nominations clearly did not know there was a vulnerability. If they had, presumably they would have protected their files.
Members of the press and the Coalitions who had possession of the document at issue declined to be interviewed. Without their cooperation, the investigation faced a significant impediment to identifying the source of the disclosure. Several individuals who were interviewed, both Republicans and Democrats, implicated Mr. Miranda. While there is no definitive evidence pointing to Mr. Miranda as the individual who gave the documents to the press, or a party outside of the Senate, there is circumstantial evidence implicating him.
When the Nomination Unit clerk, who considered Mr. Miranda a friend, was asked how the Democratic documents were disclosed to the press, he identified Mr. Miranda as the likely source. He described a conversation with Mr. Miranda shortly after the documents were excerpted in the press where he understood Mr. Miranda to acknowledge giving the documents to a third party who then gave them to the press.
The report does not make any recommendation for referral of individuals for Senate or legal ethics or criminal violations. It does set forth some of the options the Judiciary Committee may be considering. It also recommends immediate steps that the Committee should take to enhance its computer security and sets forth measures the SAA will be recommending to the Senate leadership to enhance the computer security network-wide.
III. The Judiciary Committee Computer Network
A. Organizational Background
The SAA provides Information Technology support to the entire Senate, including Committees. Office Automation support is accomplished via the current SAA contractor, Signal Solutions.
The SAA provides Senate offices with a variety of computer hardware and software, including networks, workstations, peripherals and all products associated with a computer system connected to a Local Area Network (LAN), including software such as Operating Systems (usually a variant of Windows NT) and other functional packages and office suites. Software setup and Operating System configuration is usually conducted by SAA staff following configuration specifications requested by the office's System Administrator.
Almost all Senate offices, including Committees, employ their own Systems Administrator. These individuals have a broad range of technical skills, ranging from the bare minimum to advanced technical understanding. The SAA provides training (through the Joint Office of Education and Training), guidance, and/or direct support to Systems Administrators when requested to do so.
B. History of the Judiciary Committee's Network and Systems Administrators
It was determined from interviews of SAA employees that the Judiciary Committee migrated from a mini-computer system to a Local Area Network prior to October 31st, 1991. The specific date is not known, nor is the name of the Systems Administrator at the time.
On August 14th, 1995, the Judiciary Committee computer software system was upgraded from Microsoft (MS) LAN Manager Version 1.1 to MS Windows NT Server 3.51. In December 1999, another upgrade was completed resulting in the software installation of MS Windows NT Server 4.0.
In July 1999, Cesar Yabor left the Judiciary Committee after serving as its Systems Administrator. According to SAA staff, Mr. Yabor was very independent and rarely used their customer support. In August 1999, an SAA team installed new Y2K-compliant workstations within the Committee. This caused a number of network issues to surface as a result of the System Administrator's nonstandard configurations on the servers and customized, non-standard, individual logon script files. In late 1999, the Judiciary Committee requested assistance from the SAA to bring its computer network back to a standard configuration and into Y2K compliance. An SAA contractor assisted the Committee for approximately 2 months during the transition to a new Systems Administrator, Ryan Davis.
SAA Service Center tickets which track service requests to the Help Desk show that in December 1999 Ryan Davis requested specific assistance from the SAA Help Desk with regard to the Judiciary computer server upgrade. According to these records, Mr. Davis "successfully changed and synchronized server passwords for proper security measures."
On June 21, 2001, Mr. Davis resigned as the Committee's System Administrator and Matt Payne-Funk, the System Administrator for Senator Leahy's personal office, performed those duties "unofficially" for the Committee until Brian Wikner was hired on July 17, 2001. This position was first job after obtaining his college degree.
The Committee received new computer hardware ordered by Mr. Wikner on February 20, 2003. (Service Center ticket 92377). The service ticket's notes indicate that Mr. Wikner declined to schedule a pre-installation meeting with SAA staff and declined the SAA's offer to configure the system. He requested that the equipment be delivered in the original boxes and indicated that he would handle the installation himself. After this installation Mr. Wikner called the SAA Help Desk on April 18, 2003, with questions about how to copy files from one server to another. He was advised of the proper procedures and, according to the Help Desk report, was able to copy the files successfully. Three days later Mr. Wikner called the Help Desk regarding problems associated with the new Windows 2000 server he had built to use as a file server. He reported encountering login problems on workstations when users attempted to connect to the server and contacted the SAA Help Desk for assistance. The SAA provided technical assistance and on April 30, 2003, Mr. Wikner advised the Help Desk staff that he was not having any further difficulties.
On May 29, 2003, Craig Field assumed the System Administrator position for the Committee. He remains in this position today. Mr. Wikner left the Committee on July 21, 2003. A timeline reflecting the tenure of the Committee's recent System Administrators is attached at "G."
Like some other Senate offices, the Judiciary Committee has historically been staffed with Systems Administrators who preferred to perform most computer-related tasks themselves. This has been true even if they had only minimal technical experience before becoming the Committee's System Administrator. There is no minimum level of proficiency required to obtain a System Administrator position, and there was a considerable variance in the proficiency levels of the Committee's different system administrators. Notably, the records of the Senate Joint Office of Education and Training reflect that Brian Wikner only attended two technical training classes during his tenure, neither relating to the NT Administration.
C. The Architecture of the Judiciary Committee Network
The Judiciary Committee Computer network, when it was imaged at the beginning of this investigation, consisted of a Primary Domain Controller (PDC) Server known as "JUDAK," a Backup Domain Controller (BDC), a Print Server known as "JUDPT," and a File Server which is referred to as "JUDFS01". Collectively, these servers are simply known as the Judiciary Committee File and Print Servers. The network configuration also included an e-mail server that was not taken into custody because backup tapes were available. A diagram of the Judiciary Committee Local Area Network as of November 2003 is attached as "H."
The "JUDAK" server was the primary domain controller (PDC) for the Committee. The server ran the Windows NT 4.0 Operating System and controlled all servers, computer workstations, users, printers, scanners and other computer hardware on the network. PDCs are considered critical infrastructure machines and act as the central management point for the entire network and all its users.
The print server "JUDPT" was the central managing point for all printers and computers that printed. This connected all servers and workstations to all printers and managed the printing of all documents.
The file server "JUDFS01" acted as the central file repository point for all users on the network. The file server allowed users to save and retrieve their files and folders from a central location. This central location offered a large amount of hard drive space (over 200 gigabytes) for data storage by the over 140 user accounts. Administrators generally backup the entire file server periodically as a single entity providing for the recovery of lost data.
The Committee's servers were configured in a way that a Local drive/partition contains the Server Operating System and related utilities, this is known as the server "C:" drive. There also exists a server "E:" drive. This particular local drive/partition contains data files, such as user home directories and shared directories. The System Administrator is responsible for security settings or permissions on the various folders on this drive or partition to allow (or not allow) them to be "shared" with users on the network. The practice in the Judiciary Committee is to "share" certain files among staff working for the same Senator. Users access the folders by mapping them to a drive letter (e.g., H: or S:) that they use just like a drive on their individual workstations.
Specific to each user's desk workstation is a Local "C:" drive that contains the workstation Operating System, applications, and data files. Additionally, the "H:" drive (as stated above) is also seen and is "mapped" to a user's home directory on the file/print server. An "S:" drive is also "mapped" to the shared folder on the file/print server.
Each user should have exclusive access to his or her own directory. As the name implies, more than one user typically has access to any shared folders on the server. Access to home directories and shared folders is controlled by permissions set by the system administrator.
The diagram below reflects the Committee's server and desktop configurations.
A detailed explanation of each drive is attached at "I."
IV. The Documents Disclosed to the Press Resided on the Judiciary Committee Computer Network
The Democratic staff documents excerpted in the press and published on the internet appeared initially to have been taken from the Judiciary Committee's computer system. Specifically, one of the authors of a memorandum to Senator Kennedy advised investigators that the document posted on the public website was not the final version of the memorandum printed and disseminated. Likewise, the author of the document that does not have a heading (the first page posted on the website with an "02" in the upper right corner) indicated that it was typed as an outline of thoughts, not intended to be read by anyone else and, therefore, never printed.
