Capitol Riot Opens Congress to Potential IT Compromise

Rep. Andy Kim, D-N.J., cleans up debris and personal belongings strewn across the floor of the Rotunda in the early morning hours of Thursday, Jan. 7, 2021, after protesters stormed the Capitol. Andrew Harnik/AP

Experts weigh in on the IT security implications after violent rioters stormed Congressional offices, gaining access to unsecured computers and stealing devices.

A rioting mob Wednesday breached the Capitol Building, destroying, looting and compromising the integrity of the electoral process. But the attack also laid bare the insecurity of the legislative branch’s IT systems, including computers left running and exposed and reports of devices stolen from members’ offices.

Wednesday’s attack on the Capitol requires far more important conversations about the security of our nation and democracy than it does about the IT devices and data housed within. But the importance of information security and cybersecurity is not minor—as seen in two major months-long espionage campaigns backed by China and Russia in the last five years—and it has significant implications for national security.

After successfully breaching the Capitol Building, hundreds, if not thousands, of Trump supporters wove their way through the labyrinth of hallways, searching rooms and breaking into members’ offices and committee chambers. As of Thursday afternoon, there was no public evidence or statement that rioters had gained access to the most secure parts of the Capitol: the sensitive compartmented information facilities, or SCIFs.

However, at least one member of Congress reported the theft of a laptop from his office.

Sen. Jeff Merkley, D-Ore., recorded video of his destroyed office in the aftermath of the attack. Merkley said his office door was unlocked, though the attacker chose to break the door off its hinges nonetheless.

“They stole the laptop that was sitting on the table next to the telephone,” he says in the video.

“So, count this office trashed,” he added.

And at least one photo emerged on social media—later deleted, though Nextgov obtained a screenshot—of a desktop computer left on and unsecured in the office of House Speaker Nancy Pelosi. Rioters could see open emails and an alert from Capitol police warning of the ongoing siege.

“The breach is clearly alarming on many levels, starting with the physical violence,” Dan Lips, director of cyber and national security at Lincoln Network, told Nextgov. “It’s problematic that the intruders apparently had access to offices in the Capitol building. An intruder could have gained physical access to a machine, inserted a jump drive to compromise a machine. Devices could have been stolen and so forth. While the immediate focus is on clearing the buildings and making sure there are no physical security risks, the sergeant at arms offices will need to investigate and remediate these potential risks.”

Lips noted that the amount of available—and reliable—information about what happened Wednesday is limited, though the trail of destruction was clearly visible.

“It’s also possible that an adversary might take advantage of the opportunity to join the protestors,” he said. “I expect that offices and the [Senate Sergeant at Arms] offices will be doing after action reviews. That should include an assessment of potential technology impacts.”

While the risk is low that truly sensitive information leaked, it is not nonexistent, Lips said.

“Leadership offices located in the Capitol would presumably have sensitive internal communications that adversaries would like to access,” he said. “Even if they were just accessing internal emails and memos, such information could provide insight into the inner workings of the U.S. Congress.”

There are some simple security measures members could have taken to limit some of the compromise, according to Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University and former counsel for the House Intelligence Committee and Senate Foreign Relations Committee. In reference to pictures on social media of unlocked computers—including one of a desktop in House Speaker Nancy Pelosi’s office showing open email messages and a flash alert warning members of the ongoing siege—Jaffer suggested a two-minute lock policy would have been an easy solution.

“I get it: If you have to run out because it’s an emergency and people are storming the building with guns, you have to leave ASAP,” he said. “But your computer should automatically lock two minutes after that.”
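The two-minute lock Jaffer describes is an inactivity-lock policy, and on a Windows workstation it is a small configuration change. The script below is an added example written for this page, not something from the article or from the Capitol's IT staff; it assumes an elevated PowerShell session on a Windows host and that no Group Policy is already overriding these registry values. It sets the machine-wide "Interactive logon: Machine inactivity limit" (the `InactivityTimeoutSecs` policy value), adds a password-protected screen saver for the current user as a second layer, and then reads the settings back so an administrator can confirm that an unattended machine will actually lock.

```powershell
# Added example (not from the article): enforce an idle-lock policy on a Windows workstation.
# Assumptions: elevated PowerShell session; no conflicting Group Policy applied to this host.
# The 120-second limit mirrors the two-minute figure quoted in the article.
#Requires -RunAsAdministrator

$LockAfterSeconds = 120

# Layer 1: "Interactive logon: Machine inactivity limit". Machine-wide, applies to every
# user who logs on. A value of 0 (or no value) means the limit is disabled.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name 'InactivityTimeoutSecs' -Value $LockAfterSeconds -Type DWord

# Layer 2: per-user screen saver that requires a password on resume.
# ScreenSaveActive=1 enables the saver, ScreenSaverIsSecure=1 demands a password,
# ScreenSaveTimeOut is the idle time in seconds before it engages.
$DesktopKey = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveActive'    -Value '1' -Type String
Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaverIsSecure' -Value '1' -Type String
Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveTimeOut'   -Value "$LockAfterSeconds" -Type String

# Verification: read the values back and report anything that leaves the machine unlockable.
function Test-IdleLockPolicy {
    param([int]$MaxSeconds = 120)
    $findings = @()

    $machine = (Get-ItemProperty -Path $PolicyKey -Name 'InactivityTimeoutSecs' `
                -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    if (-not $machine -or $machine -gt $MaxSeconds) {
        $findings += "InactivityTimeoutSecs is '$machine' (want 1..$MaxSeconds)"
    }

    $saver = Get-ItemProperty -Path $DesktopKey -ErrorAction SilentlyContinue
    if ($saver.ScreenSaveActive -ne '1')    { $findings += 'ScreenSaveActive is not 1' }
    if ($saver.ScreenSaverIsSecure -ne '1') { $findings += 'ScreenSaverIsSecure is not 1 (no password on resume)' }
    if (-not $saver.ScreenSaveTimeOut -or [int]$saver.ScreenSaveTimeOut -gt $MaxSeconds) {
        $findings += "ScreenSaveTimeOut is '$($saver.ScreenSaveTimeOut)' (want 1..$MaxSeconds)"
    }

    if ($findings.Count -eq 0) { return "OK: workstation locks within $MaxSeconds s of inactivity" }
    return $findings
}

Test-IdleLockPolicy -MaxSeconds $LockAfterSeconds
```

For an office of many workstations the same `InactivityTimeoutSecs` setting belongs in a Group Policy Object (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, "Interactive logon: Machine inactivity limit") rather than in a per-host registry write, so that the limit is enforced centrally and a user cannot quietly turn it back off; the verification function is still useful there as a spot check that the policy has actually applied.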

That said, the potential exposure from an unsecured computer is relatively small, said Daniel Schuman, policy director at Demand Progress and a former Hill staffer who worked on IT issues.

“The Capitol complex often has many, many visitors and guests going through it all the time,” Schuman said. “It is not unusual for certain computers, certain technologies, in certain circumstances to be exposed to the public and others in semi-controlled environments.”

As an example, Schuman suggested the desktop computer of a staffer should never be left unlocked and unattended, but that it does happen. And, he noted, the information on such a device is unlikely to be classified or top secret in nature.

“It’s stuff that you probably want to keep confidential,” but not something that would be a national security risk, he said.

Schuman also noted photos and videos of rioters sitting at members’ desks and using their phones, which are internet-connected voice-over-IP devices.

“Do we have to go and replace all phones in the computer network? Probably not, that doesn’t seem to make sense, even though those are like little computers,” he said. “But you probably should test them to make sure there weren’t bugs put on them.”

Jaffer agreed: The key to remediation in this case will be due diligence.

“Ripping and replacing everything is an extreme measure. It may be warranted in some circumstances,” Jaffer said, citing an op-ed from former Homeland Security Advisor Tom Bossert stating that might be necessary for some systems compromised in the SolarWinds breaches. “I don’t know that I would be burning down the entire network and ripping and replacing anything unless you have clear evidence that particular systems have been compromised—that people have gotten on them or that they have been left unlocked or the like.”

“It’s all about taking a risk-based approach,” he said. “What is the risk to your systems? How much has it been increased by what happened yesterday? And, then, what can you do to mitigate that risk?”

For the obvious, known compromises—open email apps and stolen devices—there are basic mitigation and forensic options available.

“An open email account is not great. It’s not great,” Schuman said. “But you can use IT forensics techniques and other technology measures to figure out to what extent it might be compromised. As you get to more secure facilities, it becomes a different story.”

Experts noted the networks and overarching systems are managed centrally, but individual member offices have control over the devices and policies they employ. That said, neither Jaffer nor Schuman said they would be comfortable allowing member offices to connect to the main network without a full forensic inventory and investigation.

“Did someone plant a bug? Did someone go and upload malicious software? There’s that set of threats,” Schuman said. “And then there’s: Did someone see your computer or did someone steal a staffer’s phone or their identity card?”

While much of the rioting appeared to be focused on disruption and destruction, the chaos could also have afforded an opportunity for foreign spies, though those scenarios seem less likely.

“The likelihood of foreign adversary assets—I wouldn’t say ‘spies,’ I don’t know that there were Russian nationals in that crowd; but might there have been people working for the Russians, certainly possible,” Jaffer said. “Do I have any evidence of that? No. But if I knew there was a major Trump rally going on and I was a foreign intelligence service, would I want to have my people nearby? Sure.”

That said, being at a major rally and being ready to storm the Capitol with a malware-laden thumb drive are two different things, with the latter being far less likely, Jaffer said.

“Is it possible? Of course it’s possible,” he said. “Is it likely? I have no evidence to believe that that happened. But we don’t know what we don’t know.”

With all the other concerns stemming from the attack, Jaffer said a potential foreign asset implanting malware on Capitol Hill networks is low on the list.

“History tells us that foreign intelligence services have exploited domestic protest movements,” Lips said. “If I was working at [the Sergeant at Arms] or an office that was breached, it’s a possibility that I’d consider.”

“The underlying problem is that underlying IT security in the legislative branch—just like IT security throughout the government—is nowhere near as robust as it needs to be,” Schuman said, pointing to several significant national security breaches of the last few years.

“So, do they need to go through with a hammer and destroy their entire infrastructure? Probably not,” he said. “There are a number of IT design questions which the storming implicates. But it doesn’t necessarily mean that you need to take a hammer to everything.”

“On the other hand, I would be nervous about all the stuff,” he added.

No matter the extent of the compromise, Schuman was not optimistic about the branch’s likely response.

“They’ll do some cosmetic stuff,” he said. “They’ll say, ‘We’ve solved the problems from the intrusion.’ They’ll probably spend—blow—a ton of money replacing technologies that they don’t need to replace or not replacing technologies they really should replace, and doing all the wrong stuff. And they’ll be like, ‘Problem solved.’ That’s what’s going to happen.”
