Lawmakers and congressional staff were ushered into secure locations as a mob backing President Trump violently stormed the U.S. Capitol in hopes of overturning the election he lost.
The quick evacuation left computers and other devices unattended as the mob ransacked offices.
This is the stuff of cybersecurity pros' nightmares.
"There's an old saying, if an attacker has physical access to your computer, it’s not your computer anymore,” Katie Moussouris, CEO and founder of Luta Security, told me.
A now-removed tweet from a right-wing journalist showed rioters had access to at least one unlocked computer in House Speaker Nancy Pelosi's office, open to email appearing to belong to a staffer. It's unclear if the computer was a work or personal device, and my colleague Mike DeBonis confirmed no computers were taken from Pelosi's office.
However, Sen. Jeff Merkley (D-Ore.) said a computer was stolen from his office:
The trail of destruction and looting. What happened today was an assault by the domestic terrorists who stormed the Capitol, but it was also an assault on our constitution.
— Senator Jeff Merkley (@SenJeffMerkley) January 7, 2021
[sound on] pic.twitter.com/BrELF7cMz1
Mick Baccio, security adviser at Splunk and a former Obama administration cyber official, pointed out the possibility of spying:
Bunch of unlocked computers left in those offices, too. Nightmare.
— Sean Zadig (@seanzadig) January 6, 2021
Physical access to sensitive devices could have allowed tech-savvy intruders to penetrate congressional systems.
“Having shown that they’re willing to rummage through and destroy physical papers and run through the offices of our Congress right now with physical destruction, I would not be surprised if they were trying to access some of the computers that were left unlocked,” Moussouris says. (Some rioters boasted about looting offices for documents. One person, pictured earlier in Pelosi's office, told the New York Times's Matthew Rosenberg that he plucked an envelope from Pelosi's desk.)
Bad actors could also try to guess the passwords of locked devices, which could be successful if the device lacked a strong password, Moussouris says. Anything more intensive, such as breaking into an iPhone, probably would require a third party. The government normally keeps its most sensitive classified information in separate spaces called sensitive compartmented information facilities.
That's why the extent to which the mob posed a security risk to Congress depends on the expertise of the rioters, Moussouris said. Most, she guessed, are “not exactly cybercriminals.”
But taking a laptop would give the thief more time to crack into the computer – or even potentially take it to a professional to crack.
House IT officials did not respond to a request for comment about steps they're taking to secure exposed devices. Important practices that all organizations should implement include having multi-factor password protection and a centralized mechanism to wipe devices of data, Moussouris told me.
Capitol Police could not be reached for comment about the extent of protesters' intrusions.
The breach will keep congressional IT staff busy.
Kimber Dowsett, director of security engineering at Truss:
My heart goes out to the unsung IT heroes at the Capitol tonight. My guess is they’ve never had to run asset inventory IR before - a daunting, stressful task in a tabletop exercise - and they’re running one (prob w/o a playbook) following a full on assault of the Capitol.
— socially distant, mask wearing bat (@mzbat) January 7, 2021
Ian Campbell, who previously worked on IT support for members of the House, said that the task of inspecting the equipment is a “herculean IT effort.”
This is a herculean effort, but it's also not unprecedented - there's a herculean IT effort in the House every two years during office turnover.
— Ian (@neurovagrant) January 6, 2021
Yesterday's scare will likely lead to Congress revisiting the playbook for securing devices during an emergency. But ultimately the breach was a physical security problem that's raising major questions, as my colleagues Carol D. Leonnig, Aaron C. Davis, Dan Lamothe and David A. Fahrenthold write.
Having worked for the exec branch of gov’t for years, I can say that no, there wasn’t a plan that included seditionists storming the US Capitol and stealing or destroying a haul of IT assets.
— socially distant, mask wearing bat (@mzbat) January 7, 2021
The final days of Trump's term could be precarious.
In a stark reversal from yesterday's inflammatory rhetoric riling up his supporters, Trump pledged an “orderly transition” following the vote.
“Even though I totally disagree with the outcome of the election, and the facts bear me out, nevertheless there will be an orderly transition on January 20th,” Trump said in a statement tweeted by White House social media director Dan Scavino.
Trump said he would continue to “fight to ensure that only legal votes were counted.”
...fight to ensure that only legal votes were counted. While this represents the end of the greatest first term in presidential history, it’s only the beginning of our fight to Make America Great Again!”
— Dan Scavino🇺🇸🦅 (@DanScavino) January 7, 2021
The keys
A wide-reaching government hack by Russia also hit the Justice Department, officials say.
The agency confirmed that Russian actors accessed its unclassified Microsoft email system, Ellen Nakashima reports.
“At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted,” spokesman Marc Raimondi said.
The method used by hackers has been eliminated, he said.
At least ten federal agencies including the Treasury and Homeland Security Department were also breached. The intelligence community is still investigating the attack.
Biden is expected to pick the NSA's top cybersecurity official as the White House's new cyber czar.
Anne Neuberger, a career intelligence official, would play an influential role in the Biden administration's cleanup of the recent months-long hacking campaign, Natasha Bertrand reports. The cybersecurity role within the National Security Council was created in the recently passed defense authorization bill.
Neuberger served as the NSA's first cybersecurity director and has managed intelligence sharing with other agencies and the private sector. That means she could hit the ground running in implementing a Biden cyber agenda.
A transition spokesperson declined to confirm the pick to Politico. Neuberger is widely respected by intelligence committee members in Congress and in the private sector. The NSA declined to comment.
Twitter and Facebook locked Trump's accounts for the first time during violent riots by his supporters.
It's an unprecedented step by the two companies, which have often come under criticism for their handling of Trump's inflammatory rhetoric, Tony Romm, Elizabeth Dwoskin and Drew Harwell report. Twitter is set to restore Trump's account after a 12-hour suspension, and Facebook's lock will be in place for 24 hours.
Facebook also took the rare step of removing a video from Trump laced with misinformation about the riot. YouTube also removed the video.
Tweets from Trump making similar claims were also removed.
“These are the things and events that happen when a sacred landslide election victory is so unceremoniously & viciously stripped away from great patriots who have been badly & unfairly treated for so long,” Trump said in a tweet since removed. “Go home with love & in peace. Remember this day forever!”
Trump could face a permanent ban on the site if he continues to violate its policies when his account is reactivated.
Correction: This piece originally stated Trump's account had been unlocked at time of publication. It was not yet restored.
Daybook
- The Aspen Institute is holding a panel, “A Moment of Reckoning: Understanding the Russian Cyber Attack,” today at 2 p.m. Speakers include Sen. Mark Warner.
- The Washington Post’s David Ignatius will interview Palantir chief executive Alex Karp to discuss how the company is helping foreign governments manage their coronavirus responses Thursday at 10 a.m. EST.
- CES will take place virtually from Jan. 11-14.
- SANS will hold an event, "BIPOC in Cybersecurity Forum: Cloud Security," on Feb. 18 from 11 a.m. to 5 p.m.
Secure log off
Watch as Vice President Mike Pence declares Biden the winner of the 2020 presidential election: