Capitol Riot Opens Congress to Potential IT Compromise
Experts weigh in on the IT security implications after violent rioters stormed Congressional offices, gaining access to unsecured computers and stealing devices.
A rioting mob Wednesday breached the Capitol Building, destroying, looting and compromising the integrity of the electoral process. But the attack also laid bare the insecurity of the legislative branch’s IT systems, including computers left running and exposed and reports of devices stolen from member’s offices.
Wednesday’s attack on the Capitol requires far more important conversations about the security of our nation and democracy than it does about the IT devices and data housed within. But the importance of information and cybersecurity are not minor—as seen in two major months-long espionage campaigns backed by China and Russia in the last five years—and have significant implications for national security.
After successfully breaching the Capitol Building, hundreds, if not thousands of Trump supporters wove their way through the labyrinth of hallways, searching rooms, breaking into members’ offices and committee chambers. As of Thursday afternoon, there were no public evidence or statements rioters had gained access to the most secure parts of the Capitol: the sensitive compartmented information facilities, or SCIFs.
However, at least one member of Congress reported the theft of a laptop from his office.
Sen. Jeff Merkley, D-Ore., recorded video of his destroyed office in the aftermath of the attack. Merkley said his office door was unlocked, though the attacker chose to break the door off its hinges nonetheless.
“They stole the laptop that was sitting on the table next to the telephone,” he says in the video.
“So, count this office trashed,” he added.
And at least one photo emerged on social media—later deleted, though Nextgov obtained a screenshot—of a desktop computer left on and unsecured in the office of House Speaker Nancy Pelosi. Rioters could see open emails and an alert from Capitol police warning of the ongoing siege.
“The breach is clearly alarming on many levels, starting with the physical violence,” Dan Lips, director of cyber and national security at Lincoln Network, told Nextgov. “It’s problematic that the intruders apparently had access to offices in the Capitol building. An intruder could have gained physical access to a machine, inserted a jump drive to compromise a machine. Devices could have been stolen and so forth. While the immediate focus is on clearing the buildings and making sure there are no physical security risks, the sergeant at arms offices will need to investigate and remediate these potential risks.”
Lips noted that the amount of available—and reliable—information about what happened Wednesday is limited, though the trail of destruction was clearly visible.
“It’s also possible that an adversary might take advantage of the opportunity to join the protestors,” he said. “I expect that offices and the [Senate Sergeant at Arms] offices will be doing after action reviews. That should include an assessment of potential technology impacts.”
While the risk is low that truly sensitive information leaked, it is not nonexistent, Lips said.
“Leadership offices located in the Capitol would presumably have sensitive internal communications that adversaries would like to access,” he said. “Even if they were just accessing internal emails and memos, such information could provide insight into the inner workings of the U.S. Congress.”
There are some simple security measures members could have taken to limit some of the compromise, according to Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University and former counsel for the House Intelligence Committee and Senate Foreign Relations Committee. In reference to pictures on social media of unlocked computers—including one of a desktop in House Speaker Nancy Pelosi’s office showing open email messages and a flash alert warning members of the ongoing siege—Jaffer suggested a two-minute lock policy would have been an easy solution.
“I get it: If you have to run out because it’s an emergency and people are storming the building with guns, you have to leave ASAP,” he said. “But your computer should automatically lock two minutes after that.”
That said, the potential exposure from an unsecured computer is relatively small, said Daniel Schuman, policy director at Demand Progress and former Hill staffer who worked on IT issues.
“The Capitol complex often has many, many visitors and guests going through it all the time,” Schuman said. “It is not unusual for certain computers, certain technologies, in certain circumstances to be exposed to the public and others in semi-controlled environments.”
As an example, Schuman suggested the desktop computer of a staffer should never be left unlocked and unattended, but that it does happen. And, he noted, the information on such a device is unlikely to be classified or top secret in nature.
“It’s stuff that you probably want to keep confidential,” but not something that would be a national security risk, he said.
Schuman also noted photos and videos of rioters sitting at members’ desks and using their phones, which are internet-connected voice-over-IP devices.
“Do we have to go and replace all phones in the computer network? Probably not, that doesn’t seem to make sense, even though those are like little computers,” he said. “But you probably should test them to make sure there weren’t bugs put on them.”
Jaffer agreed: The key to remediation in this case will be due diligence.
“Ripping and replacing everything is an extreme measure. It may be warranted in some circumstances,” Jaffer said, citing an op-ed from former Homeland Security Advisor Tom Bossert stating that might be necessary for some systems compromised in the SolarWinds breaches. “I don’t know that I would be burning down the entire network and ripping and replacing anything unless you have clear evidence that particular systems have been compromised—that people have gotten on them or that they have been left unlocked or the like.”
“It’s all about taking a risk-based approach,” he said. “What is the risk to your systems? How much has it been increased by what happened yesterday? And, then, what can you do to mitigate that risk?”
For the obvious, known compromises—open email apps and stolen devices—there are basic mitigation and forensic options available.
“An open email account is not great. It’s not great,” Schuman said. “But you can use IT forensics techniques and other technology measures to figure out to what extent it might be compromised. As you get to more secure facilities, it becomes a different story.”
Experts noted the networks and overarching systems are managed centrally, but individual member offices have control over the devices and policies they employ. That said, neither Jaffer nor Schuman said they would be comfortable allowing member offices to connect to the main network without a full forensic inventory and investigation.
“Did someone plant a bug? Did someone go and upload malicious software? There’s that set of threats,” Schuman said. “And then there’s: Did someone see your computer or did someone steal a staffer’s phone or their identity card?”
While much of the rioting appeared to be focused on disruption and destruction, the chaos could also have afforded an opportunity for foreign spies, though those scenarios seem less likely.
“The likelihood of foreign adversary assets—I wouldn’t say ‘spies,’ I don’t know that there were Russian nationals in that crowd; but might there have been people working for the Russians, certainly possible,” Jaffer said. “Do I have any evidence of that? No. But if I knew there was a major Trump rally going on and I was a foreign intelligence service, would I want to have my people nearby? Sure.”
That said, being at a major rally and being ready to storm the Capitol with a malware-laden thumb drive are two different things, with the latter being far less likely, Jaffer said.
“Is it possible? Of course it’s possible,” he said. “Is it likely? I have no evidence to believe that that happened. But we don’t know what we don’t know.”
With all the other concerns stemming from the attack, Jaffer said a potential foreign asset implanting malware on Capitol Hill networks is low on the list.
“History tells us that foreign intelligence services have exploited domestic protest movements,” Lips said. “If I was working at [the Sergeant at Arms] or an office that was breached, it’s a possibility that I’d consider.”
“The underlying problem is that underlying IT security in the legislative branch—just like IT security throughout the government—is nowhere near as robust as it needs to be,” Schuman said, pointing to several significant national security breaches of the last few years.
“So, do they need to go through with a hammer and destroy their entire infrastructure? Probably not,” he said. “There are a number of IT design questions which the storming implicates. But it doesn’t necessarily mean that you need to take a hammer to everything.”
“On the other hand, I would be nervous about all the stuff,” he added.
No matter the extent of the compromise, Schuman was not optimistic about the branch’s likely response.
“They’ll do some cosmetic stuff,” he said. “They’ll say, ‘We’ve solved the problems from the intrusion.’ They’ll probably spend—blow—a ton of money replacing technologies that they don’t need to replace or not replacing technologies they really should replace, and doing all the wrong stuff. And they’ll be like, ‘Problem solved.’ That’s what’s going to happen.”