National: Riot in the Capitol is a nightmare scenario for cybersecurity professionals | Tonya Riley/The Washington Post
Lawmakers and congressional staff were ushered into secure locations as a mob backing President Trump violently stormed the U.S. Capitol in hopes of overturning the election he lost. The assault – which only temporarily delayed the certification of President-elect Joe Biden’s win – left many unanswered questions about security at the Capitol, including its cybersecurity.
“There’s an old saying, if an attacker has physical access to your computer, it’s not your computer anymore,” Katie Moussouris, CEO and founder of Luta Security, told me.
A now-removed tweet from a right-wing journalist showed rioters had access to at least one unlocked computer in House Speaker Nancy Pelosi’s office, open to email appearing to belong to a staffer. It’s unclear if the computer was a work or personal device, and my colleague Mike DeBonis confirmed no computers were taken from Pelosi’s office.
“Having shown that they’re willing to rummage through and destroy physical papers and run through the offices of our Congress right now with physical destruction, I would not be surprised if they were trying to access some of the computers that were left unlocked,” Moussouris says. (Some rioters boasted about looting offices for documents. One person, pictured earlier in Pelosi’s office, told the New York Times’s Matthew Rosenberg that he plucked an envelope from Pelosi’s desk.)
Bad actors could also try to guess the passwords of locked devices, which could be successful if the device lacked a strong password, Moussouris says. Anything more intensive, such as breaking into an iPhone, probably would require a third party.
The government normally keeps its most sensitive classified information in separate spaces called sensitive compartmented information facilities. That’s why the extent to which the mob posed a security risk to Congress depends on the expertise of the rioters, Moussouris said. Most, she guessed, are “not exactly cybercriminals.” But taking a laptop would give the thief more time to crack into the computer – or even potentially to take it to a professional to crack.
House IT officials did not respond to a request for comment about steps they’re taking to secure exposed devices.
Important practices that all organizations should implement include having multi-factor password protection and a centralized mechanism to wipe devices of data, Moussouris told me.