Capitol riots raise urgent concerns about Congress’s information security
Digital security experts are raising the alarm over Wednesday’s breach of the US Capitol, which not only threatened lawmakers’ physical safety but also created potential national security and intelligence risks, they say.
As rioters stormed the Capitol building, they broke into congressional offices, ransacked papers and in at least one case, stole a laptop, according to a video shared on Twitter by Sen. Jeff Merkley.
Merkley’s office wasn’t the only one robbed, according to authorities. On a call with reporters Thursday afternoon, US officials said multiple senators’ offices were hit.
“This is probably going to take several days to flesh out exactly what happened, what was stolen, what wasn’t,” said Michael Sherwin, acting US attorney for the District of Columbia. “Items, electronic items, were stolen from senators’ offices. Documents, materials, were stolen, and we have to identify what was done, mitigate that, and it could have potential national security equities. If there was damage, we don’t know the extent of that yet.”
There has already been some public confusion about what was taken, and . On Friday, Rep. Jim Clyburn told reporters on a call that his iPad had been stolen in the Capitol. Rachel Stein, a spokesperson for Clyburn, later clarified that the iPad had simply been moved by staffers for safety, and that other staffers hadn’t known. And a laptop from House Speaker Nancy Pelosi’s office also went missing, Reuters said on Friday. Drew Hammill, a Pelosi spokesman, confirmed the theft but quickly added that the device was “only used for presentations.”
The thefts — and fears thereof — raise questions about Congress’s cybersecurity posture and whether US officials have done enough to secure their computing devices and networks from direct, physical access.
The incident highlights the grave cybersecurity risks that now face all lawmakers, congressional staffers, and any outside parties they may have communicated with in the course of business, security professionals say. Merkley sits on the Senate Foreign Relations Committee, which routinely discusses US global strategy and has oversight over the State Department.
There is no evidence that the rioters’ ranks included skilled hackers or motivated spies, and no indication so far of a data breach. But it is a danger that US Capitol Police and congressional IT administrators must now consider, said Kiersten Todt, managing director of the Cyber Readiness Institute.
“What you absolutely hope is that last night, after the looting and the invasion happened, that the congressional IT division was on top of things and taking inventory across all offices,” Todt said, “checking to see which devices were accounted for, and which were not, and were able to wipe those devices clean immediately.”
Spokespeople for the US Capitol Police and the House and Senate Sergeants At Arms did not return requests for comment.
As with remote hacking, physical access to a computer or mobile device can allow thieves to view emails, connect to networks and download important files without permission. But physical access threats are often considered even more dangerous, because they give hackers more options for compromising a device.
“There’s a lot more you can do when you have physical proximity to a system,” said Christopher Painter, a former top US cybersecurity official.
Attackers that have gained control of a laptop, for example, can plug in malware-laden USB drives, install or modify computer hardware, or make other surreptitious changes to a system they would not be able to accomplish from a distance.
Given the right level of access, even a casual attacker would be able to view congressional emails, shared fileservers and other system resources, said Ashkan Soltani, a security expert and former chief technologist at the Federal Trade Commission.
Even unclassified information can be damaging in the right contexts and in the wrong hands, Painter added.
Several current Senate staffers told CNN that while some IT protections exist across the organization, many decisions about information security practices are left up to individual lawmakers’ offices.
Lawmakers and their staff use a potpourri of technology: iPhones, iPads, MacBooks, Android devices, Microsoft Surface tablets, and laptops from HP, Dell and Lenovo, to name a few, according to one of the staffers.
Congressional devices commonly have a tool known as Lookout installed, two of the staffers said. Lookout is a mobile security provider whose services include the ability to monitor for phishing, malware and network attacks on devices and can block connections to corporate resources if it detects a problem.
Mobile devices and laptops are generally password-protected, the staffers said. One of them said that, in his office, devices are set to lock themselves automatically after 30 minutes or sometimes less.
Accessing certain applications, such as shared file storage systems and Skype, requires logging into a VPN, the staffers said. And logging onto the VPN also requires multi-factor authentication.
But a VPN is not required to access emails that have been downloaded to a mobile device, they said, and many staffers do not store their files behind multiple layers of protection.
“A lot of people just keep folders on their desktop — not everyone uses their server storage,” one staffer told CNN.
— CNN’s Kara Scannell contributed reporting.
Update: An earlier version of this story reported that Rep. Jim Clyburn said an iPad had been stolen from his office. A spokesperson later clarified that the iPad had been moved for safety and that there was confusion among staffers as to its whereabouts.