Future Tense

Could the Rioters Have Breached the Capitol’s Cybersecurity?

They made off with laptops and even accessed Nancy Pelosi’s computer. Here’s how worried legislators should be.

A desk in Pelosi's office with papers, a phone, and a computer on it. A manila folder with "WE WILL NOT BACK DOWN" written on it in red has been placed over the keyboard.
Rioters had access to House Speaker Nancy Pelosi’s computer. Saul Loeb/AFP via Getty Images

President Donald Trump’s speech on Wednesday inciting the mob that attacked Congress resulted in five deaths and a number of hospitalizations, the pillaging of the Capitol, and a major embarrassment for American democracy at home and abroad. After investigators survey the damage, we may discover that it also led to a cybersecurity breach.

On Thursday, acting U.S. Attorney for D.C. Michael Sherwin announced, “Electronic items were stolen from senators’ offices. Documents, materials were stolen, and we have to identify what was done, mitigate that, and it could have potential national security equities.” CBS reported that one of those electronics was a laptop that may have held sensitive national security information. Oregon Sen. Jeff Merkley said that rioters stole a laptop from his office, though it’s unclear whether it was the same one CBS was referring to. Reuters reported on Thursday that, according to a congressional aide, a laptop was also taken from House Speaker Nancy Pelosi’s office. Congressional laptops contain information that could help intruders gain access to federal networks. Even if the thieves didn’t have the time or know-how to access the laptops during the riot, they could later take those devices to an experienced hacker. Unlike devices in the executive branch of the federal government, devices in Congress are not required to have two-factor authentication. In fact, it’s usually members of Congress themselves who set the cybersecurity standards for their own staffs.

Apart from retrieving the stolen devices, investigators are also trying to determine whether hardware left in the Capitol and their networks may have been compromised. Photos going around social media indicate that the rioters accessed Pelosi’s own desktop computer. Given the unfettered access that the intruders had to the Capitol, the scenarios of what could have happened are numerous.

Andrew McLaughlin, who served as the deputy chief technology officer of the United States during the Obama administration, says that the worst-case scenario would be an intruder using a USB drive to deliver malware to hardware that was already logged into a Capitol network, like Pelosi’s computer. This could allow the malware to infect all the systems and devices for that network from within the external firewall. However, McLaughlin notes that there’s a fairly remote chance that this actually happened. “It seems unlikely that random MAGA invaders could have delivered malware onto Congress’ network if it was reasonably well-protected in the ways I’d expect, but the harm of a compromise would be vast,” he said, adding that USB capabilities are supposed to be disabled in Congress. This is a cybersecurity measure that the government implemented after Edward Snowden used a thumb drive to abscond with National Security Agency secrets. Installing software onto government computers also requires a smart card, though there are exploits that can circumvent that protection, according to McLaughlin.

Indeed, the Capitol does have a number of cybersecurity measures in place that should’ve helped to mitigate the potential damage that may have occurred. The House Chief Administrative Office sent a memo to staff Thursday evening noting that it had ordered a lockdown for computers, laptops, and wired network access during the riot. “At this time, there have been no indications that the House network was compromised,” the memo read. (It’s not clear whether the same precautions were taken on the Senate side.) In addition, the computers in most of the Capitol’s offices aren’t supposed to have classified information on them. Capitol Police did not respond to Slate’s inquiry as to whether the Sensitive Compartmented Information Facilities, or SCIFs, secure rooms for classified information, in the Capitol had been breached. “Classified material should only be in SCIFs, which have their own physical security and guards, and I haven’t heard of those being breached,” said Justin Rood, congressional director of the Project on Government Oversight. “So my hope is that these concerns are limited to unclassified machines.” SCIFs are searched for bugs before each use, and their doors are designed to protect against sieges.

There are nevertheless a number of cybersecurity measures that Congress should take to respond to the invasion. Because the course of events still isn’t completely clear, it can be tough to determine what exactly to prioritize at this point. At the very least, though, hardware units in any of the breached areas will need to be taken offline, scanned, and likely replaced. “The hardware in those offices is not used for classified information, but anything done in the context of legislative offices is sensitive and could provide insight to an adversary, and it could also be a steppingstone into further attacks on even more sensitive systems,” said Clifford Neuman, director of the University of Southern California’s Center for Computer Systems Security. Cybersecurity staff will similarly need to reinstall software, reset passwords and credentials, and search the Capitol for bugs and other surveillance devices that rioters may have hidden around the buildings.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.
