Merkley’s office wasn’t the only one robbed, according to authorities. On a call with reporters Thursday afternoon, US officials said multiple senators’ offices were hit.
“This is probably going to take several days to flesh out exactly what happened, what was stolen, what wasn’t,” said Michael Sherwin, acting US attorney for the District of Columbia. “Items, electronic items, were stolen from senators’ offices. Documents, materials, were stolen, and we have to identify what was done, mitigate that, and it could have potential national security equities. If there was damage, we don’t know the extent of that yet.”
The thefts raise questions about Congress’s cybersecurity posture and whether US officials have done enough to secure their computing devices and networks from direct, physical access.
The incident highlights the grave cybersecurity risks that now face all lawmakers, congressional staffers, and any outside parties they may have communicated with in the course of business, security professionals say. Merkley sits on the Senate Foreign Relations Committee, which routinely discusses US global strategy and has oversight over the State Department.
There is no evidence that the rioters’ ranks included skilled hackers or motivated spies, and no indication so far of a data breach. But it is a danger that US Capitol Police and congressional IT administrators must now consider, said Kiersten Todt, managing director of the Cyber Readiness Institute.
“What you absolutely hope is that last night, after the looting and the invasion happened, that the congressional IT division was on top of things and taking inventory across all offices,” Todt said, “checking to see which devices were accounted for, and which were not, and were able to wipe those devices clean immediately.”
Spokespeople for the US Capitol Police and the House and Senate Sergeants At Arms did not return requests for comment.
As with remote hacking, physical access to a computer or mobile device can allow thieves to view emails, connect to networks and download important files without permission. But physical access threats are often considered even more dangerous, because they give hackers more options for compromising a device.
“There’s a lot more you can do when you have physical proximity to a system,” said Christopher Painter, a former top US cybersecurity official.
Attackers that have gained control of a laptop, for example, can plug in malware-laden USB drives, install or modify computer hardware, or make other surreptitious changes to a system they would not be able to accomplish from a distance.
Given the right level of access, even a casual attacker would be able to view congressional emails, shared fileservers and other system resources, said Ashkan Soltani, a security expert and former chief technologist at the Federal Trade Commission.
Even unclassified information can be damaging in the right contexts and in the wrong hands, Painter added.
Several current Senate staffers told CNN that while some IT protections exist across the organization, many decisions about information security practices are left up to individual lawmakers’ offices.
Lawmakers and their staff use a potpourri of technology: iPhones, iPads, MacBooks, Android devices, Microsoft Surface tablets, and laptops from HP, Dell and Lenovo, to name a few, according to one of the staffers.
Mobile devices and laptops are generally password-protected, the staffers said. One of them said that, in his office, devices are set to lock themselves automatically after 30 minutes or sometimes less.
Accessing certain applications, such as shared file storage systems and Skype, requires logging into a VPN, the staffers said. And logging onto the VPN also requires multi-factor authentication.
But a VPN is not required to access emails that have been downloaded to a mobile device, they said, and many staffers do not store their files behind multiple layers of protection.
— CNN’s Kara Scannell contributed reporting.