Okay, since we strayed into "Unclassified networks don't contain anything of national security interest" - and I noted policy and pre-decisional documents often sit on those networks... and are sensitive and controls and not for public dissemination - so what are they?

Policy documents, often are just that, drafts of what an agency or commission plans to issue - they take months, and even years, sometimes to create, review and release. While generally non-material in worth, they can have an impact on places like Wall Street, as ...

... say in the hands of hedge funds, will short an industry or company that may be subject to a ruling. The Bureau of Labor Statistics maintains similar control over things like the Consumer Price Index for the same reasons, embargoed until the release day... oddly...

T***p had usually received these a day or so early, as other presidents do, so staff can draft segments, but they all tended to respect the embargo until this administration. We saw him do it twice and the markets reacted. Go look it up.

While working on the Open Data Initiative at OMB, I worked with the Nuclear Regulatory Commission, who, while mandated to participate, mentioned releasing any of their data gets weird, because on one hand you have places like those hedge funds placing bets on...

service cycles of nuke plants (it's a thing, the time for cycling through, if shortened can save a lot of $$, but it's typically non-public info), so the NRC was kind of "why should we?", conversely they had Greenpeace on the other hand, forgot which data set, doing something

the other way. Regardless, policy and data, even on unclassified networks can move a lot of stuff.

But that's just one part.

Most legislation drafts are also unclassified, but again, they are pre-decisional.

When I was tasked with the lead for marking up cybersecurity legislation for OMB in 2014, while I had the drafts emailed to me, and the original proposals entered into he congressional record... the back and forth between the Executive and Legislative tended to be, um...

under wraps... as it's seen with how the President and Congress ask each other for things, that's pre-decisional negotiations. If you have a major change, that say, isn't to be a law, but rather an EO or other policy doc, that's also often close hold.

If say, one of our adversaries wanted to target somebody for influence, somebody wavering, or somebody who had outsized influence on a piece of legislation or policy there are ways either directly, or through constituents to manipulate that evaluation process for influence.

all of this tends to take place on unclassified email systems for the most part... which while often sectioned off within agencies and such, getting PHYS access to an unlocked computer in say, a shared workspace, makes that barrier lower.

We shared an office building with no real physical space controls with the Voice of America, who employed foreign nationals, while at HHS OIG. While doing red-teaming, these concerns were brought up, but very little could be done. We had a historic building by GSA standards.

So, we created a policy and technical mechanisms to secure our systems (auto-lock screens, encrypted drives, 2FA/MFA requirements, and reducing or eliminating removable media). From reports about Congress, not only did that no exist in whole or part... but was unenforceable

Then what can you do? For one, obviously, move to MFA/2FA, screen locks, encryption, etc. - but that requires central management. There's a list of that in Congress, but generally, it's 535 offices that tend not to trust one another.

While possibly viewed as a strength to not allow lateral movement if an office or group of offices or committees were compromised, it makes recovery and clean up after an event such as this time consuming and expensive due to no central management like in most agencies.

...and now we get to "who's gonna pay for all of this"? In most cases, such as agencies, it's incremental improvements, build upon year after year, but central management allows this to scale well. Congress, not so much. There will need to be a major budget package for this fix.

Staffing, tech, time needed to do it all, plus any other rework that's been on the back burner... some paid from the US Treasury through budget allocations, others may be out of Congressional (Senator and Rep) office funding. Possibly pays to be a millionaire this time.

IIRC, and somebody PLEASE correct me here, due to the unique nature of Congress and it's structure and role, they are NOT subject to the Anti-Deficiency Act the way the Executive is, since they have the power of the purse as it was.

As an Executive Branch employee, you couldn't buy your own monitor if yours sucked, or in even some extreme cases, a lamp, because that creates a non-appropriated obligation to the US Government that wasn't approved by Congress. Congresscritters, I think, may not be subject

So, if this is the case, the Senate offices of Graham, Schumer, and McConnell may be first to recover... Pelosi and such down the line where $ and influence works ahead of IT, may also benefit from it as well. Again, Congress staff, please check me here.

But, regardless, the "nuke and pave" comes with it's own issues, EVEN IF the networks were unclassified in what they handled. The access is still useful to adversaries, mainly through soft power and influence. Knowledge is power as they say.