The theft raises questions about Congressional stance on cybersecurity and whether US officials have done enough to secure their computing equipment and networks from direct, physical access.
The incident highlights the serious cybersecurity risks facing all lawmakers, convention workers and any outside parties they may have communicated with while conducting business, security professionals say. Merkley is on the Senate Foreign Relations Committee, which routinely discusses US global strategy and oversees the State Department.
There is no evidence that the rioters were skilled hackers or motivated spies, and no evidence of a data breach so far. But it’s a danger that US Capitol police and Congressional IT administrators must now consider, said Kiersten Todt, director of the Cyber Readiness Institute.
“What you’re absolutely hoping is that last night, after the looting and invasion took place, the Congress IT department was informed and took stock of all the offices,” said Todt, “to see what devices were being accounted for and which weren’t, and could wipe devices immediately.”
Spokespersons for the US Capitol Police and the House and Senate Sergeants at Arms have not responded to requests for comment.
Similar to remote hacking, physical access to a computer or mobile device allows thieves to view emails, connect to networks, and download important files without permission. But physical access threats are often considered even more dangerous, as they give hackers more options to compromise a device.
“You can do a lot more when you are physically close to a system,” said Christopher Painter, a former top US cybersecurity official.
For example, attackers who have gained control of a laptop could connect malware-laden USB drives, install or change computer hardware, or make other covert changes to a system that they could not remotely run.
With the right level of access, even a casual attacker could view emails from Congress, shared file servers, and other system resources, said Ashkan Soltani, a security expert and former chief technologist with the Federal Trade Commission.
Even unclassified information can be harmful in the right contexts and in the wrong hands, Painter added.
Several current Senate officials told CNN that while IT protections exist throughout the organization, many decisions about information security practices are left in the offices of individual lawmakers.
Lawmakers and their staff are using a potpourri of technology: iPhones, iPads, MacBooks, Android devices, Microsoft Surface tablets and laptops from HP, Dell and Lenovo, just to name a few, said one staffer.
Mobile devices and laptops are generally password protected, the staffers said. One said devices in his office are set to automatically lock themselves after 30 minutes or sometimes less.
To access certain applications, such as shared file storage systems and Skype, you must log in to a VPN, the staff said. And logging into the VPN also requires multi-factor authentication.
But a VPN is not required to access emails downloaded to a mobile device, they said, and many staff members do not store their files behind multiple layers of protection.
“A lot of people just keep folders on their desktop – not everyone uses their server storage,” an employee told CNN.