President Donald Trump’s speech on Wednesday inciting the mob that attacked Congress resulted in five deaths and a number of hospitalizations, the pillaging of the Capitol, and a major embarrassment for American democracy at home and abroad. After investigators survey the damage, we may discover that it also led to a cybersecurity breach.
On Thursday, acting U.S. Attorney for D.C. Michael Sherwin announced, “Electronic items were stolen from senators’ offices. Documents, materials were stolen, and we have to identify what was done, mitigate that, and it could have potential national security equities.” CBS reported that one of those electronics was a laptop that may have held sensitive national security information. Oregon Sen. Jeff Merkley said that rioters stole a laptop from his office, though it’s unclear whether it was the same one CBS was referring to. Reuters reported on Thursday that, according to a congressional aide, a laptop was also taken from House Speaker Nancy Pelosi’s office. Congressional laptops can hold information that would help an intruder get into federal networks, and even if the thieves lacked the time or know-how to get into the machines during the riot, they could later hand the devices to an experienced hacker. Devices in Congress are not required to use two-factor authentication, unlike those in the executive branch of the federal government, so a password recovered from a stolen device could by itself be enough to log in. In fact, it’s usually members of Congress themselves who set the cybersecurity standards for their own staffs.
Apart from retrieving the stolen devices, investigators are also trying to determine whether hardware left behind in the Capitol, and the networks it connects to, may have been compromised. Photos circulating on social media indicate that the rioters accessed Pelosi’s own desktop computer. Given the unfettered access that the intruders had to the Capitol, the scenarios of what could have happened are numerous.
Andrew McLaughlin, who served as the deputy chief technology officer of the United States during the Obama administration, says that the worst-case scenario would be an intruder using a USB drive to deliver malware to hardware that was already logged into a Capitol network, like Pelosi’s computer. Because such a machine sits inside the perimeter firewall, malware planted on it could spread to the other systems and devices on that network without ever having to get past the external defenses. However, McLaughlin notes that there’s a fairly remote chance that this actually happened. “It seems unlikely that random MAGA invaders could have delivered malware onto Congress’ network if it was reasonably well-protected in the ways I’d expect, but the harm of a compromise would be vast,” he said, adding that USB capabilities are supposed to be disabled in Congress. This is a cybersecurity measure that the government implemented after Edward Snowden used a thumb drive to abscond with National Security Agency secrets. Installing software onto government computers also requires a smart card, though there are exploits that can circumvent that protection, according to McLaughlin.
Indeed, the Capitol does have a number of cybersecurity measures in place that should have limited whatever damage occurred. The House Chief Administrative Office sent a memo to staff Thursday evening noting that it had ordered a lockdown for computers, laptops, and wired network access during the riot. “At this time, there have been no indications that the House network was compromised,” the memo read. (It’s not clear whether the same precautions were taken on the Senate side.) In addition, the computers in most of the Capitol’s offices aren’t supposed to have classified information on them. Capitol Police did not respond to Slate’s inquiry as to whether the Capitol’s Sensitive Compartmented Information Facilities, or SCIFs, the secure rooms in which classified information is handled, had been breached. “Classified material should only be in SCIFs, which have their own physical security and guards, and I haven’t heard of those being breached,” said Justin Rood, congressional director of the Project on Government Oversight. “So my hope is that these concerns are limited to unclassified machines.” SCIFs are searched for bugs before each use, and their doors are designed to protect against sieges.
There are nevertheless a number of cybersecurity measures that Congress should take to respond to the invasion. Because the course of events still isn’t completely clear, it can be tough to determine what exactly to prioritize at this point. At the very least, though, hardware units in any of the breached areas will need to be taken offline, scanned, and likely replaced. “The hardware in those offices is not used for classified information, but anything done in the context of legislative offices is sensitive and could provide insight to an adversary, and it could also be a steppingstone into further attacks on even more sensitive systems,” said Clifford Neuman, director of the University of Southern California’s Center for Computer Systems Security. Cybersecurity staff will similarly need to reinstall software, reset passwords and credentials, and search the Capitol for bugs and other surveillance devices that rioters may have hidden around the buildings.
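To make concrete the triage that McLaughlin’s USB scenario and Neuman’s “take it offline, scan it, likely replace it” advice imply, here is an added example written for this piece. It is not code used by the House Chief Administrative Office, the Capitol Police, or anyone quoted above, and the log records, host names, office labels, and times in it are constructed. It assumes a central collector has already normalized per-host events (logons, logoffs, device arrivals, the network lockdown order) into a simple schema; real Windows or Linux event formats differ. Given a breach window and the set of offices that were physically entered, it ranks hosts by how urgently they need attention: a removable-storage insertion while the network was still live outranks one that came after the lockdown, which outranks a host that was merely accessible.

```python
"""Post-intrusion host triage over constructed log records.

Added example for this article, not code from the House CAO, Capitol Police
or anyone quoted here. The record schema is an assumption: an already
normalized event stream, not a real Windows or Linux log format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Hosts, offices and times are made up.
SAMPLE_EVENTS = [
    {"ts": "2021-01-06T13:50:00Z", "host": "wks-01", "office": "suite-A", "event": "logon"},
    {"ts": "2021-01-06T14:25:00Z", "host": "wks-01", "office": "suite-A", "event": "device_arrival",
     "device_class": "USB mass storage"},
    {"ts": "2021-01-06T14:40:00Z", "host": "wks-01", "office": "suite-A", "event": "network_lockdown"},
    {"ts": "2021-01-06T12:00:00Z", "host": "wks-02", "office": "suite-A", "event": "logon"},
    {"ts": "2021-01-06T13:30:00Z", "host": "wks-02", "office": "suite-A", "event": "logoff"},
    {"ts": "2021-01-06T14:40:00Z", "host": "wks-02", "office": "suite-A", "event": "network_lockdown"},
    {"ts": "2021-01-06T14:40:00Z", "host": "wks-03", "office": "suite-B", "event": "network_lockdown"},
    {"ts": "2021-01-06T15:05:00Z", "host": "wks-03", "office": "suite-B", "event": "device_arrival",
     "device_class": "USB mass storage"},
    {"ts": "2021-01-06T14:30:00Z", "host": "wks-04", "office": "suite-C", "event": "device_arrival",
     "device_class": "USB mass storage"},
]


def _parse_ts(s):
    """ISO 8601 with a trailing Z -> aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage(events, window_start, window_end, breached_offices):
    """Return {host: (priority, [reasons])}; higher priority = look at it first.

    3  breached office, removable storage inserted while the network was live
    2  breached office, removable storage inserted after lockdown, or an
       interactive session was open at some point inside the window
    1  breached office with no host-level indicator (still offline/scan/replace),
       or removable storage seen in the window on a host outside the breached area
    0  nothing to report
    """
    start, end = _parse_ts(window_start), _parse_ts(window_end)
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(dict(e, ts=_parse_ts(e["ts"])))

    results = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        office = evs[0]["office"]
        lockdown_at = next((e["ts"] for e in evs if e["event"] == "network_lockdown"), None)

        # Session state as of window start, replaying logon/logoff up to that instant.
        open_at_start = False
        for e in evs:
            if e["ts"] > start:
                break
            if e["event"] == "logon":
                open_at_start = True
            elif e["event"] == "logoff":
                open_at_start = False
        session_in_window = open_at_start or any(
            e["event"] == "logon" and start < e["ts"] <= end for e in evs)

        arrivals = [e for e in evs if e["event"] == "device_arrival"
                    and start <= e["ts"] <= end
                    and "mass storage" in e.get("device_class", "").lower()]
        live = [e for e in arrivals if lockdown_at is None or e["ts"] < lockdown_at]
        post = [e for e in arrivals if lockdown_at is not None and e["ts"] >= lockdown_at]

        priority, reasons = 0, []
        if office in breached_offices:
            priority = 1
            reasons.append(f"physically accessible office {office}: take offline, scan, likely replace")
            if live:
                priority = 3
                reasons.append(f"removable storage at {live[0]['ts'].strftime('%H:%M')}Z "
                               "with network still live: treat as possible lateral-movement source")
            elif post:
                priority = 2
                reasons.append("removable storage inserted after network lockdown: "
                               "host-local compromise possible, network spread unlikely")
            if session_in_window:
                priority = max(priority, 2)
                reasons.append("interactive session open during breach window: no logon needed to act on host")
        elif arrivals:
            priority = 1
            reasons.append(f"removable storage in non-breached office {office}: confirm with staff")
        results[host] = (priority, reasons)
    return results


def ordered(results):
    """Hosts as a work queue: highest priority first, then by name."""
    return sorted(results, key=lambda h: (-results[h][0], h))


if __name__ == "__main__":
    res = triage(SAMPLE_EVENTS, "2021-01-06T14:10:00Z", "2021-01-06T17:00:00Z", {"suite-A", "suite-B"})
    for host in ordered(res):
        print(host, res[host][0], "; ".join(res[host][1]))
```

The lockdown timestamp is what separates a host that may have seeded the network from one that can only have been compromised locally, which is why the House memo’s wired-network lockdown matters to the ranking. Everything in a breached office lands at priority 1 or above regardless of what the logs show, because, as Neuman notes, physical access alone is enough to justify pulling the machine.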