Rioters Had Physical Access to Lawmakers’ Computers. How Bad Is That?

On Wednesday, hundreds of Donald Trump supporters rioted and stormed the Capitol, getting into the Senate and the offices of some lawmakers, who were hastily evacuated. 

Given how quickly some staffers and lawmakers had to leave, some of them left their computers unlocked and unattended, and some of the terrorists were photographed in front of them. Cybersecurity experts now worry that the rioters had a chance to get their hands on sensitive data, and more importantly, compromise the security of the whole IT system at the Capitol.

"The terrorists/rioters would have easily gained access to congressional files, shared calendars, and emails (including potentially email lists of  constituents and supporters for any given congressman)," Ashkan Soltani, a security researcher and the former chief technology officer at the FTC, told Motherboard in an online chat. 

Soltani explained that given that the Freedom of Information Act (which allows the public to request internal public documents) doesn't cover Congress, some of the contents of staffers emails and documents are probably "much more candid in terms of internal plans and deliberations." 

"Finally, I do think there is also the potential to implant malware on the internal network via one of these systems since there was physical access," he added. 

Some, however, think that the damage will be limited.

A cybersecurity expert who advised the House and Senate IT on securing their networks, and served as a DHS advisor, said that he was not too worried "about the operational security implications of the yokels who took selfies and bragged online about their miscreance."

The expert, who asked to remain anonymous as he was not authorized to speak about the work he did for the government, said that the Capitol's systems "have pretty solid endpoint protections. And I'm pretty sure there will be a review/sweep, but because of the ad hoc fragmentation of Capitol systems management it might take weeks."

Kimber Dowsett, the Director of Security Engineering at Truss and a former cybersecurity worker in the government said that "if it were my shop, I’d throw everything, including the kitchen sink, at this."

"Remote wipes, rotate creds, the works. And that’s just for assets we know were on premises," Dowsett said in an online chat. "There’s personal devices in the mix, too, so I think IT is going to need to do a lot of outreach to make sure even stolen personal devices are on their radar."

Matt Tait, a former staffer at the UK spy agency GCHQ, said that Capitol IT administrators will  "eventually need to ask some tough questions like why screens didn't auto-lock, for example, and whether they have things like [disk encryption] Bitlocker and making IT systems more robust to being physically unattended." 

"But people matter more than computers, and getting everyone to safety was rightly the priority," Tait said in an online chat.  

Now that the terrorists have been kicked out, IT staff will have to start assessing the damage. For Soltani, the next step "depends on what level of audit logs they maintain." 

"They might have logs that show which accounts accessed which files and systems during the evacuation," he said. That would mean they can see what the rioters accessed and figure out what damage they made. 

Whether IT needs to consider all systems compromised will depend on how the network and systems were set up in the first place, according to Tait. 

"They need to do a deep sweep of the network and IT equipment as well as the building," Tait said. "But if the network has no monitoring for intrusions such that someone having half an hour alone with a computer means the entire network needs to be burned down, then the network needed to be burned down long before."