Cybersecurity experts believe that the pro-Trump mob that breached the physical security of the Senate floor in the U.S. Capitol on Wednesday posed substantial cybersecurity risks. As congressional staffers and legislators were relocated to secure locations, any computers, documents, mail, or personal schedules left unsecured in the congressional offices could have been accessed.
Speaker of the House Nancy Pelosi (D-San Francisco) and Sen. Jeff Merkley (D-Ore.) lost laptops during the Capitol riot. House Majority Whip Rep. James Clyburn, a South Carolina Democrat (D – District 6), clarified that the missing iPad was only relocated and not stolen as initially reported by the media.
Some protesters also boasted of shuffling through documents, including the protester pictured sitting in Pelosi’s office who reportedly plucked an envelope from the speaker’s desk.
Capitol riot posed substantial cybersecurity risks to congressional and federal computers
Cybersecurity experts note that if the protesters accessed logged-in congressional computers, they might have copied sensitive information. Jesse Varsalone, associate professor of computer networks and cybersecurity at University of Maryland Global Campus, says that if the computers were encrypted, the protesters did not pose a cybersecurity risk.
However, if the information was already displayed on the screen, the protesters posed significant cybersecurity risks, according to Suzanne Spaulding, the former undersecretary of the Department of Homeland Security and the current security adviser at Nozomi. Spaulding told the Los Angeles Times that the protesters could have snapped images of documents and opened emails.
The Washington Post reported that one protester had access to an unlocked computer displaying a staffer’s email at Pelosi’s office. However, the news outlet could not confirm if the device was a personal computer or a work machine.
Spaulding added that although the protesters who broke into the Capitol building may not have intended to “use their physical access to gain access to the IT system,” the folks who made away with the laptops could eventually exploit them.
David Wolpoff, chief technology officer at Randori Inc., pointed out that just the physical access to congressional computers posed potentially serious cybersecurity risks. Wolpoff noted that “if someone has physical access to your computer, then it’s not your computer anymore.”
CNN reported that although the legislature has overall cybersecurity guidelines, some decisions were left to individual legislators’ offices. For example, many staffers download emails, storing them on devices without multiple layers of encryption. Consequently, the cybersecurity risks associated with physical access and the stealing of “less important” devices could not be discounted.
Sen. Merkley’s laptop poses additional cybersecurity risks because it was part of the federal network and could allow attackers to infiltrate government systems. Similarly, although Pelosi’s device stolen during the Capitol riot was only used for presentations, there’s no guarantee that it didn’t contain any information not meant for the public, including classified presentations.
Other cybersecurity risks posed by the Capitol riot include the installation of malware during the commotion. Mick Baccio, an Obama administration cybersecurity adviser, tweeted that there was the possibility of spying and planting bugs during the Capitol riot. However, most cybersecurity experts believe that it was improbable that they did so.
Currently, no evidence suggests that tech-savvy cybersecurity threat actors or foreign operatives were among the mob that overwhelmed the Capitol police. However, the Capitol security team must review the entire footage to understand how the protesters interacted with various devices.
Determining the extent of cybersecurity damage
The full extent of the cybersecurity risks posed by the Capitol protesters will also become clear after congressional I.T. staff take inventory of the devices and incidents during the Capitol riot. Acting U.S. Attorney for the District of Columbia Michael Sherwin said that it would take “several days to flesh out exactly what happened, what was stolen, what wasn’t.”
Truss director of security Kimber Dowsett tweeted that IT staff must “run asset inventory IR” following the Capitol riot.
David O’Boyle, a spokesman for the House of Representatives’ administrative office, said that officials took necessary steps to secure computer systems during the Capitol riot.
However, Sherwin maintains that “Items, electronic items, were stolen from senators’ offices. Documents, materials, were stolen, and we have to identify what was done, mitigate that, and it could have potential national security equities. If there was damage, we don’t know the extent of that yet.”
“Legislators and their staffers are often working with sensitive information. Even one missing laptop is a big deal,” says John Dermody, a counsel in the Washington, D.C. office of the international law firm O’Melveny & Myers and a member of the firm’s Data Security & Privacy Group.
Dermody hopes it will be possible to remotely wipe the stolen devices to prevent any leaks of sensitive information. He also recommended that Capitol Hill employees reset their passwords to avoid the misuse of any stolen credentials. Capitol I.T. security staff should also “scrub the entire network to make sure nothing illicit was placed on the system, such as by a thumb drive,” according to Dermody.
“With all the focus on sophisticated cybersecurity tools, we can lose sight of the fact that there is no cybersecurity without physical security,” Dermody says, warning that U.S. adversaries are undoubtedly looking for ways to capitalize on the chaos.
“Foreign intelligence services are opportunistic, and even if the riot was unexpected, they will look for ways to take advantage.”