The forensic review confirmed that 18 of the documents at issue resided on the Judiciary Committee server. The one document that was not found was identified to investigators as written by Jonathan Meyer, Counsel for Senator Biden, and was posted on the website with "p.20" in the upper right corner.6 The forensic review searched all files and folders - even those that had been deleted - on all of the servers and workstations taken into custody. Printed copies and, in some cases filenames, of the Democratic staff documents that were provided to the forensic consultants. Additionally, unique mathematical computations for each file were created by the forensic experts and used to search for the documents. All of the found documents resided on desktop. The documents in question were found within a large, password protected compressed file with either the exact name of the original document, or a close approximation. The documents were also found on the Judiciary Committee server in the authors' home directories, or the home directories of other Democratic staff members to whom the author sent the document. A list of the folders where the documents were found is attached at "J" (Memos in Question Analysis).
6 Mr. Meyer stated that he had saved the document to his H: drive and the only other place it resided was on the H: drive of Neil MacBride, Chief Counsel for Crime, Corrections and Victims' Rights for Senator Biden.
The forensic analysis revealed no matches for the documents in question on any of the other computer analyzed.
V. A Judiciary Committee Staff Member Accessed the Computer Files of the Documents' Authors
Lundell's Initial Access
As noted earlier in this report, counsel for Senator Hatch who were conducting interviews the week of November 17th brought to the attention of the Sergeant at Arms that Jason Lundell, a nominations clerk for the Senate Judiciary Committee, had acknowledged accessing Democratic files on the Judiciary Committee's computer system. Mr. Lundell was interviewed on November 24, 2003, as part of this investigation and subsequently re-interviewed, with counsel present, later in the investigation. His version of events remained consistent each time he was interviewed and the investigation verified much of what he told investigators. Importantly, prior to the initial media reports referencing the Democratic documents at issue, Mr. Lundell had already been accepted to graduate school in accounting in Texas and was planning on leaving employment with the Judiciary Committee. He was put on administrative leave the day of his admission to Senator Hatch's counsel and left for Texas on January 7, 2004.
Mr. Lundell began working for the majority in the Nominations Unit of the Judiciary Committee on September 19, 2001. He was interviewed and hired by Makan Delrahim, the Republican Staff Director for the Committee at that time. Mr. Lundell's responsibilities involved the handling and processing of nominations paperwork. Later he was given additional responsibilities, including researching for the Committee's attorneys and speaking with the Department of Justice's Legislative Affairs and Legal Policy representatives.7 He stated that he worked for Rena Comisac and Alex Dahl.
7 As of the time this report is being completed, the Department of Justice still has under consideration investigators' request to interview the employee who Mr. Lundell reported having contacts with.
According to Mr. Lundell, he became aware that he could access the files of Democratic staff some time in October or November of 2001. He made this discovery after watching the Committee's Systems Administrator, Brian Wikner, perform some work on his computer. An admittedly curious person, Mr. Lundell attempted to duplicate what the System Administrator had done after Mr. Wikner left his workspace. According to Mr. Lundell, he accessed "My Network Places/Entire Network/Judak." In so doing, he was able to observe all of the users' home directories. He then clicked on different folders to see which ones he could access; he was able to access some folders, but not others. The folders that he could access, he stated, belonged to both Republican and Democratic staff.
Mr. Lundell reported that he had access to other users' home directories shortly after beginning his employment in the fall of 2001 until the spring of 2003. Mr. Lundell recalled that the nomination of Judge Charles Pickering to a seat on the Fifth Circuit was the "hot topic" within the Judiciary Committee in the fall of 2001. As a result, he began navigating the server and searching for information about Judge Pickering. He printed approximately 100-200 pages of documents pertaining to Judge Pickering's nomination and gave them to Ms. Comisac in an attempt to get on good terms with her. According to Mr. Lundell, Ms. Comisac appeared pleased with the information and thanked him. He reported that two days later Mr. Dahl and Ms. Comisac admonished him not to use the Democratic documents and Ms. Comisac shredded the materials he had given her.
B. Manuel Miranda's Possession of Democratic Documents
In December of 2001 Mr. Manuel Miranda joined the Judiciary Committee as a counsel for the Nominations Unit. Mr. Lundell stated that a short time after Mr. Miranda was hired, he showed Mr. Miranda how to access Democratic staff files and explained that Mr. Dahl and Ms. Comisac had instructed him not to use Democratic materials. Mr. Miranda's response, according to Mr. Lundell, was that everyone knew about the open access and that he did not have to follow the directions given by Mr. Dahl and Ms. Comisac. Furthermore, Mr. Lundell recalled that Mr. Miranda told him that Senator Hatch wanted the staff to use any means necessary to support President Bush's nominees.
According to Mr. Lundell, he was not sure what to look for in the files, so Mr. Miranda would guide him as to what information was helpful. Mr. Lundell explained that Mr. Miranda would often suggest which directories he should concentrate on and would sometimes tell him that there was something new in a particular folder and request that Mr. Lundell print it out for him. When Mr. Lundell printed out documents, he would either hand them to Mr. Miranda or leave them in Mr. Miranda's top desk drawer. He recalled specifically leaving documents in the desk drawer without a handle.
In his second interview, Mr. Lundell explained that Mr. Miranda was his supervisor, (a relationship not corroborated by anyone else, including Mr. Miranda), and when asked by Mr. Miranda to look for specific Democratic information he believed he was being directed to do so by his supervisor. Mr. Lundell believed that Mr. Miranda's instructions superseded those he had been given earlier by Ms. Comisac and Mr. Dahl. Mr. Lundell also stated that Mr. Miranda told him there was nothing wrong, or illegal with accessing the Democratic files.
In January 2003, Mr. Miranda left the Judiciary Committee and took a position in the office of Majority Leader Frist. He continued to have access to the Judiciary Committee server until at least February 12, 2003, when he e-mailed himself (from his Judiciary Committee account to his account on the Frist server) more than 45 documents over three days. Mr. Miranda and Mr. Lundell both admitted that Mr. Lundell continued to provide Democratic - and also Republican - documents to Mr. Miranda after he left the Judiciary Committee. E-mail traffic between Mr. Lundell and Mr. Miranda confirms this. For example, on February 24, 2003, Mr. Lundell replied to an e-mail from Mr. Miranda with the subject matter "please send asap" by attaching over 30 documents to Mr. Miranda. And, a March 3, 2003 e-mail from Mr. Lundell to Mr. Miranda with the subject "lots of chatter" attaches ten documents, the majority of which appear to be written by Democratic staff.
C. The Scope of Access
Mr. Lundell explained that he frequently searched the folders of Olati Johnson (Sen. Kennedy), Chris Rhee (Sen. Durbin), Tom Oscherwitz (Sen. Feinstein), Lisa Graves (Sen. Leahy), Neil McBride (Sen. Biden), Alan Busansky (Sen. Feingold), and Rachel Arfa (Sen. Leahy). He acknowledged that most of the documents he accessed were from the files of Olati Johnson and Chris Rhee . He admitted accessing these files on an almost daily basis while working on the nomination of Texas Supreme Court Judge Priscilla Owens to the District Court. He stated he accessed the files much less frequently after October 2002 when his mother was murdered. Mr. Lundell provided investigators with a two-page printout of a computer screen with Judiciary Committee staff folders and indicated which folders he could access and those he could not. (Attachment "K.")
According to Mr. Lundell, when he learned of the vulnerability of the computer server he took steps to safeguard his own files. He did this by contacting a friend outside the Senate, whom he thought to be very good in computer security issues. This individual guided Mr. Lundell through the necessary steps at his desktop. An interview with this individual confirmed that Mr. Lundell advised him that others could read his files and asked for assistance in preventing this access. Mr. Lundell's friend helped him "right click on properties" and establish permissions on his files. Mr. Lundell stated that he also secured the files of Mr. Miranda and Ryan Higginbotham, another member of the Nominations Unit, from their workstations.
In March or April 2003, about the same time Mr. Lundell left the Nominations Unit and moved to the Civil Division, the server was upgraded and Mr. Lundell believes that prevented him from being able to access other users' files on the server. During the approximately 18 months Mr. Lundell accessed other users' files, he stated that he had four or five different computers assigned to him and that regardless of the hardware he used he was able to access this information.
