Following From the destructive riots that ransacked the U.S. Capitol on Wednesday, the nation is grappling with questions about the stability and trajectory of American democracy. But inside the Capitol building itself, congressional support staff take care of more immediate logistics like clean-up and repairs. A crucial part of this: the process of securing offices and digital systems after hundreds of people have gained unprecedented access.
Physical access to a location can have serious cybersecurity consequences. Rioters may have bugged Congressional offices, exfiltrated data from unlocked computers, or installed malware on exposed devices. In the rush to evacuate the Capitol, some computers were left unlocked and remained accessible by the time the rioters arrived. And at least some material was stolen; Oregon Senator Jeff Merkley said in a video On Wednesday evening, intruders removed one of the laptops from his desk from a conference table.
The House of Representatives and the Senate each have an office of the Sergeant-at-Arms who oversees security. On the Senate side, this body also oversees cybersecurity, while in the House this responsibility lies with the Office of the Director General of Administration. House Speaker Nancy Pelosi on Thursday said Sergeant-at-Arms Paul Irving would step down over the Capitol violation on Wednesday. Senate Majority Leader Chuck Schumer has said he will remove that chamber’s Sergeant-at-Arms Mike Stenger if he does not resign.
“It’s a very, very difficult situation,” former Senate Sergeant-at-Arms Frank Larkin told WIRED on Thursday. “The place has been rocked a number of times where they had to do instant evacuations or shelter in place, but a scenario like this was not something that was high on the list of possibilities in this regard. which concerns threats. I think 1814 is the last time the Capitol experienced something like this, ”referring to the British invasion of Washington, DC that year.
Some of the corrective actions will involve steps that Congressional Security is already taking as a matter of course, such as thoroughly reviewing footage from security cameras on the House and Senate floors, in hallways, and in other spaces to see what the intruders have done, including any interactions they may have had with it. electronic. But many spaces, including offices, are not under video surveillance. Another routine process involves sweep the bugs, like microphones or hidden cameras. But it will take time to assess every room and every hallway at the same time, and the stakes for missing something are high.
“It will probably take several days to explain exactly what happened, what was stolen, what was not,” Acting United States Attorney for the District of Columbia Michael Sherwin said in a briefing Thursday. “Articles, electronic articles, have been stolen from senators’ offices. Documents, materials, have been stolen, and we need to identify what has been done, mitigate that, and that could have potential actions in terms of national security. If there was any damage, we don’t yet know the extent of that. “
Unlike a building like the White House, whose access is very tightly controlled, the Capitol building is often referred to as “the People’s House”. Its security is similar to that of a hospital; many areas are open and accessible if you have a reason to be there, and only certain areas are closely guarded or otherwise controlled. Larkin, who also spent years with White House security in the Secret Service and is now vice president of business development at SAP National Security Services, says the Capitol inherently has more in and out than what can be kept simultaneously at normal staffing levels. He points out that failures to contain and secure the situation occurred as the pro-Trump mob was outside the building. But Larkin, who retired as Senate Sergeant-at-Arms in 2018, adds that cybersecurity is the next priority after physical security.
Despite this, the Mafia on Wednesday had plenty of opportunities to steal information or gain access to devices if they wished. And while the Senate and House each rely on their own common IT framework, each of the 435 Representatives and 100 Senators ultimately manages their own office with their own systems. It’s a boon for security in the sense that it creates segmentation and decentralization; accessing Nancy Pelosi emails does not help you access communications from other representatives. But it also means that there aren’t necessarily any standardized authentication and monitoring systems in place. Larkin points out that there is a monitoring database that IT staff can use to audit and assess if there was any suspicious activity on Congress devices. But he admits that representatives and senators have varying levels of cybersecurity proficiency and hygiene.