The theft raises questions about Congress’ cyber security stance and whether American officials have done enough to protect their computing devices and networks from direct physical access.
The incident highlights the serious cybersecurity risks that all lawmakers, Congressional officials and any outside parties with whom they may have communicated in the course of business now face, security professionals say. Merkley serves on the Senate Foreign Relations Committee, which routinely discusses the US’s global strategy and oversees the State Department.
There is no evidence that the ranks of hooligans include skilled hackers or motivated spies, and no indication yet of data breaches. But it is a danger that the United States Capitol Police and Congressional IT administrators must now consider, said Kiersten Todt, managing director of the Cyber Readiness Institute.
“What you absolutely expect is that last night, after the loot and the invasion, that the Congressional IT division is in control of things and taking inventory of all offices,” said Todt, “checking which devices were counted. and that were not, and were able to wipe these devices immediately. “
Spokesmen for the US Capitol Police and the House and Senate Arms Sergeants did not return requests for comment.
As with remote hacking, physical access to a computer or mobile device can allow thieves to view email, connect to networks and download important files without permission. But physical access threats are often considered even more dangerous, because they give hackers more options to compromise a device.
“There is so much more you can do when you are physically close to a system,” said Christopher Painter, a former US cybersecurity officer.
Attackers who have gained control of a laptop, for example, can connect USB drives loaded with malware, install or modify computer hardware, or make other surreptitious changes to a system that they would not be able to perform remotely.
Given the right level of access, even a casual attacker would be able to view Congressional emails, shared file servers and other system resources, said Ashkan Soltani, a security expert and former chief technology officer at the Federal Trade Commission .
Even unclassified information can be harmful in the right contexts and in the wrong hands, Painter added.
Several current Senate officials told CNN that, while there are some IT protections throughout the organization, many decisions about information security practices are left to the offices of individual lawmakers.
Lawmakers and their team use a potpourri of technology: iPhones, iPads, MacBooks, Android devices, Microsoft Surface tablets and laptops from HP, Dell and Lenovo, to name a few, according to one of the officials.
Mobile devices and laptops are often password protected, officials said. One said that in his office, devices are set to lock automatically after 30 minutes or sometimes less.
Accessing certain applications, such as shared file storage systems and Skype, requires logging into a VPN, officials said. And VPN login also requires multi-factor authentication.
But a VPN is not necessary to access e-mails that have been downloaded to a mobile device, they said, and many employees do not store their files in multiple layers of protection.
“Many people simply keep folders on their desktops – not everyone uses their server storage,” an official told CNN.