The investigation revealed that over the course of accessing other users' files for approximately 18 months, Mr. Lundell downloaded thousands of documents. He stated that he created a password protected "zip folder" on his desktop computer once he realized there was going to be an investigation and moved the relevant documents to that folder. He provided investigators with the password for the folder. The forensics analysis revealed that the compressed zip folder contained 4,670 files, the majority of which appeared to be from folders belonging to Democratic staff. Over 2,000 of these files appear to belong to one individual, a former counsel for Senator Durbin. Mr. Lundell told investigators that the only copy of these documents that he possessed other than those found on his workstation was given to his attorneys. Mr. Lundell's counsel provided investigators with two discs which included the contents of Mr. Lundell's H: drive, including the zipped files. The attorneys also provided investigators with approximately 500 pages of documents including Democratic documents, Republican talking points and issue papers on judicial nominations, and press and website reports about judicial nominees and this investigation. They represented this to be the complete results of Mr. Lundell's production to them of any documents he had in his possession relating to this investigation. Mr. Lundell confirmed that he had given everything over to his counsel.
VI. Forensic Verification and Analysis
A. Limitation of Analysis
While there was extensive forensic analysis of servers and individual workstations in this investigation, the results were limited due to the absence of proactive security auditing. Each server and workstation contains three main logs; an application log which tracks programs and what they are doing on the network, a system log which tracks any remarkable system, operating system events, and a security log which tracks successful and failed access attempts to system resources. System Administrators can use the security log to apply both reactive and proactive measures to potential and actual security incidents. The security log can audit successful and failed log ons and log offs, file accesses, user rights, security policy changes and computer restarts.
Prior to the Committee's server upgrade in April 2003, only failed log-on and log-offs were audited. As a result, the forensic review was unable to determine whether any users changed their user rights, attempted to access files to which they did not have access to, or the exact date and time of each log on and log off.
The fact that not all security events were audited significantly inhibited this investigation because permission changes could not be analyzed on any computer. When a user account is created, the System Administrator assigns that user access to certain privileges and resources on the network. If the system is not properly configured, users may be able to change their level of access and privileges. Because the System Administrators were not auditing permission changes, the forensic review was unable to produce a history of who had access to the files containing the Democratic documents at issue. This trend of not fully logging security events began before the the Committee's server upgrade in April of 2003. When the Committee migrated from Windows NT to Windows 2000 in April 2003, the same log settings were preserved and, as a result, the logging continued to be inadequate for a comprehensive security audit.
B. Open Permissions
The forensic review of the Judiciary Committee servers is consistent with Mr. Lundell's explanation of how he was able to access files that were owned by Democrat staff of the Committee. The files on the Committee's server (JUDAK) were copied to the new server (JUDIC-FS01) on April 18, 2003 and deleted in July 2003.8 Forensic experts were able to recover most of these deleted files and analyze file permissions as they were set at the time of deletion.
8 No reason or indication as to why files and folders remained on JUDAK until July 22, 2003, was found.
The forensic analysis indicated that a majority of the files and folders on the server were accessible to all users on the network. Specifically, in 84 out of 144 of the home directories analyzed, the permission assignment was "open," indicating that the "EVERYONE" group had full control. This means that any user on the network could read, create, modify, or delete any of the files or folders within these folders. The remaining folders had a "strict" permission assignment, which meant that a specific user(s) were assigned to the folder, typically the owner of the home directory and the System Administrator. The folder permission analysis is attached to this report at "L".
The folder permission analysis verified Mr. Lundell's statements that he was able to access the home directories, or H: drives, of Olati Johnson, Tom Oscherwitz, Lisa Graves, Neil McBride, Rachel Arfa, and Alan Busansky.9 These files were among those open to everyone on the Judiciary Committee server. Additionally, the forensic review confirmed that access was restricted to the files belonging to Mr. Lundell, Mr. Miranda, and Mr. Higginbotham.10 This finding is consistent with Mr. Lundell's report that he took steps to protect these users' files.
9 Alex Busansky's home directory does not appear on the folder permission chart. His directory did appear a few levels down under the "Internet\Feingold" directory and was open.
10 The files of Bill Castle, another employee in the Nominations Unit, were also open only to himself and the System Administrator. Mr. Lundell does not specifically recall protecting Mr. Castle's files, but stated that it was possible. Mr. Castle remembers finding Mr. Lundell at his desktop and asking him to leave.
The Windows 2000 operating System is built on Windows NT technology and has similar security. As a result, the open permission settings that existed before the Judiciary Committee's server upgrade in April 2003 were inherited by the new server unless the System Administrator took specific steps to change them. Nevertheless, the conversion to the Windows 2000 Operating System left Mr. Lundell unable to navigate access to other users' files. Part of the explanation for this is that the Windows 2000 server has a setting (unlike the previously used Windows NT) that does not show the list of all users' folders. As a result, while the Democratic files Mr. Lundell had been accessing were still technically open, the path to get to them had changed and it appeared to him that access was no longer available.
C. Pattern of Open Permissions
Our investigation revealed that some user home directories were set to "open" permissions and other home directories were set to "strict" permission. This appears to be a result of the Judiciary Committee Network having two System Administrators during the time frame in question. One System Administrator had very strict account policies in place and the other did not. An analysis of the creation date and permissions of various user accounts was performed and supports this. (Attached at "M" is a chart H: Drive Permissions Analysis Including Start/Creation Dates).
Users accounts created prior to August 2001 were generally created with "strict" permissions; those established after that date were "open." Of the 126 users whose folders were available for forensic analysis, there were only nine exceptions to this general pattern. Four of these exceptions were Nominations Unit staff whose files Mr. Lundell admitted protecting. Of the remaining five exceptions, only two had strict permissions that should have, according to the pattern, been open. Andrea Sander, counsel for Senator Kyl since August 2003 (formerly counsel for Senator Sessions from August 2002 - August 2003) and counsel for Senator Brownback. Judiciary Committee leave records indicate that Mr. Wikner was on leave when Ms. Sander and Mr. Woo began their employment with the Committee. It is likely that their user profiles were established by Mr. Payne-Funk in Mr. Wikner's absence. They both were interviewed and denied any knowledge of being able to access other user files, or of the Democratic documents in question.
The Committee's recent System Administrators were interviewed on multiple occasions. Ryan Davis was the Committee's System Administrator from December 1999 to June 21, 2001. At that time Matt Payne-Funk, the System Administrator from Senator Leahy's personal office took over the duties unofficially until Brian Wikner began on July 17, 2001. Mr. Wikner remained in the position until Craig Field assumed the duties on May 29, 2003.
Investigators interviewed Mr. Wikner in person early in the investigation and had subsequent telephone and e-mail conversations with him. After explaining to investigators how he set up a user profile, Mr. Wikner called to correct his response and subsequently sent an e-mail on February 18, 2003, which stated, in part:
In the final step of the process, [sic] I said I would go into the newly created user folder, enable the share, and restrict permission to full access by the particular user. I want to clarify that this was only done under the system I put in place in Spring 2003.
In conversations I've had with Matt Payne-Funk since we spoke, it has come to light that I was not instructed to set such user permissions on each folder under the old system. This was an oversight in teaching me how to set up the accounts. My assumption was that these permissions were restricted by some other means, and as I was taking over an already functioning system, I did not think to double check this area of security.
This statement explains why permissions were open for users who came to work for the Judiciary Committee after July 2001. The investigators do not believe that Mr. Wikner acted maliciously, or that he himself inappropriately accessed any user's files. Rather, this significant security vulnerability appears to have been caused by Mr. Wikner's inexperience, and a lack of training and oversight.
Despite Mr. Wikner's assertions that he properly set permissions after April 2003, forensic analysis of the Judiciary Committee server when this investigation began in November 2003 indicates that the system was even more open to all users on the network at that time. Two-thirds of the folders analyzed were created on April 18, 2003, when they were copied from the old server (JUDAK) to the new server. The majority of the folders on the new server (JUDIC-FS01) have no permissions set. Access to these files would require a user to manually map to another user's drive (as opposed to clicking on folders as Mr. Lundell did).
