Merkley’s office was not the only one that was robbed, according to authorities. In a phone call to reporters Thursday afternoon, US officials said several Senate offices had been bombed.
“It will likely take several days to clarify what exactly happened, what was stolen, and what was not,” said Michael Sherwin, Acting District Attorney. “Items, electronic items, were stolen from Senate offices. Documents and materials were stolen, and we have to determine what was done, mitigate that, and they could have potential national security property rights. If there is damage, I don’t know the extent of that yet.” .
The thefts raise questions about the cybersecurity status of Congress and whether US officials have done enough to secure their computing hardware and networks from direct and physical access.
The incident highlights the grave cybersecurity risks now facing all lawmakers, congressional staff, and any outside parties they may have contacted in the course of work, say security professionals. Merkeley is a member of the Senate Foreign Relations Committee, which routinely discusses US global strategy and oversees the State Department.
There is no evidence that the rioters’ ranks included skilled pirates or enthusiastic spies, nor is there yet any indication of a data breach. It is a risk that the US Capitol Police and IT officials in Congress should consider, said Kirsten Todd, managing director of the Institute for Cyber Readiness.
Todd said, “What you are completely hoping for is that last night, after the looting and invasion took place, the Congressional IT Department was on top of things and taking inventory in all offices,” to check to see which devices were counted, which weren’t, and were able to scan those devices Immediately “.
Spokespeople for the Capitol Police, the House of Representatives and the Senate did not respond to requests for comment.
As with remote hacking, physical access to a computer or mobile device can allow thieves to view emails, connect to networks, and download important files without permission. But physical access threats are often considered more dangerous, as it gives hackers more options to compromise the device.
“There is a lot that you can do when you have physical proximity to a system,” said Christopher Pinter, a former senior US official in the field of cybersecurity.
Attackers who took control of a laptop computer, for example, could plug in USB drives loaded with malware, install or modify computers, or make other secret changes to a system that they would not be able to accomplish from a distance.
Given the correct level of access, Ashkan Soltani, a security expert and former chief technologist with the Federal Trade Commission, said even an occasional attacker would be able to view Congressional emails, shared file servers, and other system resources.
Pinter added that even unclassified information can be harmful in the right contexts and in the wrong hands.
Several current Senate employees told CNN that while some IT safeguards exist throughout the organization, many decisions regarding information security practices are left to individual lawmakers’ offices.
Legislators and their employees use a range of technology: iPhones, iPads, MacBooks, Android devices, Microsoft Surface tablets and laptops from HP, Dell and Lenovo, to name a few, according to one employee.
Staff said that mobile devices and laptops in general are password protected. Someone said that in his office, devices are set to automatically lock themselves after sometimes 30 minutes or less.
Employees said that accessing certain applications, such as shared file storage systems and Skype, requires a VPN login. Logging into the VPN also requires multi-factor authentication.
But they said that a VPN is not required to access emails downloaded to a mobile device, and not many employees store their files behind multiple layers of protection.
CNN’s Kara Scannell contributed to the report.