Cybersecurity experts warn of congressional information security after Capitol riots

As rioters stormed the Capitol building and its congressional offices, they looted papers and, in at least one case, stole a laptop, according to a video shared on Twitter by Sen. Jeff Merkley.

The theft raises questions about Congress' cybersecurity posture and whether U.S. officials have done enough to protect their devices and computer networks from direct physical access.

The incident highlights the serious cybersecurity risks now faced by all lawmakers, congressional officials and any outside parties with whom they may have communicated in the course of business, security professionals say. Merkley is a member of the Senate Foreign Relations Committee, which routinely discusses U.S. global strategy and oversees the State Department.

There is no evidence that the rioters' ranks included skilled hackers or motivated spies, and so far there is no evidence of a data breach. But it's a danger that U.S. Capitol police and congressional IT administrators must consider now, said Kiersten Todt, director general of the Cyber Readiness Institute.

“What you absolutely want is for the congressional computer division, last night after the looting and invasion, to be up to date and take inventory of all the offices,” Todt said, “checking which devices were accounted for and which were not, and to be able to clean these devices immediately.”

Spokesmen for U.S. Capitol police and the House and Senate Sergeants at Arms did not return requests for comment.

As with remote hacking, physical access to a computer or mobile device can allow thieves to view emails, connect to networks, and download important files without permission. But physical access threats are often considered even more dangerous, as they offer hackers more options to compromise a device.

“There’s so much more you can do when you’re physically close to a system,” said Christopher Painter, one of the top U.S. cybersecurity officials.

Attackers who have gained control of a laptop, for example, can connect USB drives loaded with malware, install or modify computer hardware, or make other surreptitious changes to a system that they could not perform remotely.

Given the right level of access, even a casual attacker could see congressional emails, shared file servers and other system resources, said Ashkan Soltani, a security expert and former chief technologist at the Federal Trade Commission.

Even unclassified information can be harmful in the right contexts and in the wrong hands, Painter added.

Several current members of the Senate told CNN that while there are IT protections throughout the organization, many decisions about information security practices are left in the hands of lawmakers' offices.

Lawmakers and their staff use a potpourri of technology: iPhones, iPads, MacBooks, Android devices, Microsoft Surface tablets, and HP, Dell, and Lenovo laptops, to name a few, according to one employee.

Mobile devices and laptops are generally password protected, employees said. One of them said that in his office, devices are set to lock automatically after 30 minutes or sometimes less.

Access to certain applications, such as shared file storage systems and Skype, requires logging in to a VPN, employees said. And logging into the VPN also requires multi-factor authentication.

But a VPN is not required to access emails that have been downloaded to a mobile device, they said, and many employees do not store their files behind multiple layers of protection.

“A lot of people just save folders to the desktop; not everyone uses server storage,” one of the employees told CNN.
