The theft raises questions about the cyber security of Congress and whether U.S. officials have done enough to secure their computer devices and networks from direct, physical access.
The incident highlights the serious cyber security risks facing all lawmakers, congressional staff and all outside parties with whom they have communicated in the course of business, security staff say. Merkley sits on the Senate Committee on Foreign Relations, which regularly discusses the U.S. global strategy and oversees the Department of State.
There is no evidence that the rioters existed in the ranks of skilled hackers or motivated spies, and so far no indication of a breach of the data. But this is a danger that U.S. Capitol police and IT administrators of Congress must now consider, said Kiersten Todt, managing director of the Cyber Readiness Institute.
“What you absolutely hope for is that last night, after the looting and invasion took place, that the IT department of Congress was at stake and took inventory in all offices,” Todt said, “to check which devices were offset, and which were not, and were able to wipe those devices immediately clean. ‘
Spokesmen for the U.S. Capitol Police and the Sergeants At Arms of the House did not request comments.
As with remote hacking, physical access to a computer or mobile device can allow thieves to view email, connect to networks and download important files without permission. But physical access threats are often considered even more dangerous because they offer hackers more options to compromise a device.
“There’s a lot more you can do when you’re physically close to a system,” said Christopher Painter, a former U.S. cyber security officer.
For example, attackers who have gained control of a laptop can plug in USB chips loaded with malware, install or modify computer hardware, or make other secret changes to a system that they could not remotely.
Given the right level of access, even a random attacker could see congressional emails, shared file servers and other system resources, said Ashkan Soltani, a security expert and former chief technologist at the Federal Trade Commission.
Even unclassified information can be harmful in the right contexts and in the wrong hands, Painter added.
Several current Senate staff members told CNN that some IT protections exist across the organization, but that many decisions about the practice of information security are left to the offices of individual lawmakers.
Lawmakers and their staff use a huge amount of technology: iPhones, iPads, MacBooks, Android devices, Microsoft Surface tablets and laptops from HP, Dell and Lenovo, to name a few, according to one of the staff members.
According to staff members, mobile devices and laptops are generally password protected. One of them said that devices in his office were set to lock themselves automatically after 30 minutes or sometimes less.
Access to certain applications, such as shared file storage systems and Skype, requires you to log in to a VPN, staff said. And logging in to the VPN also requires multi-factor authentication.
However, a VPN is not required to access email downloaded to a mobile device, and many staff members do not store their files behind multiple layers of protection.
“A lot of people just keep folders on their desks – not everyone uses their server storage,” one staff member told CNN.