Because the servers in the Judiciary Committee Network remained open from August 2001 through November 2003 it is plausible to assume that additional users may have escalated their privileges, and therefore would have been able to view files belonging to other users. Despite this significant lack of security, the investigation did not reveal any evidence that users continued to access other users' files after Mr. Lundell stopped doing so in April 2003. Other than the Democratic documents in question, no one who was interviewed brought forth any documents that had been improperly acquired from the computer systems in question. The next section of this report will address the knowledge of the individuals identified by Mr. Lundell as having knowledge of the ability to access Democratic files.
VII. Other Individuals Identified as Having Knowledge
A. Ms. Comisac and Mr. Dahl in the Fall of 2001
As previously discussed in this report, Jason Lundell admitted to accessing and printing approximately 100-200 pages of documents and providing them to Ms. Comisac and Mr. Dahl in October, or November of 2001. Ms. Comisac and Mr. Dahl confirmed that Mr. Lundell brought them a stack of documents that appeared to be written by Democratic staff. Ms. Comisac stated that she did not know how Mr. Lundell had received these documents, but that her impression at that time was that they came from a computer that Mr. Lundell inherited from a former Democratic staffer. She remembers recognizing that one of the documents was an internal Democratic memorandum at which point she decided not to do anything with them and placed them in her top desk drawer. The next day she shredded the documents and told Mr. Lundell to shred every copy he made and admonished him that it was not appropriate to read them - "this is not the way they do things here."
Mr. Dahl's account of receiving the documents is very similar to that of Ms. Comisac. Mr. Dahl recounts that it was late in the day when Mr. Lundell presented a manila folder of documents that appeared to be written by Democratic staff. Mr. Dahl did not know that Mr. Lundell had access to the files. He stated that later in the evening as he thought about the documents, he concluded that it was wrong to have or use them. The next day he told Ms. Comisac, "I don't think it's right, we need to get rid of them." They then asked Mr. Lundell into Ms. Comisac's office and told him to destroy any hard copies that he had and advised him to delete the files if they were on his computer.
Ms. Comisac and Mr. Dahl both stated that they thought they had resolved the problem and did not feel it was necessary to bring the matter to the attention of their supervisor, Staff Director, Makan Delrahim. Mr. Delrahim is no longer a Senate employee, but was interviewed for this investigation. He denies having access to Democratic files or knowing that anyone else had access. The investigation also revealed that is unlikely that Mr. Miranda shared with Mr. Delrahim the fact that he could access Democratic files. Interviews revealed that the two gentlemen did not have a close or friendly working relationship.
The forensics analysis of both Ms. Comisac's and Mr. Dahl's Judiciary Committee hard drives was conducted. This analysis revealed that none of the Democratic documents at issue resided on either drive. Furthermore, the analysis determined that neither Ms. Comisac, nor Mr. Dahl altered the manner in which they saved their documents, which they might have done if they understood that Mr. Lundell and others could access files through the Judiciary Committee server.
Investigators found Ms. Comisac and Mr. Dahl to be credible and cooperative in this investigation. In fact, on February 23, 2004, Ms. Comisac called investigators after she discovered one of the Democratic documents at issue in her possession when she was unpacking her files at a new job. She told investigators she had received the document from John Abegg, counsel for Majority Whip McConnell, in February or March of 2003. She does not remember the exact conversation, but she had the impression the document came from Mr. Miranda. When Mr. Abegg was re-interviewed he indicated Mr. Miranda may have shown him an "opposition document" early in the year, but denied any recollection of the giving the specific document to Ms. Comisac; although, he acknowledged that it was possible he did so.
B. Nominations Unit Staff
Mr. Lundell was questioned by investigators about whether he was aware of anyone else who knew that Democratic files were accessible. He initially stated that, "Everybody knew," but when questioned further he named only several Judiciary Committee staff within the Nominations Unit, specifically, Amy Haywood, Ryan Davis, Pete Jensen, and Chris Rodgers. Mr. Lundell indicated that he was also able to access these files from Amy Haywood's computer. Mr. Lundell stated that the other individuals he named had knowledge of being able to access Democratic files because Ryan Davis, a former System Administrator for the Committee who was re-hired in November 2001 to develop a database for the majority, demonstrated how access could be obtained. The investigators interviewed all of those individuals that were identified by Mr. Lundell as having knowledge about access to Democratic files.
Amy Haywood was employed by the Judiciary Committee in July 1998 as a legislative correspondent and later its nominations clerk. After a break in service she returned to the Committee from August 2001 through September 2003, first as the Nominations Unit investigator and later as a counsel in the Unit. In her first interview, Ms. Haywood recalled overhearing a conversation between Ms. Comisac, Mr. Dahl, and Mr. Lundell, in which she heard Mr. Lundell say that he could access Democratic files. She believed this was possible because he had inherited a computer previously used by Democratic staff. She further stated that if Mr. Davis had shown colleagues how to access files, it was only because he was shocked or startled that it was possible; he was not showing them so that they could access the files.
When Ms. Haywood was re-interviewed she was asked again about the "demonstration" Mr. Lundell told investigators that Ryan Davis had conducted and her knowledge of Mr. Lundell's ability to access Democratic files. Ms. Haywood's recollection of events is not clear. She initially stated during the second interview that Mr. Lundell told her directly that he could access other individual's files on the server and at one point had shown her how he could do it, using his own workstation. She later indicated that it could have been that Mr. Lundell showed her on her own computer. Ms. Haywood also stated that she does not have specific recollection of a demonstration by System Administrator. She stated that it is possible that it happened and that she does not remember it because she did not think it was significant at that time. Overall, Ms. Haywood was not helpful in determining whether others within the Nominations Unit knew that access was available to Democratic files. She acknowledged that events "could have happened" the way Mr. Lundell described them to investigators, but had no specific recollection. Mr. Lundell, conversely, is certain that Ms. Haywood knew how to access Democratic files, but had no specific knowledge that she had ever done so.
When Ryan Davis was the Committee's System Administrator from December 1999 to June 2001 he stated that he was meticulous about security permission. Investigators interviewed Mr. Davis three times. While he was nervous and guarded with investigators initially he eventually was forthcoming and essentially confirmed Mr. Lundell's recollection of events. He denied accessing Democratic files and had never seen the documents at issue.
When Mr. Davis returned to the Committee in November 2001 to create a database he remembers discovering that Mr. Wikner, then the Committee's System Administrator, was being "sloppy with permissions." Mr. Davis denies ever giving a "demonstration" as Mr. Lundell reported, but does recall that when he was working on Amy Haywood's computer (she did not have an H: drive and was helping her fix that problem) he was able to view folders belonging to other Judiciary Committee staff. He remembers trying to open "a couple" folders and that they were only "Hatch stuff." He recalls that Ms. Haywood, Mr. Lundell, and Peter Jensen present at the time and that he may have said something like, "I can't believe he left it open." This discovery occurred while he was working on Ms. Haywood's computer. When asked whether he thought Ms. Haywood might have been able to remember the steps he had taken to access other users' folders he stated, "If Amy could remember steps, I'd give you a hundred dollars. She is the most technologically illiterate person I know."
Mr. Davis does not recall ever notifying Mr. Wikner of the fact that he was able to access folders that should have been closed. During this investigation Mr. Davis, still a Senate employee, sent an e-mail to Senator Hatch's counsel responding to a Boston Globe report that a Republican "computer technician informed his Democratic counterpart of the glitch, but Democrats did nothing to fix the problem" by stating:
... my firmest recollection is that I did not have a conversation with Brian Wikner about what, at the time, I could only have deemed him as being sloppy with some permission and not some problem that of which others would take advantage. What I can remember is leaving him a message to call me about a concern and he didn't return my call.
The only individual interviewed who alleged that Mr. Davis told the Committee's System Administrator about open access to user files was Mr. Miranda.11 He claimed to have learned about this from Mr. Lundell. However, Mr. Lundell denied telling Mr. Miranda this and stated he did not know whether Mr. Wikner was apprised of the situation.
11 Mr. Davis advised investigators that he received a voice mail from Mr. Miranda on February 24, 2004, asking whether Mr. Davis had ever advised Brian Wikner of a problem with the computer, or folder permissions.
