Riot Exposed Capitol's IT Vulnerabilities
Devices were stolen from members' offices. Were networks penetrated as well?
A rioting mob Wednesday breached the Capitol Building, destroying, looting and compromising the integrity of the electoral process. But the attack also laid bare the insecurity of the legislative branch’s IT systems, including computers left running and exposed and reports of devices stolen from members’ offices.
Wednesday’s attack on the Capitol requires far more important conversations about the security of our nation and democracy than it does about the IT devices and data housed within. But the importance of information and cybersecurity is not minor—as seen in two major months-long espionage campaigns backed by China and Russia in the last five years—and has significant implications for national security.
After successfully breaching the Capitol Building, hundreds, if not thousands, of Trump supporters wove their way through the labyrinth of hallways, searching rooms and breaking into members’ offices and committee chambers. As of Thursday afternoon, there was no public evidence or statement that rioters had gained access to the most secure parts of the Capitol: the sensitive compartmented information facilities, or SCIFs.
However, at least one member of Congress reported the theft of a laptop from his office.
Sen. Jeff Merkley, D-Ore., recorded video of his destroyed office in the aftermath of the attack. Merkley said his office door was unlocked, though the attacker chose to break the door off its hinges nonetheless.
“They stole the laptop that was sitting on the table next to the telephone,” he says in the video.
“So, count this office trashed,” he added.
And at least one photo emerged on social media—later deleted, though Nextgov obtained a screenshot—of a desktop computer left on and unsecured in the office of House Speaker Nancy Pelosi. Rioters could see open emails and an alert from Capitol police warning of the ongoing siege.
“The breach is clearly alarming on many levels, starting with the physical violence,” Dan Lips, director of cyber and national security at Lincoln Network, told Nextgov. “It’s problematic that the intruders apparently had access to offices in the Capitol building. An intruder could have gained physical access to a machine, inserted a jump drive to compromise a machine. Devices could have been stolen and so forth. While the immediate focus is on clearing the buildings and making sure there are no physical security risks, the sergeant at arms offices will need to investigate and remediate these potential risks.”
Lips noted that the amount of available—and reliable—information about what happened Wednesday is limited, though the trail of destruction was clearly visible.
“It’s also possible that an adversary might take advantage of the opportunity to join the protestors,” he said. “I expect that offices and the [Senate Sergeant at Arms] offices will be doing after-action reviews. That should include an assessment of potential technology impacts.”
While the risk is low that truly sensitive information leaked, it is not nonexistent, Lips said.
“Leadership offices located in the Capitol would presumably have sensitive internal communications that adversaries would like to access,” he said. “Even if they were just accessing internal emails and memos, such information could provide insight into the inner workings of the U.S. Congress.”
There are some simple security measures members could have taken to limit some of the compromise, according to Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University and former counsel for the House Intelligence Committee and Senate Foreign Relations Committee. In reference to pictures on social media of unlocked computers—including one of a desktop in House Speaker Nancy Pelosi’s office showing open email messages and a flash alert warning members of the ongoing siege—Jaffer suggested a two-minute lock policy would have been an easy solution.
“I get it: If you have to run out because it’s an emergency and people are storming the building with guns, you have to leave ASAP,” he said. “But your computer should automatically lock two minutes after that.”
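The two-minute lock policy Jaffer describes maps directly onto a Windows security setting. The script below is an added example, not part of the article or any Capitol IT configuration: it audits the documented "Interactive logon: Machine inactivity limit" policy (registry value InactivityTimeoutSecs) on the local machine, reports whether the session would lock within 120 seconds, and enforces that limit if not. It assumes an elevated PowerShell session; the 120-second threshold is taken from the quote above.

```powershell
# Added example (not from the article): audit and enforce the Windows
# "Interactive logon: Machine inactivity limit" policy. When set, Windows
# locks the interactive session after this many seconds of inactivity.
# The registry path and value name are the documented ones; 0 or absent
# means no automatic lock. Requires administrator rights to change.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'InactivityTimeoutSecs'
$MaxSeconds = 120   # two-minute limit suggested in the article

function Get-InactivityLimit {
    # Returns the configured limit in seconds, or $null if not configured.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-InactivityLimit {
    # Compliant only if a non-zero limit exists and is at most $MaxSeconds.
    $current = Get-InactivityLimit
    if ($null -eq $current -or $current -eq 0 -or $current -gt $MaxSeconds) {
        return $false
    }
    return $true
}

function Set-InactivityLimit {
    # Creates the policy key if needed and writes the limit as a DWORD.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -Value $MaxSeconds `
        -PropertyType DWord -Force | Out-Null
}

$before = Get-InactivityLimit
if (Test-InactivityLimit) {
    "Compliant: session locks after $before seconds of inactivity."
} else {
    $shown = if ($null -eq $before) { 'not configured' } else { "$before seconds" }
    "Non-compliant (current limit: $shown); enforcing $MaxSeconds seconds."
    Set-InactivityLimit
    "New limit: $(Get-InactivityLimit) seconds."
}
```

In a domain environment the same value is normally pushed by Group Policy under Security Options rather than written per machine; the audit half of the script still applies either way.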
That said, the potential exposure from an unsecured computer is relatively small, said Daniel Schuman, policy director at Demand Progress and former Hill staffer who worked on IT issues.
“The Capitol complex often has many, many visitors and guests going through it all the time,” Schuman said. “It is not unusual for certain computers, certain technologies, in certain circumstances to be exposed to the public and others in semi-controlled environments.”
As an example, Schuman suggested the desktop computer of a staffer should never be left unlocked and unattended, but that it does happen. And, he noted, the information on such a device is unlikely to be classified or top secret in nature.
“It’s stuff that you probably want to keep confidential,” but not something that would be a national security risk, he said.
Schuman also noted photos and videos of rioters sitting at members’ desks and using their phones, which are internet-connected voice-over-IP devices.
“Do we have to go and replace all phones in the computer network? Probably not; that doesn’t seem to make sense, even though those are like little computers,” he said. “But you probably should test them to make sure there weren’t bugs put on them.”
Jaffer agreed: The key to remediation in this case will be due diligence.
“Ripping and replacing everything is an extreme measure. It may be warranted in some circumstances,” Jaffer said, citing an op-ed from former Homeland Security Advisor Tom Bossert, who said that might be necessary for some systems compromised in the SolarWinds breaches. “I don’t know that I would be burning down the entire network and ripping and replacing anything unless you have clear evidence that particular systems have been compromised—that people have gotten on them or that they have been left unlocked or the like.”
“It’s all about taking a risk-based approach,” he said. “What is the risk to your systems? How much has it been increased by what happened yesterday? And, then, what can you do to mitigate that risk?”
For the obvious, known compromises—open email apps and stolen devices—there are basic mitigation and forensic options available.