The Washington Post

The Cybersecurity 202: Riot in the Capitol is a nightmare scenario for cybersecurity professionals

Lawmakers and congressional staff were ushered into secure locations as a mob backing President Trump violently stormed the U.S. Capitol in hopes of overturning the election he lost. 

The assault – which only temporarily delayed the certification of president-elect Joe Biden's win – left many unanswered questions about security at the Capitol, including its cybersecurity. 

The quick evacuation left computers and other devices unattended as the mob ransacked offices.
This is the stuff of cybersecurity pros' nightmares.

“There's an old saying, if an attacker has physical access to your computer, it’s not your computer anymore,” Katie Moussouris, CEO and founder of Luta Security, told me.

A now-removed tweet from a right-wing journalist showed rioters had access to at least one unlocked computer in House Speaker Nancy Pelosi's office, open to email appearing to belong to a staffer. It's unclear if the computer was a work or personal device, and my colleague Mike DeBonis confirmed no computers were taken from Pelosi's office. 

However, Sen. Jeff Merkley (D-Ore.) said a computer was stolen from his office: 

Mick Baccio, security adviser at Splunk and a former Obama administration cyber official, pointed out the possibility of spying: 

Physical access to sensitive devices could have allowed tech-savvy intruders to penetrate congressional systems. 

“Having shown that they’re willing to rummage through and destroy physical papers and run through the offices of our Congress right now with physical destruction, I would not be surprised if they were trying to access some of the computers that were left unlocked,” Moussouris says. (Some rioters boasted about looting offices for documents. One person, pictured earlier in Pelosi's office, told the New York Times's Matthew Rosenberg that he plucked an envelope from Pelosi's desk.)

Bad actors could also try to guess the passwords of locked devices, which could be successful if the device lacked a strong password, Moussouris says. Anything more intensive, such as breaking into an iPhone, probably would require a third party. The government normally keeps its most sensitive classified information in separate spaces called sensitive compartmented information facilities. 

That's why the extent to which the mob posed a security risk to Congress depends on the expertise of the rioters, Moussouris said. Most, she guessed, are not exactly cybercriminals. 

But taking a laptop would give the thief more time to crack into the computer – or even potentially to take it to a professional to crack.

House IT officials did not respond to a request for comment about steps they're taking to secure exposed devices. Important practices that all organizations should implement include having multi-factor password protection and a centralized mechanism to wipe devices of data, Moussouris told me.

Capitol Police could not be reached for comment about the extent of protesters' intrusions.

Supporters of President Trump crossed barricades and began marching toward the back of the U.S. Capitol on Jan. 6. (Video: The Washington Post)

The breach will keep congressional IT staff busy.

Kimber Dowsett, director of security engineering at Truss:

Ian Campbell, who previously worked on IT support for members of the House, said that the task of inspecting the equipment is a herculean IT effort.

Yesterday's scare will likely lead to Congress revisiting the playbook for securing devices during an emergency. But ultimately the breach was a physical security problem that's raising major questions, as my colleagues Carol D. Leonnig, Aaron C. Davis, Dan Lamothe and David A. Fahrenthold write. 

The final days of Trump's term could be precarious. 

In a stark reversal from yesterday's inflammatory rhetoric riling up his supporters, Trump pledged an orderly transition following the vote.

“Even though I totally disagree with the outcome of the election, and the facts bear me out, nevertheless there will be an orderly transition on January 20th,” Trump said in a statement tweeted by White House social media director Dan Scavino.

Trump said he would continue to “fight to ensure that only legal votes were counted.”

The keys

A wide-reaching government hack by Russia also hit the Justice Department, officials say.  

The agency confirmed that Russian actors accessed its unclassified Microsoft email system, Ellen Nakashima reports.

“At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted,” spokesman Marc Raimondi said.

The method used by hackers has been eliminated, he said.

At least ten federal agencies including the Treasury and Homeland Security Department were also breached. The intelligence community is still investigating the attack.

Biden is expected to pick the NSA's top cybersecurity official as the White House's new cyber czar.

Anne Neuberger, a career intelligence official, would play an influential role in the Biden administration's cleanup of the recent months-long hacking campaign, Natasha Bertrand reports. The cybersecurity role within the National Security Council was created in the recently-passed defense authorization bill. 

Neuberger served as the NSA's first cybersecurity director and has managed intelligence sharing with other agencies and the private sector. That means she could hit the ground running in implementing a Biden cyber agenda.

A transition spokesperson declined to confirm the pick to Politico. Neuberger is widely respected by intelligence committee members in Congress and in the private sector. The NSA declined to comment.

Twitter and Facebook locked Trump's accounts for the first time during violent riots by his supporters.

Republicans repeatedly made false claims about the election and encouraged unrest ahead of violent scenes in the U.S. Capitol on Dec. 6. (Video: The Washington Post)

It's an unprecedented step by the two companies, which have often come under criticism for their handling of Trump's inflammatory rhetoric, Tony Romm, Elizabeth Dwoskin and Drew Harwell report. Twitter is set to restore Trump's account after a 12-hour suspension, and Facebook's will be in place for 24 hours.

Facebook also took the rare step of removing a video from Trump laced with misinformation about the riot. YouTube also removed the video.

Tweets from Trump making similar claims were also removed. 

“These are the things and events that happen when a sacred landslide election victory is so unceremoniously & viciously stripped away from great patriots who have been badly & unfairly treated for so long,” Trump said in a tweet since removed. “Go home with love & in peace. Remember this day forever!”

Trump could face a permanent ban on the site if he continues to violate its policies when his account is reactivated.

Correction: This piece originally stated Trump's account had been unlocked at time of publication. It was not yet restored.

More cybersecurity news:

Huawei appeals Swedish court decision over 5G network exclusion (Reuters)

NYSE will remove share listings of Chinese telecom companies as Trump moves to ban Chinese apps Alipay and WeChat Pay (Jeanne Whalen)


  • The Aspen Institute is holding a panel “A Moment of Reckoning: Understanding the Russian Cyber Attack” today at 2 p.m. Speakers include Sen. Mark Warner.
  • The Washington Post’s David Ignatius will interview Palantir chief executive Alex Karp to discuss how the company is helping foreign governments manage their coronavirus responses Thursday at 10 a.m. EST.
  • CES will take place virtually from Jan. 11-14.
  • SANS will hold an event “BIPOC in Cybersecurity Forum: Cloud Security” on Feb. 18 from 11 a.m. to 5 p.m.

Secure log off

Watch as Vice President Mike Pence declares Biden the winner of the 2020 presidential election:


Congress finished counting the electoral votes and Vice President Pence declared Joe Biden the president-elect during a joint session of Congress on Jan. 7. (Video: The Washington Post)