Capitol riots raise urgent congressional information security concerns, warn cyber experts


As rioters stormed the Capitol building, they broke into congressional offices, ransacked papers and, in at least one case, stole a laptop, according to a video shared on Twitter by Sen. Jeff Merkley.

The theft raises questions about Congress’ cybersecurity posture and whether U.S. officials have done enough to secure their devices and computer networks from direct physical access.

The incident highlights the serious cybersecurity risks now facing all lawmakers, Congressional staff and any outside parties they may have communicated with in the course of their business, according to security professionals. Merkley sits on the Senate Foreign Relations Committee, which regularly discusses US global strategy and oversees the State Department.

There is no evidence that the rioters' ranks included skilled hackers or motivated spies, and no indication to date of a data breach. But it’s a danger that the U.S. Capitol Police and Congressional IT administrators must now consider, said Kiersten Todt, CEO of the Cyber Readiness Institute.

“What you absolutely hope is that last night after the looting and invasion that the IT division of Congress was on top of things and taking inventory of all the offices,” Todt said, “by checking which devices were counted and which were not and were able to immediately clean these devices.”

Spokesmen for the U.S. Capitol Police and House and Senate Sergeants-at-Arms did not return requests for comment.

As with remote hacking, physical access to a computer or mobile device can allow thieves to read email, connect to networks, and download important files without permission. But physical access threats are often viewed as even more dangerous, as they give hackers more options to compromise a device.

“You can do a lot more when you are in the physical proximity of a system,” said Christopher Painter, a former senior US cybersecurity official.

Attackers who have taken control of a laptop computer, for example, can plug in USB drives loaded with malware, install or modify computer hardware, or make other covert modifications to a system that they could not accomplish from a distance.

With the right level of access, even a casual attacker would be able to view Congressional emails, shared file servers and other system resources, said Ashkan Soltani, a security expert and former chief technologist at the Federal Trade Commission.

Even unclassified information can be damaging in the right contexts and in the wrong hands, Painter added.

Several current Senate staff have told CNN that while some IT protections exist throughout the organization, many decisions about information security practices are left to the offices of individual legislators.

Lawmakers and their staff use a medley of technologies: iPhones, iPads, MacBooks, Android devices, Microsoft Surface tablets, and laptops from HP, Dell and Lenovo, to name a few, according to one of the staff members.

Mobile devices and laptops are generally password protected, staff members said. One said that in his office devices are set to automatically lock after 30 minutes or sometimes less.

To access some apps, such as shared file storage systems and Skype, you need to connect to a VPN, staff said. And connecting to the VPN also requires multi-factor authentication.

But a VPN isn’t needed to access emails that have been downloaded to a mobile device, they said, and many staff don’t store their files behind multiple layers of protection.

“A lot of people just keep files on their desks – not everyone is using their server storage,” a staff member told CNN.
