The United States Capitol was invaded on Wednesday. Countless rioters wandered the halls of government without supervision. Members of Congress and their staff were evacuated so quickly that computers were left on with windows open and unlocked. Rioters took pictures of themselves sitting behind the desks of some of the most powerful people in our government.
For the next 3½ hours, the Capitol Police basically watched it happen. They were embarrassingly outnumbered and arguably had no way to exert any meaningful degree of control over the matter. They prioritized protecting the members of Congress, but they obviously could not be everywhere.
After hours in which the rioters were being publicly encouraged to leave, and even told by the police to leave, an announcement was made that the invaders had been purged from the Capitol building and things were now safe again. This was exactly the wrong thing to do. Instead of chasing them out the door, the police should’ve locked the doors and arrested everyone inside. Not to punish them (although they definitely deserved it), but to discover who they were and what they were up to.
Hundreds of people, none of whom were searched, wandering the U.S. Capitol, which contains a huge number of convenient places to hide a bomb (and two pipe bombs were actually found at other Capitol Hill locations). Hundreds of people wandering around with their smartphone cameras capturing every detail of the building, publicly accessible or not. Hundreds of people, none of whom were searched, with direct access to electronics, computers, and networks.
It’s a cybersecurity truism that if you have physical access to the machine, you own the machine. Applying that to computers with direct access to the congressional networks is terrifying.
A computer used by Nancy Pelosi’s staff or by someone in the Gang of Eight presents the most serious immediate threat. An intruder would not be able to reach classified material on any of those computers or on the default shared resources, but they would have access to essentially all of the leadership’s deliberative material, emails, employee personnel files, privileged files, and even protected whistleblower disclosures. They would also likely have quick access to personal accounts the computer’s owner used while in the office, such as banking or Amazon, which may default to being logged in or rely on a password manager to make access easy (which would open the door to future coercion). Most importantly, an intruder who came prepared does not need extended time at the computer; a USB drive carrying malicious code, surreptitiously plugged into a machine, is the least sophisticated of numerous options for a bad actor to maintain access and control long after they have nonchalantly walked out the front door. The same can be done through networking hubs, or even cables, given the right tools.
This is not a hypothetical threat either. A laptop was stolen from the office of Senator Jeff Merkley (D-OR), who sits on the powerful (and exceedingly relevant to foreign adversaries) Senate Appropriations and Foreign Relations Committees.
Bottom line: any Washington-based foreign spy who was not in this crowd by the time it was removed from the Capitol deserves to be fired by their government. Locating surreptitious devices that could have been attached to any piece of electronic equipment in the building is going to be a logistical nightmare orders of magnitude more complex than searching for incendiary devices. Add in the need to look for malicious code, and it will be months before Congress can be truly safe again.
It would be less if the rioters had been detained, interrogated, and searched. But they weren’t. When the inevitable commission is formed to review the events of this tragic day, I only hope that they seriously consider what happens when almost a thousand people invade a government space and fewer than 50 are arrested. This is the counterintelligence cost of a passive response, and we’ll be paying it for some time.