Peter Jensen, a law clerk for the Committee in the summer of 2002 and currently Investigations Counsel, initially told investigators that he had never been shown how to access Democratic files. In a second interview focusing on the "demonstration" Jason Lundell said took place, Mr. Jensen stated that he had no recollection of a "demonstration" by Ryan Davis, but that it could have happened. Mr. Jensen thought it was possible that he could have been present while Ryan Davis was showing something on the computer, and he may not have known what was going on. Mr. Jensen denies accessing the files of Democratic staff.
Chris Rodgers, also a law clerk for the Committee
in the summer of 2002 and no longer employed by the Senate, was interviewed
telephonically and denied accessing Democratic files. He stated that he was
not aware that the possibility of doing so existed; it was not common knowledge
in the office. He also denied being present at a "demonstration" by
C. Other Judiciary Committee Staff
In the interviews that were conducted, no other individuals on either the Republican, or Democratic staffs admitted that they knew that access could be obtained to the other's files. There is speculation among those interviewed that if Mr. Lundell learned how to get access to Democratic files, others on the Committee were probably doing the same thing. The Democratic staff working on judicial nominations clearly did not know there was a vulnerability. If they had, presumably they would have protected their files.
Other than the supposed "demonstration" by Ryan Davis, neither Mr. Lundell, nor Mr. Miranda identified anyone who they thought knew about accessing Democratic files. It is believable that they would not have told others. Notably, excerpts from e-mails between the two men set forth later in this report indicate their desire to keep secret the fact they had access to these documents. Mr. Miranda was thought of by his peers as having "a mole" on the other side and would smile when he was asked how he knew what appeared to be insider Democratic information.
There was speculation, by Republican staff that were interviewed, that the Democrats had been reading their memoranda. Each time this was mentioned, the investigators asked the person being interviewed to identify documents that he/she thought had been compromised and none was ever identified.
Unfortunately, forensic analysis cannot determine which users accessed specific files and/or folders. As explained earlier in this report, the audit logs that would show this were not turned on in the Judiciary Committee system. While the system has this type of tracking capability, in the Senate it is typically used only as an incident response and it is standard procedure to leave the logs off during normal operation. For this same reason, forensics cannot tell us whether a user was successful or unsuccessful in attempting to access something he/she was not authorized to access.
VIII. A Possible Source of the Disclosure to the Press
During the investigation several individuals acknowledged having seen hard copies of the Democratic documents. Investigators spoke with anyone that was identified as having a copy of the documents to ascertain how they came into their possession. Most individuals who had hard copies had downloaded them from the Coalition for a Fair Judiciary website. The one exception to this was Joe Matal, counsel for Senator Kyl, who told investigators that he received the documents from William McGurn of the Wall Street Journal on November 14, 2003.
Counsel for the Wall Street Journal declined to make Mr. McGurn, or Melanie Kirkpatrick12, available for interviews. Charles Hurt, the author of the Washington Times article on November 15, 2003, stated that he received the documents in hard copy, but not from a staff person on the Hill. He declined to name his source.
12 Two individuals who were interviewed expressed their belief that Ms. Kirkpatrick was the author of the November 14, 2003, Wall Street Journal editorial.
Kay Daly, President of the Coalition for a Fair Judiciary, whose website initially posted the documents, also declined to be interviewed citing the Sergeant at Arms' lack of "jurisdiction" over her, or the Coalition. Sean Rushton, Executive Director for the Committee for Justice, who Mr. Lundell believed to be the middle-man between Mr. Miranda and the press, declined to be interviewed after investigators refused to give him a list of questions in advance. He also returned investigators' call to interview C. Boyden Gray, Chairman of the Committee for Justice, reporting that Mr. Gray declined to be interviewed.
Without the press, or Coalitions being willing to reveal their source of the Democratic documents, the investigation faced a significant impediment to identifying the source of the disclosure. Additionally, because this was a fact-finding, administration investigation, law enforcement tools such as grand jury subpoenas to compel testimony and offers of prosecutorial immunity were not available to investigators. However, several individuals who were interviewed, both Republican and Democratic, implicated Mr. Miranda. While there is no definitive evidence pointing to Mr. Miranda as the individual who gave the documents to the press, or a party outside of the Senate, there is a substantial amount of circumstantial evidence implicating him. Additionally, Mr. Miranda's statements contradicted forensic evidence on two occasions and at other times were inconsistent with the recollection of other, reliable individuals.
Mr. Miranda has admitted to accessing Democratic files on his computer. Initially he told investigators that Mr. Lundell has tried to demonstrate this to him, but he was unsuccessful because he was not very computer savvy. Later, he admitted to accessing the files from his workstation on two occasions. In his press statement the day he resigned, Mr. Miranda stated, "Although I came to learn how to access two or three of these files easily enough, I did so few times and initially to ascertain that Democrats could access Republican files as well."
When the Democratic documents first appeared on the Coalition for a Fair Judiciary website on November 18, 2003, the last document that was posted was an e-mail containing the directory path of Mr. Miranda at the bottom. A forensic review helped determine this document was an e-mail from a web page that was viewed and printed by Mr. Miranda with Internet Explorer. Mr. Miranda could not offer an explanation for this, other than noting that the document was not a Democratic staff memorandum.13 When he was advised his directory path was on a document on the website, he called and asked that it be removed and a new version without his directory path was subsequently posted.
13 The document was an e-mail dated April 2, 2003, from Allison Herwitt of NARAL Pro Choice America.
When Mr. Lundell was asked how the Democratic documents were disclosed to the press, he identified Mr. Miranda as the likely source. Mr. Lundell stated that he met Mr. Miranda in the Senate Chef (an eatery in the Dirksen building) early in the week of November 17, 2003, shortly after the story broke. Mr. Lundell stated that he specifically asked Mr. Miranda if he had leaked the documents to the press and that Mr. Miranda said "No." Mr. Lundell told investigators that he then asked Mr. Miranda whether he gave them to Sean Rushton who gave them to the press. Mr. Miranda's response, according to Mr. Lundell, was to nod his head affirmatively.
When investigators presented Mr. Miranda with this information, he confirmed meeting Mr. Lundell in the Senate Chef, but denied giving the documents to Mr. Lundell, or indicating to Mr. Lundell that he did so.
Mr. Miranda recalled having seen nine of the Democratic documents that were posted on the website before they were made public. He may have seen the others, but stated that he did not specifically recall them. He denied giving the documents to the press in his initial interview and when asked in his second interview whether he had ever given them to anyone else, he answered "no - not to my recollection." In his third interview, Mr. Miranda continued to deny giving the documents to the press and had no specific recollection of giving them to anyone else, although he admitted he often shared "opposition information" with colleagues and could not say for sure whether he had given them to anyone else.
Also in his second interview, Mr. Miranda told investigators that most of the documents Mr. Lundell printed for him were useless and he would just throw them out. The ones he thought might be useful he kept in a folder that he later lost. He speculated this might have happened when he moved from the Judiciary Committee to the Majority Leader's offices. In his third interview he indicated he believes he lost the folder in the Majority Leader's office.
In Mr. Miranda's interview with investigators on January 15, 2004, he admitted to receiving memoranda while in the Senate Majority Leader's office, but denied actively soliciting it. The e-mail traffic below directly contradicts Mr. Miranda's statement to investigators:
From: Miranda, Manuel (Frist)
Sent: Wednesday, April 09, 2003 3:27 pm
To: Lundell, Jason (Judiciary)
On what Feinstein is doing re: Owen. Info on meeting she has had. Her Tps?[sic]
From: Lundell, Jason Sent: Wednesday, April 09, 2003 3:40 PM To: Miranda, Manuel (Frist) Subject: RE: anything
This all I could find (most of it from OJ).14
14 "OJ" is a reference to Olati Johnson. Nine documents were attached to this email.
Mr. Miranda asserted to investigators that his conduct in accessing Democratic files was not unauthorized and that it was appropriate to make these documents public because they were left available to others by the Democrats. He does not believe that he has committed any wrongdoing. A review of the e-mail traffic between Mr. Miranda and Mr. Lundell, however, indicates that they actively sought to keep what they were doing from others and acted covertly. For example, in the e-mail exchange between the two set forth below in March 2003 regarding a set of Republican documents referred to as the "Amex binder," Mr. Miranda does instruct Mr. Lundell to send documents to a third party.15
15 The "Amex binder" is a compilation of talking points, floor speeches, etc. kept by Senator Hatch's nominations staff. Ms. Comisaac indicated that she considered most of the information innocuou, but that there were some things she would not want to disseminate. Overall, it could be given to proper parties with a supervisor's permission.
