In the aftermath of destructive riots that trashed the United States Capitol on Wednesday, the nation is grappling with questions about the stability and trajectory of US democracy. But inside the Capitol building itself, the congressional support staff is dealing with more immediate logistics, like cleanup and repairs. A crucial part of that: the process of securing the offices and digital systems after hundreds of people had unprecedented access to them.
Allowing physical access to a location can have serious cybersecurity ramifications. Rioters could have bugged congressional offices, exfiltrated data from unlocked computers, or installed malware on exposed devices. In the rush to evacuate the Capitol, some computers were left unlocked and were still accessible when rioters arrived. And at least some equipment was stolen; Senator Jeff Merkley of Oregon said in a video late Wednesday that intruders took one of his office’s laptops off a conference table.
The House of Representatives and Senate each have a Sergeant-at-Arms office that oversees security. On the Senate side this body also supervises cybersecurity, whereas in the House that responsibility lies with the Office of the Chief Administrative Officer. On Thursday, speaker of the house Nancy Pelosi said that sergeant at arms Paul Irving would resign over Wednesday’s breach of the Capitol. Senate majority leader Chuck Schumer said he would remove that chamber’s sergeant at arms, Mike Stenger, if he does not resign.
“It’s a very, very difficult situation,” former Senate sergeant at arms Frank Larkin told WIRED on Thursday. “The place has been rattled a number of times where they’ve had to do instantaneous evacuations or shelter in place, but a scenario like this was not something that was high on the list of possibilities as far as threats. I think 1814 is the last time the Capitol experienced anything like this,” referring to the British invasion of Washington, DC, that year.
Some of the remediation will involve steps that congressional security already performs as a matter of course, like extensively reviewing security camera footage from the House and Senate floor, in hallways, and other spaces to see what intruders did, including what interactions they may have had with electronics. But many spaces, including offices, are not under video surveillance. Another routine process involves sweeping for bugs, like hidden microphones or cameras. But it will take time to evaluate every room and hallway all at once, and the stakes for missing something are high.
“This is probably going to take several days to flesh out exactly what happened, what was stolen, what wasn’t,” acting US attorney for the District of Columbia Michael Sherwin said in a briefing on Thursday. “Items, electronic items, were stolen from senators’ offices. Documents, materials, were stolen, and we have to identify what was done, mitigate that, and it could have potential national security equities. If there was damage, we don’t know the extent of that yet.”
Unlike a building such as the White House, in which access is very tightly controlled, the Capitol building is often called the “People’s House.” Its security is similar to that of a hospital; many spaces are open and accessible if you have a reason to be there, and only some areas are tightly guarded or otherwise access-controlled. Larkin, who also spent years with White House security in the Secret Service and is now vice president of corporate development at SAP National Security Services, says that the Capitol inherently has more entrances and exits than can be simultaneously guarded at normal staffing levels. He emphasizes that failures to contain and secure the situation happened while the pro-Trump mob was outside the building. But Larkin, who retired as Senate sergeant at arms in 2018, adds that cybersecurity is the next priority after physical security.
In spite of this, the mob Wednesday had ample opportunities to steal information or gain device access if they wanted to. And while the Senate and House each build off of their own shared IT framework, ultimately each of the 435 representatives and 100 senators runs their own office with their own systems. This is a boon to security in the sense that it creates segmentation and decentralization; getting access to Nancy Pelosi’s emails doesn’t help you access the communications of other representatives. But this also means that there aren’t necessarily standardized authentication and monitoring schemes in place. Larkin emphasizes that there is a baseline of monitoring that IT staffers will be able to use to audit and assess whether there was suspicious activity on congressional devices. But he concedes that representatives and senators have varying levels of cybersecurity competence and hygiene.