Post-Riot, the Capitol Hill IT Staff Faces a Security Mess

Wednesday's insurrection could have exposed congressional data and devices in ways that have yet to be appreciated.
"One thing I can guarantee you is that in Tehran, in Moscow, in Beijing folks are sitting in meetings right now thinking how can we take advantage of this?" Photograph: Samuel Corum/Getty Images

In the aftermath of destructive riots that trashed the United States Capitol on Wednesday, the nation is grappling with questions about the stability and trajectory of US democracy. But inside the Capitol building itself, the congressional support staff is dealing with more immediate logistics, like cleanup and repairs. A crucial part of that: the process of securing the offices and digital systems after hundreds of people had unprecedented access to them.

Allowing physical access to a location can have serious cybersecurity ramifications. Rioters could have bugged congressional offices, exfiltrated data from unlocked computers, or installed malware on exposed devices. In the rush to evacuate the Capitol, some computers were left unlocked and remained accessible by the time rioters arrived. And at least some equipment was stolen; Senator Jeff Merkley of Oregon said in a video late Wednesday that intruders took one of his office's laptops off a conference table.

The House of Representatives and Senate each have a Sergeant-at-Arms office that oversees security. On the Senate side this body also supervises cybersecurity, whereas in the House that responsibility lies with the Office of the Chief Administrative Officer. On Thursday, Speaker of the House Nancy Pelosi said that sergeant at arms Paul Irving would resign over Wednesday's breach of the Capitol. Senate majority leader Chuck Schumer said he would remove that chamber's sergeant at arms, Mike Stenger, if he does not resign.

“It’s a very, very difficult situation,” former Senate sergeant at arms Frank Larkin told WIRED on Thursday. “The place has been rattled a number of times where they’ve had to do instantaneous evacuations or shelter in place, but a scenario like this was not something that was high on the list of possibilities as far as threats. I think 1814 is the last time the Capitol experienced anything like this,” referring to the British invasion of Washington, DC, that year.

Some of the remediation will involve steps that congressional security already performs as a matter of course, like extensively reviewing security camera footage from the House and Senate floor, in hallways, and other spaces to see what intruders did, including what interactions they may have had with electronics. But many spaces, including offices, are not under video surveillance. Another routine process involves sweeping for bugs, like hidden microphones or cameras. But it will take time to evaluate every room and hallway all at once, and the stakes for missing something are high.

"This is probably going to take several days to flesh out exactly what happened, what was stolen, what wasn't," acting US attorney for the District of Columbia Michael Sherwin said in a briefing on Thursday. "Items, electronic items, were stolen from senators' offices. Documents, materials, were stolen, and we have to identify what was done, mitigate that, and it could have potential national security equities. If there was damage, we don't know the extent of that yet."

Unlike a building such as the White House, in which access is very tightly controlled, the Capitol building is often called the "People's House." Its security is similar to that of a hospital; many spaces are open and accessible if you have a reason to be there, and only some areas are tightly guarded or otherwise access-controlled. Larkin, who also spent years with White House security in the Secret Service and is now vice president of corporate development at SAP National Security Services, says that the Capitol inherently has more entrances and exits than can be simultaneously guarded at normal staffing levels. He emphasizes that failures to contain and secure the situation happened while the pro-Trump mob was outside the building. But Larkin, who retired as Senate sergeant at arms in 2018, adds that cybersecurity is the next priority after physical security.

In spite of this, the mob Wednesday had ample opportunities to steal information or gain device access if they wanted to. And while the Senate and House each build off of their own shared IT framework, ultimately each of the 435 representatives and 100 senators runs their own office with their own systems. This is a boon to security in the sense that it creates segmentation and decentralization; getting access to Nancy Pelosi's emails doesn't help you access the communications of other representatives. But this also means that there aren't necessarily standardized authentication and monitoring schemes in place. Larkin emphasizes that there is a baseline of monitoring that IT staffers will be able to use to audit and assess whether there was suspicious activity on congressional devices. But he concedes that representatives and senators have varying levels of cybersecurity competence and hygiene.

It's also true that potentially exposed data at the Capitol on Wednesday would not have been classified, given that the mob had access only to unclassified networks. But congressional staffers are not subject to Freedom of Information Act obligations and are often much more candid in their communications than other government officials. Security and intelligence experts also emphasize that troves of unclassified information can still reveal sensitive or even classified information when combined.

Former National Security Agency hacker Jake Williams points out that, while US law enforcement was somehow caught flat-footed, president Donald Trump's supporters (egged on by Trump himself) have repeatedly foreshadowed that something like this could occur.

“You have to step back and realize that foreign intelligence could have looked at this and said, ‘Yeah, this is going to be an opportunity,’” says Williams, founder of Rendition Infosec. “I don’t think every office that was entered everything needs to be burned to the ground, but you need to be acknowledging that there’s real intelligence value in learning legislators’ intentions and plans on policy. This security breach is a big deal.”

Even without physical intrusions, foreign adversaries could also use the incident as a jumping-off point to launch phishing campaigns against congressional offices or begin spreading disinformation to foment future unrest.

“One thing I can guarantee you is that in Tehran, in Moscow, in Beijing folks are sitting in meetings right now thinking how can we take advantage of this?" says Kelvin Coleman, executive director of the National Cyber Security Alliance, who formerly worked in the Department of Homeland Security and National Security Council.

Coleman adds, though, that for now the most important thing congressional IT staffers can do is account for which devices were stolen and begin a mass effort to reset passwords, add multifactor authentication to any accounts that don't already have it, wipe and reimage hard drives when practical, and comb monitoring logs for signs of access or exfiltration.
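The log-combing step Coleman describes is the one that turns a vague "assume breach" into a concrete list of accounts to reset and devices to reimage. The script below is an added example, not code from WIRED or from any congressional IT office. It assumes a simple pipe-delimited authentication and file-transfer log, a list of asset tags reported stolen, an internal address range, and an incident window; every one of those values, including the sample log lines, is constructed for the example.

```python
"""Post-breach log triage after a physical intrusion (added example).

Assumptions (all constructed, not from the article):
  - logs are "ts|event|user|device|key=value ..." lines in UTC
  - STOLEN_DEVICES holds asset tags offices reported missing
  - INTERNAL_NETS is the office network; anything else is external
  - the incident window is the span when staff were evacuated
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed incident window: roughly 2 pm to 8 pm Eastern on Jan 6, 2021.
INCIDENT_START = datetime(2021, 1, 6, 19, 0, tzinfo=timezone.utc)
INCIDENT_END = datetime(2021, 1, 7, 1, 0, tzinfo=timezone.utc)

STOLEN_DEVICES = {"LT-0417", "LT-0902"}                 # constructed asset tags
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed office range
BULK_BYTES = 100 * 1024 * 1024                          # copies above this are "bulk"

# Constructed sample log. Each line: ts|event|user|device|details
SAMPLE_LOGS = """\
2021-01-06T18:40:00Z|login_ok|staffer.a|LT-0101|src=10.20.1.15
2021-01-06T19:35:00Z|login_ok|staffer.b|LT-0417|src=10.20.3.77
2021-01-06T20:10:00Z|file_copy|staffer.b|LT-0417|bytes=734003200 dst=usb
2021-01-06T21:05:00Z|login_fail|staffer.c|LT-0222|src=10.20.2.9
2021-01-06T22:15:00Z|login_ok|staffer.d|LT-0515|src=10.20.4.40
2021-01-07T14:00:00Z|login_ok|staffer.e|LT-0902|src=203.0.113.8
2021-01-07T15:30:00Z|login_ok|staffer.a|LT-0101|src=10.20.1.15
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    user: str
    device: str
    detail: dict


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited log line; trailing key=value pairs go into detail."""
    ts, kind, user, device, rest = line.strip().split("|", 4)
    detail = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Event(when, kind, user, device, detail)


def parse_logs(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def in_window(ts: datetime) -> bool:
    return INCIDENT_START <= ts <= INCIDENT_END


def is_external(src: str) -> bool:
    """True when the source address is outside the constructed internal range."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(events: list) -> list:
    """Return (category, event) pairs worth a human look.

    Categories: activity on a stolen device after the breach began, successful
    logins while the building was evacuated, bulk copies during the window,
    and successful logins from outside the office network.
    """
    findings = []
    for e in events:
        if e.device in STOLEN_DEVICES and e.ts >= INCIDENT_START:
            findings.append(("stolen_device_activity", e))
        if e.kind == "login_ok" and in_window(e.ts):
            findings.append(("login_during_evacuation", e))
        if e.kind == "file_copy" and in_window(e.ts) \
                and int(e.detail.get("bytes", "0")) >= BULK_BYTES:
            findings.append(("bulk_transfer_in_window", e))
        if e.kind == "login_ok" and is_external(e.detail.get("src", "10.20.0.1")):
            findings.append(("external_login", e))
    return findings


def summarize(findings: list) -> dict:
    return dict(Counter(cat for cat, _ in findings))


def accounts_to_reset(findings: list) -> list:
    """Every account that appears in any finding gets a credential reset."""
    return sorted({e.user for _, e in findings})


if __name__ == "__main__":
    found = triage(parse_logs(SAMPLE_LOGS))
    for cat, e in found:
        print(f"{cat:26} {e.ts.isoformat()} {e.user:10} {e.device} {e.detail}")
    print("summary:", summarize(found))
    print("reset credentials for:", accounts_to_reset(found))
```

On the constructed log the script flags the stolen laptop LT-0417 being used and copying data to USB during the evacuation, a second stolen device authenticating from an external address the next day, and one more in-window login that may be benign but still deserves a check; the three accounts involved are the ones queued for a password reset and MFA enrollment. The point of the categories is that "comb the logs" has to be scoped against the physical facts (which devices are gone, when the rooms were unattended) or the search has no anchor.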

Given the scope of the intrusion, Coleman and others say that it's important to assume that any device could have been compromised and remediate the breach with that scale and scope in mind. But he and others emphasize that rather than replacing every device and cable in the entire congressional orbit, constant vigilance and an “assume breach” mentality will be the best defense going forward. The Economic Development Administration took an ill-advised maximalist approach after a 2011 compromise, launching a massive campaign to physically destroy all of its digital equipment, including desktop computers, printers, cameras, mice, and keyboards—most of which were uninfected. The effort concluded only when the agency ran out of money for the project.

Congress needn't take an action so dramatic as that. But it also must acknowledge how exposed Wednesday's incident has left it.

“Anytime there’s a physical breach of a space, I automatically assume it was a digital compromise as well,” Coleman says. “This is just a bad, bad storm that we find ourselves in, and cybersecurity is absolutely included in that.”