From: Miranda, Manuel (Frist)
Sent: Thursday, March 06, 2003 10:48 AM
To: Lundell, Jason (Judiciary)
Subject: Am Ex
Can I ask you to undertake a discreet mission. Sean Rushton should get a complete relpcate [sic]of the Ame Ex binder. He needs to get up to speed with outr [sic] best info as he build [sic] relationships with the press.
Let me know how soon...assuming you accept, Mr.Phelps.16
16 The reference to "Mr. Phelps" refers to the secret agent who received instructions via audiotap in the Mission Impossible TV series.
From: Lundell, Jason (Judiciary) Sent: Thursday, March 06, 2003 11:09 AM To: Miranda, Manuel (Frist) Subject: Am Ex
Of course I would be happy to assist in this covert action. The question is: exactly how much should I provide? You know, we have loads on [sic] information.
From: Miranda, Manuel (Frist) Sent: Saturday, March 08, 2003 3:50 PM To: Lundell, Jason (Judiciary) Subject: Am Ex
Whatever is in the binder and whatever gives him a sense of the facts in rebuttal to the recurring themes.
From: Lundell, Jason (Judiciary)
Subject: Follow up on previous e-mail
Date: Fri, 07 March 2003 15:20
To: Miranda, Manuel (Frist)
As is the usual practice, please don't let anyone here know that I know all this.
On March 21, 2003, Jason Lundell e-mailed Sean Rushton 169 documents represented to be the "Am Ex" folder.
Another example of Mr. Miranda taking steps to protect others from finding out that he had accessed Democratic files occurred when he left the Judiciary Committee.
From: Lundell, Jason (Judiciary) Subject: Old Files Date: Wednesday, March 5, 2003 4:20 PM To: Miranda, Manuel (Frist) It seems Brian has removed your old file folders you didn't want others to see-which is good because people here have started to access your old files. You should check the e-mail I just bcc'd you on because Makan and Alex asked for the Dear Colleague letter. I had no choice but to forward it to them. Good luck with everything!
Another example from earlier that same date:
From: Lundell, Jason (Judiciary)
Sent: Wednesday, March 5, 2003 2:42 PM To: Miranda, Manuel (Frist) Subject: FILES
You may need to e-mail Brian separately (just bcc: me on it) and instruct him to permanently remove the personal, confidential files from the system contained in the folders named "Rose" and "Personal." Everyone now has access to these files. I have already copies [sic] these onto my computer as your backup just in case. If there is anything else you need off of there before he deletes any more files, let me know and I'll get you taken care of. But you should probably express your concern that you don't want your private files available to everyone and just ask him to delete those two folders. I'll monitor the situation and let you know what happens.
Six minutes later Mr. Miranda e-mails Brian Wikner:
From: Miranda, Manuel (Frist)
Sent: Wednesday, March 05, 2003 2:48 PM
To: Wikner, Brian (Judiciary)
Please delete my personal files from the stored files. They are in folders marked "Personal" and "Rose" and "fillib".
From: Wikner, Brian (Judiciary) Sent: Wednesday, March 05, 2003 2:51 PM To: Miranda, Manuel (Frist) Subject: RE: Files
No problem Manny. I've deleted them.
Mr. Lundell advised investigators that "Rose" was the folder where Mr. Miranda put the Democratic documents that Mr. Lundell e-mailed to him. A review of the contents of this folder confirmed it contained Democratic documents. The e-mail exchange set forth above indicates that after Mr. Miranda left the Judiciary Committee the System Administrator followed the Committee's usual practice and moved the documents from a former staff member's home directory into a folder in the shared directory. When this was discovered, Mr. Miranda had the System Administrator delete the folder containing Democratic documents. In his last interview, Mr. Miranda denied that he had ever downloaded any of the Democratic documents from Democratic folders, or Mr. Lundell's e-mails to him. Instead, he stated that "Rose" contained possibly scanned copies of Democratic files he received from Mr. Lundell, or notes he made about those documents. The contents of "Rose" contradict Mr. Miranda's statement.
After the Wall Street Journal article appeared on November 14, 2003, and the documents were posted on the public website, Lee Rawls, Chief of Staff to Majority Leader Frist, called Mr. Miranda into his office where Mr. Miranda stated that he had accessed Democratic files in the past, but that he had not accessed anything since he had come to the Majority Leader's office.
As outlined by the e-mails set forth above, Mr. Miranda continued to receive Democratic documents from Mr. Lundell after he left the Judiciary Committee even though he was not able to access the files himself after he was taken off the Judiciary Committee's computer network. According to Mr. Rawls, Mr. Miranda during that meeting said, "I made a mistake." Mr. Miranda denies this.
In his final interview Mr. Miranda mentioned for the first time that a backup disc, made while he was at the Majority Leader's office, had just come into his possession. He told investigators that a friend of his from outside the Senate had made a backup disc for him and had recently reminded him of that. He declined to give investigators the name of the friend stating that he did not want to prolong this investigation. He also refused to give investigators the names of his White House legislative contacts for the same reason. The existence of this backup disc and the lost file of Democratic documents leaves open the possibility that Mr. Miranda has Democratic documents in his possession.
IX. Analysis of Other Possible Methods of Access to Documents from the Judiciary Committee Computer System.
While it is clear to investigators that the Democratic documents disclosed to the press in this case originated with Mr. Lundell's accessing the files of Democratic staff who had open permissions, the investigation revealed other possible theories of how these documents might have become public. This section of the report addresses several of those theories and starting with the premise that the documents were, at least initially, taken from the computer system, presents several possible methods through which access could have been gained. This section of the report addresses some of the possible ways this might have occurred.
A. Hacking Into the System From the Outside
The SAA employs a number of technical, management and operational controls
at the boundaries of the Senate network. These controls are designed to:
The controls are both preventive and detective in nature. Multiple technologies provide these controls and they are deployed according to an overall "defense in depth" strategy. A diagram of the Senate's layered information security approach is attached at "N."
Some technical controls are monitored by network operations staff and some are monitored by an outside information technology security contractor. When potential security events are noted by either party, SAA staff is alerted. Despite not detecting any failure in these controls, the SAA periodically engages outside parties to evaluate their efficiency and effectiveness.
Remote access is provided only to authorized personnel upon request. Technical controls used for remote access include a two-factor authentication consisting of a time synch physical token (SecurID) and a personal identification number. These tokens are issued to Senate office representatives, who are then responsible for distributing and tracking them within their offices.
Remote users are routed to their office subnet only. These remote connections are also monitored by the SAA's enterprise-wide detective controls. When anomalous behavior is detected (such as when a remote user's computer or laptop is believed to be infected with a virus or computer worm), the SAA identifies the user ID attached to the remote connection and notifies the proper System Administrator.
The SAA has not encountered any incident where unauthorized access by an outside intruder occurred to a Senate computer within its network boundaries.
B. PcAnywhere presented a security risk.
When the Committee's servers were being imaged for this investigation, pcAnywhere started up on the Primary Domain Controller. This led investigators to question whether this software was in any way involved in giving unauthorized users access to the Judiciary Committee network.
PcAnywhere is part of the standard SAA template installed on desktop workstations and laptop computers, primarily to allow the System Administrator, or the SAA Help Desk, to access the machines for troubleshooting purposes. As part of the standard installation, it is configured to require the workstation owner's express permission each time a System Administrator, or the Help Desk needs access. It is common to see pcAnywhere on a Senate user's workstation and the Judiciary Committee did allow the SAA's Help Desk to assist its staff by utilizing this application.
PcAnywhere was most likely installed by the Committee's System Administrator because the servers were delivered by the SAA without software and the SAA does not have any records indicating that it subsequently installed the application.
The forensic explanation of why the pcAnywhere application automatically started during imaging of the Judiciary Committee server is that it was most likely part of a start-up routine established by the System Administrator, or a process that was set to start up at a specific time. The application was running silently in the background and was scheduled to be activated and begin "listening" for remote connections at the time it started up.
