Jan 13, 2021

Another fear after Capitol attack: information security

The cybersecurity threat is made worse by the fact that members of Congress are each in charge of their own IT.

As we examine the fallout from the attack on the U.S. Capitol last week, what are the cybersecurity implications? Maybe not the top thing on your mind. But consider that for hours rioters had almost unimpeded access to offices, networks and computers on desks. A laptop was even stolen, and security experts say there’s the potential for all kinds of hacking and intrusions. And the cybersecurity threat is made worse by a unique feature of Congress: Everyone is in charge of their own IT.

I spoke with Bruce Schneier, a security technologist. He told me some of the things intruders could have done. The following is an edited transcript of our conversation.

A headshot of Bruce Schneier, a cybersecurity expert and author of the book “Click Here to Kill Everybody: Security and Survival in a Hyper-connected World.”
Bruce Schneier (Photo courtesy of Claudia Miklas)

Bruce Schneier: I mean, certainly, you would plant room bugs, especially if you’re in [House Speaker Nancy] Pelosi’s office, where she’s sitting at her desk. You could put room bugs in there, [and] that’d be pretty awesome from a foreign government’s perspective. You can get into the networks of Congress. Now, we see how much effort the Russians put into the SolarWinds operation, trying to get into government networks. Here, they can now walk in. And there’s a saying among computer security people that if you no longer control your computer, it’s no longer your computer. When you get that computer back, that’s not a trustworthy computer anymore.

Molly Wood: One thing that was reported a few days ago was that a laptop was stolen from Nancy Pelosi’s office. And, I mean, that alone seems bad, right?

Schneier: But we have ways to deal with that. My laptop is encrypted. If you stole my laptop, you would get a hunk of plastic and metal and chips, and you wouldn’t get any of my data. Now, that’s pretty good security hygiene. One of the problems we have in Congress — this is kind of interesting — [is that] each member of Congress is kind of their own boss. And while there is an IT department, there are no centralized standards. So anybody could be doing whatever they want in their office, and we don’t know. So [Pelosi’s stolen computer] could be nothing, just a loss of a couple of thousand dollars of a computer, or it could be the loss of all the data that’s on the computer.

Wood: Well, that’s terrifying. Given some of the technology proficiency we have seen demonstrated here and there, it seems scary that everybody’s left to their own devices — no pun intended — when it comes to security hygiene.

Schneier: That’s the decentralized nature of our government. And there have been attempts to try to have uniform standards in Congress. And there are always members who disagree and you can’t force them. That’s a problem. It’s not like a corporation, an organization, where you can be told what to do.

Wood: What does mitigation look like? Like, are potential mitigation efforts, whether it’s sweeping for bugs or checking every network and every USB port, is that also going to be left up to every member? Or is that something where Capitol Police say, this is just going to be standard operating procedure for making sure we’re not compromised?

Schneier: I think the police will say that, but I think a member can object. [Capitol Police] can strongly suggest, and I believe most members would go along with it. Nobody wants room bugs in their offices, no matter what party you’re from.

U.S. Capitol rioters sit at the desks in the office of House Speaker Nancy Pelosi in Washington, D.C., on Jan. 6.
U.S. Capitol rioters relax in the office of House Speaker Nancy Pelosi. (Saul Loeb/Getty Images)

Related links: More insight from Molly Wood

I should note that a spokesperson for Speaker Pelosi tweeted after the attack that the stolen laptop was only used for presentations.

Now, some law-enforcement officials say that cybersecurity is low on their list of concerns after what happened at the Capitol, an attack in which five people died and, arguably, we all witnessed the birth of a new terrorist movement. But others say we almost have to assume there were foreign actors involved in the storming of the Capitol. It was a well-publicized event, and anyone with an interest in getting inside and stealing information would likely have seen it as, at minimum, a good opportunity.

But every cybersecurity expert agrees that offices, networks and individual devices should be carefully examined for intrusion. Hopefully, all the members of Congress will get on board. That is a weird system.

A piece in Gizmodo analyzes the GPS data that was pulled from that big download of Parler users. Parler, it seems, barely bothered with any security at all. The data seems to show that rioters got quite far inside the building, well past public areas, but it’s hard to tell with much real accuracy. There’s also a good Wired piece about Parler’s complete lack of protection for its users, which, I guess, could be considered free speech; certainly, free for the taking.

The team

Molly Wood Host
Michael Lipkin Senior Producer
Stephanie Hughes Producer
Jesus Alvarado Assistant Producer