The violent pro-Trump mob that stormed the Capitol on Wednesday exposed not only glaring weaknesses in the legislative body’s physical security but also its digital and operational security, according to experts.
The intruders were able to roam the halls of Congress and at certain points had unfettered access to some lawmakers’ offices and computers. One rioter left a note in front of a computer in House Speaker Nancy Pelosi’s office saying, “We will not back down.” Sen. Jeff Merkley, D-Ore., said a laptop was stolen from his office.
There is no public evidence that devices were tampered with. But some experts are hoping that, in addition to a likely investigation into the failures of physical security measures, lawmakers take the opportunity to review their own digital security practices, which have long been a concern.
The insurrectionists who breached the Capitol were unsophisticated opportunists who were more interested in taking selfies than infiltrating computer networks. But someone with better resources and planning, and different motivations, could have planted malicious code on computers or left other surveillance tools behind. And it’s not hard to imagine a foreign intelligence operative blending in with the pro-Trump zealots and gliding into the Capitol (To be clear, there is no evidence that that happened in this case.)
“Close-access attacks can be difficult to detect and mitigate,” said Bruce Potter, chief information security officer at cybersecurity firm Expel. “If an adversary has unfettered physical access to a network or physical space, the only limits to the type of access they can get is their imagination and resources.”
However, Potter added, “close-access attacks require some preparation and targeting, so attacking the Capitol space and networks as a target of opportunity would be difficult.”
More sensitive data on Capitol Hill is stored in classified systems. There is no evidence that such systems were affected by the rioting Wednesday.
While lawmakers are perennial targets of foreign intelligence operatives, the issue of cybersecurity protections for members of the House and Senate is sometimes overlooked.
In March 2019, Sens. Tom Cotton, R-Ark., and Ron Wyden, D-Ore., asked the Senate Sergeant at Arms for an annual tally of when its computers and smartphones have been breached in order to better inform congressional cybersecurity policy. The Senate Sergeant at Arms has yet to provide the information sought in the letter, according to a Wyden spokesperson.
Other lawmakers have at times shown an indifference to the security protocols designed to keep spies from eavesdropping on them. Multiple Republicans in October stormed a secure briefing room for classified information during an impeachment inquiry, reportedly brandishing their phones in a place such devices are forbidden. (There is no evidence that Sensitive Compartmented Information Facilities were affected by Wednesday’s unrest.)
A handful of cybersecurity-focused lawmakers have led calls for more attention and resources to protecting themselves from hacking threats in recent years. There is a chief information security officer in the House, and technologists at the Senate Sergeant at Arms’ office, tasked with tracking such threats. Some observers hope the security debacle on Wednesday can serve as a reminder that more needs to be done.
“It was very frightening to be in the Capitol Complex yesterday,” said one House aide who was not authorized to speak to the press, adding that “we completely lost operational control of the situation.”
“There are already a lot of good questions about the physical security [of Capitol Hill] going forward, and it’s important in those conversations to understand how physical security affects cyber and try as much as possible to have a holistic conversation about how the two interact,” the House aide added.
UPDATE: 12:15 pm, EDT: This story has been updated to note that a laptop was stolen from Sen. Jeff Merkley’s office.