While it is not likely that pcAnywhere contributed to the disclosures in this case, the forensic review notes that it did present a vulnerability for the Judiciary Committee network. The program requires strict rules for obvious security reasons and the application on the Judiciary Committee server was explicitly configured less secure and contrary to its producer's recommendations. Unfortunately, because pcAnywhere did not log any user or program information, there was no way to determine if an unauthorized user attempted to break into the server.
C. The Anthrax Incident in October 2001
Some of those who were interviewed for this investigation speculated that the involvement of the SAA during the anthrax incident in October 2001 may have resulted in the relaxation of security controls for the Committee. According to the ASAA-CIO, the Judiciary Committee computer systems were unaffected by the Anthrax incident on October 15, 2001. During the temporary relocation of some Judiciary Committee staff to the Postal Square Building from November 2001 through January 2002, the SAA provided access to the Judiciary Committee network from Postal Square to accommodate workstations that were set up there for the use of the Judiciary Committee staff. This involved setting up a separate subnet for the Committee's workstations in Postal Square and then giving that subnet access through the Senate network routers to the Judiciary Committee subnet. The setup did not include, or require any changes to the host-based security on the Judiciary Committee servers. Anyone who wanted to access a resource on the Judiciary Committee network still had to log on to the server with a valid user name and password and have the appropriate permissions.
It is also important to note that the Nominations Unit, located at this time in the Dirksen building, did not require relocation. Mr. Lundell worked at his same workstation throughout the incident. Additionally, because the Committee's servers were located in the Dirksen Building, the System Administrator still had physical access to the server to perform whatever administrative tasks needed to be done.
D. Poor Physical Security/Computer Security Controls
Throughout the course of this investigation, several systemic flaws in both the physical security and computer security practices within the Judiciary Committee were identified as potential compromise points for sensitive documents. While the investigation has revealed that these vulnerabilities did or currently do exist, in no way did the investigation reveal that they contributed to the particular accessing and compromise of the documents in this case. Nevertheless, this report will note the security deficiencies identified in interviews of current and former Judiciary Committee staff to advise the Committee of potential vulnerabilities.
The Committee has never had documented computer security rules. While the Sergeant at Arms offers training and recommendations to the Systems Administrators assigned to Senate offices, there is no requirement that a Systems Administrator abide by those recommendations, or attend training.
One of the consistent computer security problems identified was the issuance and maintenance of passwords needed to access the Judiciary Committee server. Interviews with numerous Committee staff members revealed that many of them were issued predictable passwords that were identical to their username. For example, a staff member named John Doe would be issued a username of "JohnD," and his password would also be "JohnD." The individual would never be prompted to change, or customize his password. Interviews revealed that, while some staff members took it upon themselves to change their passwords, many did not (even as this inquiry was ongoing). In contrast, access to the e-mail server set up by the SAA staff requires a more stringent alphanumeric password, and the system forces the user to change his/her password after a preset number of days.
Another common password weakness identified was the issuance of generic and predictable passwords for interns, such as "intern1," "intern2," etc. Finally, there seemed to be a pattern of staff members sharing passwords. An administrative assistant for one subcommittee kept a list of user names and passwords for all staff members who worked for one Senator. Other staff members said that they would sometimes share their passwords with co-workers for various reasons, while others indicated that they would leave their passwords on, or near their workstation.
Another common computer security flaw identified was staff members not logging off the Judiciary Committee server, or not turning off their computers when leaving their workstations. The majority of staff members interviewed said they did not regularly turn off their computers upon leaving their workstations, including when they left work at the end of the day. This is particularly problematic because, unlike many current system configurations, the Judiciary Committee server does not automatically log a user off the system after a predetermined period of inactivity.
When this investigation commenced the Committee did not have an up-to-date list of which staff members had access to the network through remote access via SecureID. SAA records indicated the Committee had 16 active remote access cards, but the SAA does not track the names of individuals within the Committee who are given the cards. When this investigation began, the Committee's System Administrator was unable to account for all of the active remote access cards.17 While this is a potential vulnerability, users with remote access still need a valid username and password to access the network so it is unlikely the lack of inventory control contributed to access by an unauthorized person.
17 The System Administrator subsequently disabled all of the cards that were not accounted for.
Another security vulnerability identified was that, upon leaving for other jobs, staff members would sometimes download several, if not all, of their files onto compact discs, or other types of storage media. At least one of the authors of the compromised memoranda posted on the internet in this case had done so, although the author said the compact disc containing the questioned files was accounted for.
Several vulnerabilities were also identified in terms of physical security of documents within the Judiciary Committee offices. Interviews revealed that most offices did not have a system for disposing of sensitive documents. Most documents (draft copies of memos, etc.) were just thrown in the regular trash. Other than classified material such as FBI files, no distinction was made in the sensitivity of other documents. There was no regular practice of using locking waste bins, burn bags, shredders, or any other devices to enhance operational security. In fact, many of those interviewed indicated that sensitive documents were regularly left out on desks. Additionally, several staff reported that office doors were left unlocked at night.
X. Recommendations for the Future
A. Referral for Sanctions
Upon receipt and review of this report the Committee will have before it decisions to make about whether to refer individuals identified in this report for disciplinary, or criminal sanctions. The Chairman's letter authorizing the Sergeant at Arms to conduct this investigation requested only fact-finding and it is beyond the scope of this report to recommend any particular sanction for individuals identified in this report as having access to Democratic files. However, it is clear that one of the considerations before the Committee is what steps should be taken next. The Chairman and Senator Leahy have specifically asked whether a crime has been committed. Accordingly, this section of the report will address the criteria for possible referrals for disciplinary action and for criminal prosecution to the Department of Justice. It should be noted that any referral to a non-Senate entity - whether made by an individual, the Committee, or the Senate - could be problematic if that outside entity decides to conduct further investigation, or inquiry in a manner deemed inappropriate by Members.
1. Possible Ethics Committee Referral
Rule 29.5 of the Standing Rules of the Senate provides:
Any Senator, officer, or employee of the Senate who shall disclose the secret or confidential business or proceedings of the Senate, including the business and proceedings of the committees, subcommittees and offices of the Senate shall be liable, if a Senator, to suffer expulsion from the body; and if an officer or employee, to dismissal from the service of the Senate, and to punishment for contempt.
When this Rule was amended in 1992 by Sen. Res. 36318 to include the protection of business of committees, Senator Mitchell outlined the reasons why the protections afforded confidential business, or proceedings of the Senate should be expanded to cover committees, subcommittees, and offices. He stated:
...candid discussions among Members depend upon a trust that is based, in part, on a willingness of all Members to abide by the practices of the Senate. Those practices place responsibility for certain decisions, such as the decision whether to release confidential information, in the hands of the Senate as a whole, or in committees of the Senate, rather than in individual Senators. The unilateral decision by a Member or employee to release confidential committee information is inconsistent with the Senate's practice of making such decisions openly and collectively. Arrogation of this responsibility by individuals can destroy mutual trust among Members and be harmful to the institution.
Congressional Record, October 8, 1992, p. 17836.
18 This amendment followed the report of the Temporary Special Independent Counsel investigating the unauthorized disclosures in connection with the Thomas nomination and the Keating Ethics proceedings.
The legislative history of this amendment also explains that while the Select Committee on Ethics would have jurisdiction to consider an allegation of Rule 29.5, "[almost always, questions about leaks should be addressed first by Members or committees or offices themselves." Id.
The Select Committee on Ethics also investigates unethical and improper conduct which may reflect upon the Senate, even though that conduct does not violate a written law, Senate rule, or regulation. S. Res. 338, 88th Cong., 2d. Sess. (1964), as amended by S. Res. 110, 95th Cong., 1st Sess. (1977).
The Ethics Committee procedures may provide the Judiciary Committee with an avenue for determining whether a criminal referral to the Justice Department is appropriate. While it would not be able to exercise jurisdiction over former Senate employees, it may be willing to consider reviewing the report of this investigation for possible criminal referral.
2. State Bar Attorney Disciplinary Boards
Model Rule 8.4 of the American Bar Association's Model Rules of Professional Conduct states that it is professional misconduct for a lawyer to, among other things, "(c) engage in conduct involving dishonesty, fraud, deceit, or misrepresentation." The comments to this Rule are instructive:
(2)...a lawyer should be professionally answerable only for offenses that indicate lack of those characteristics relevant to law practice. Offenses involving violence, dishonesty, breach of trust, or serious interference with the administration of justice are in that category.
This investigation did not identify the states where any of the attorneys interviewed are licensed to practice law. The Committee may decide to refer attorneys subject to a rule similar to 8.4 to the attorney disciplinary boards where they are licensed to practice law. One significant note of caution in considering type of referral is that it may open doors to state disciplinary boards asserting jurisdiction over Senate attorneys where in the past they have not. Additionally, the Committee would be expected to cooperate in any subsequent investigation, the details and avenues of which may be beyond what it originally anticipated.
3. The Justice Department
If the Committee were to refer this report to the Justice Department, prosecution might be considered under the Computer Fraud and Abuse Act. The provision of this law most likely to apply in this case is 18 U.S.C. section 1030(a)(2)(B). It provides:
(a) Whoever -(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains -(B) information from any department or agency of the United States;
shall be punished under subsection (c) of this section.
For purposes of 18 U.S.C. section 1030:
- the term "exceeds unauthorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the access-er is not entitled so to obtain or alter; 18 U.S.C. section 1030(e)(6).
- the term "department of the United States" means the legislative, or judicial branch of the Government, or one of the executive departments enumerated in section 101 of title 5; 18 U.S.C. section 1030(e)(7).
When Congress amended 18 U.S.C. section 1030 in 1996 by adding section (a)(2)(B), it meant to address a gap in the law's coverage. The legislative history states:
The second gap is the significant limitation on the privacy protection given to information held on Federal Government computers. Specifically, the prohibition only applies to outsiders who gain unauthorized access to Federal Government computers, and not to Government employees who abuse their computer access privileges to obtain Government information that may be sensitive and confidential.
Senate Report 104-357, 104th Cong., 2d Sess., August 27, 1996, p. 4.
The legislative history also indicates that section (2)(B) was meant to cover government employees who "obtain information" by merely reading it. Id.
18 U.S. C. section 1030(a)(2)(B) is a misdemeanor punishable by a fine and/or not more than one year imprisonment. A referral to the Department of Justice could be made by either contacting the United States Attorneys' office for the District of Columbia or the Criminal Division's Computer Crimes and Intellectual Property Section. A prosecution under this section could result in litigation involving the article I, section 6 of the Constitution (speech and debate), the First Amendment (freedom of the press issues), the Fourth Amendment (issues relating to the search of computer records), and the definition of "unauthorized access' under the statute. And, while a criminal investigation could commence upon referral to the Department of Justice, a Senate Resolution would be needed to introduce documents or testimony into a Grand Jury or at trial. See Senate Rule 11.
In informal briefings prior to the issuance of this report, Committee Members asked about the possibility of pursuing a false statement case against Mr. Miranda for being untruthful with investigators. The relevant statute, 18 U.S.C. section 1001, provides:
(A) Except as otherwise provided in this section, whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully --(2) makes any false, fictitious, or fraudulent statement or representation;
shall be fined under this title or imprisoned not more than 5 years, or both.
The statue specifically addresses false statements in the context of legislative investigations:
(C) With respect to any matter within the jurisdiction of the legislative branch, subsection (a) shall apply only to --(2)any investigation or review, conducted pursuant to the authority of any committee, subcommittee, commission, or office of the Congress, consistent with applicable rules of the House or Senate.
Members have also inquired about whether persons who received copies of the Democratic documents violated the law by receiving stolen property. The relevant statute under which prosecution might be considered provides:
Whoever embezzles, steals, purloins, or knowingly converts to his use or the use of another, or without authority, sells, conveys or disposes of any record, voucher, money, or thing of value of the United States or of any department or agency thereof, or
Whoever receives, conceals, or retains the same with intent to convert it to his use or gain, knowing it to have been embezzled, stolen, purloined or converted --Shall be fined under this title or imprisoned not more than ten years, or both; but if the value of such property does not exceed the sum of $1000, he shall be fined under this title or imprisoned not more than one year, or both. 18 U.S.C. section 641.
In addition to the statutes set forth above, a referral for prosecution may raise issues of whether any laws of the District of Columbia were violated in this matter. While this report does not intend to present an exhaustive consideration of all possibly applicable criminal statutes, the District's prohibition against taking property without right is another statute that local prosecutors might consider. It provides:
A person commits the offense of taking property without right if that person takes and carries away the property of another without right to do so. A person convicted of taking property without right shall be fined not more than $300 or imprisoned not more than 90 days, or both. DC ST 22-3216 (1981).
A prosecution under a District of Columbia or any federal statute would implicate many of the same issues outlined above as likely to be presented by a prosecution under 18 U.S.C. section 1030. In deciding whether to pursue a prosecution arising from the facts of this investigation, prosecutors will apply the usual standard of review in considering whether to pursue or decline the case: whether there is evidence of a prima facie case and a reasonable probability of conviction, i.e, whether the admissible evidence will probably be sufficient to obtain and sustain a conviction. Other considerations influencing prosecution include whether there is a substantial federal interest affected and if there exists an adequate, noncriminal alternative to prosecution.
United States Attorney Manual, section 9-27.220.
B. Immediate Steps to Enhance Computer Security for the Committee
Separate servers were provided to the Judiciary Committee during the pendency of this investigation. The Committee now has two System Administrators - one for the Republican staff and one for the Democratic staff. This will eliminate any concern that users' files have open permissions allowing those of the other party to view their documents. It does not, however, ensure that permissions are set properly to secure users' home directories from the view of other users on the same server, or that other vulnerabilities addressed in this report will not recur. To ensure the future security of the Committee's computer system, the SAA recommends additional training, enhanced security practices and a complete, prospective security audit.
The Committee leadership should require that its System Administrators' enroll in additional training programs with an emphasis on security policies. This training is provided on a regular basis by the Senate's Joint Office of Education and Training Office. Additionally, the Committee should require mandatory and recurring user training also with an emphasis on security policies and best practices. Users generally did not understand the difference between their home directories, shared folders, and their local hard drives, how to protect their passwords, or the importance of not leaving their computer running when away from their desks. This training could be provided by the System Administrator's or through the Joint Office of Education and Training. The Committee should also consider incorporating ethics training into an orientation program for new employees to ensure they understand the Senate's expectations for ethical conduct that meets the highest professional standards.
There are several security practices that should be implemented by the Committee
immediately if it has not already done so:
Regardless of the efforts of the Committee to enhance security since the beginning of this investigation, the SAA strongly recommends a prospective audit of the network by a party outside of the Committee. The audit would be focused on security and compromise protection. It will provide an assessment of the efficiency and effectiveness of current physical and logical controls over the computerized information systems and recommendations for improvement. The SAA believes this proactive review is necessary for the Committee to maintain a consistently available network with efficiency and security in mind. The audit could be conducted by the SAA, the General Accounting Office, or a private contractor. On February 20, 2004, the Chairman and Ranking Member sent a letter to the General Accounting Office to commence this important audit.
C. Measures to Enhance the Security of Computer Networks Senate-Wide
It is incumbent upon the SAA to take all steps necessary to ensure that the
vulnerabilities identified during this review of the Judiciary Committee
do not exist elsewhere among the Senate offices. As a result of the lessons
learned during this investigation, the SAA will ask the leadership of the
Senate to consider the following:
This investigation depended entirely on the voluntary cooperation of those who were asked to be interviewed. While investigators followed leads and interviewed many individuals as a result of learning their names during interviews, it remains possible that there are other current or former members of the Senate community who have knowledge of the open nature of the Judicary Committee computer system who have not come forward or been identified. This was evidenced most recently in press reports on March 2, 2003, when a former Grassley intern was reported to have knowledge of Committee computer security system vulnerabilities. His name was not been provided to investigators when they asked for all employees (paid, interns, and detailees) who worked for the Committee from June 2002 to the present. There are likely to be other individuals who had access to the Committee's computer system whose were not provided to investigators.
The tremendous amount of computer data in this case also leaves open the possibility that additional evidence could be discovered by investing substantially more time and money in analyzing individual workstations, print logs, and e-mails.