By Dan S. Wallach, Ph.D.
Baker Institute Rice Faculty Scholar and Professor of Computer Science and of Electrical and Computer Engineering, Rice University
and
Chris Bronk, Ph.D.
Assistant Professor, Department of Information and Logistics Technology, University of Houston
The photograph above was apparently taken on January 6, 2021, by one of the insurrectionists who broke into the U.S. Capitol. The insurrectionists ransacked the building, killed a Capitol Police officer, and rummaged through numerous offices including that of Speaker of the House Nancy Pelosi. During the melee, Pelosi’s staffers hid under a table in a meeting room, yet this computer remained open and accessible to the intruders.
What might the intruders have done to this computer? We see what appears to be an email application. The intruders could have read Pelosi’s emails, perhaps choosing something sensitive or salacious to forward externally. They could have launched a web browser and downloaded malware to install on the computer. In short, this photograph raises a variety of obvious alarms to anyone concerned with IT security. Our colleague Herb Lin published a short post on Lawfare regarding the potential for these and other cybersecurity issues to arise from the breakdown of law and order in the Capitol. To his points, there could well have been opportunities to plant malicious software as likely happened in Iran’s nuclear program and at Saudi Aramco.
The physical security of computers against in-person attacks is a topic that many organizations, governments and corporations must deal with on a regular basis. This includes fairly mundane issues, like lost laptops, as well as possibly invasive attacks at customs checkpoints and other places where a computer might be temporarily out of the hands of its rightful user. Modern PCs have a variety of features to defend against this, but they’re generally only enabled on devices that are centrally administered by an organization large enough to have a dedicated IT department. One common technique, used throughout the federal government, but notably not in the House of Representatives, is authenticating the login process with a physical ID card (e.g., Common Access Cards). If you remove the card from the computer, the screen immediately locks. Furthermore, the computer’s storage system is encrypted, with access to the cryptographic keys disabled absent the physical card plus the user’s password.
The Senate manages its information technology centrally, allowing the Senate’s chief information officer to enable, by default, these sorts of processes on all of the computers used for Senate business. (We note that the Senate Sergeant at Arms is presently accepting job applications for a number of IT and cybersecurity-related positions.) The House of Representatives doesn’t have any equivalent IT management, leading to an obvious question. Why? To understand this, we need to understand the security model for the U.S. Capitol itself. Up until now, the Capitol has remained very much an open building and may well remain so. After Pelosi ordered magnetometers installed at the entrance to the House chamber, several representatives refused to walk through them or to subject themselves to secondary searches after the magnetometers alarmed. For better or for worse, some U.S. Representatives do not wish to subject themselves to the restraints that might be required to ensure either physical or IT security.
When either of us have had business in the Capitol, entering the building has stood in marked contrast to gaining access at other federal agencies. No sign-in is required, nor is there any need for an escort, as is the case in most other federal buildings. Tourists amble through the halls among members, staff, and journalists. This is how Congress prefers to operate.
As we mentioned above, the House of Representatives has no centrally managed IT process for its computers. Each Representative’s office runs its own systems, buying equipment from whatever vendor it prefers. No government IT experts enforce good security practices on these computers, whether for mundane requirements like having good passwords, or for more sophisticated security controls, like mandated security patching, disk encryption or two-factor authentication. This leads to an obvious recommendation: Congress needs to up its IT security game. If the hallways of Congress will continue to be open to anyone to freely wander around, then improved IT security is a clear necessity.
We have seen many online discussions concerned with “classified” government information (i.e., information labelled “secret,” “top secret” and other such labels). We note that classified government information is not or should not be on any government computer operating in an open environment like the offices of U.S. Representatives or Senators, and is subject to a variety of restrictions on how it is managed. Consequently, we believe it to be unlikely that the Capitol intruders had easy access to classified information. Of course, while Pelosi’s emails are not legally “secret”, they are almost certainly “sensitive” and access to them would be of great interest to our nation’s adversaries. They deserve improved protections.
We must also speak to the security of Congressional smartphones. Members of Congress are constantly on the move, from hearings, to constituent meetings, and so forth. Unsurprisingly, members of Congress became early and enthusiastic adopters of Blackberry email devices, and now smartphones running Android or iOS. Due to a quirk of campaign finance law, Congressional representatives may not “dial for dollars” from their office phones, but must instead use personal or campaign-owned equipment. While using government equipment for campaign-related work is forbidden, using campaign equipment for government-related work is perfectly acceptable. Consequently, much of Congress’s business happens on campaign-supplied smartphones over which, yet again, there is no central IT management. Government security experts cannot oversee and protect members’ personal devices. Again, the solution is clear: allow government cybersecurity personnel to secure the smartphones and online accounts used by Members of Congress, regardless of whether Members are using those devices to conduct government business, make campaign-related calls, or exchange emails with family members.
There is some good news. The bipartisan House Select Committee on Modernization released an ambitious roadmap for bringing Congress up to date across a number of thrusts, not least IT. Accepting that “Congress still lags behind the private sector and executive branch in technology,” The Committee’s report produced 12 points that emphasized the need for more effectively supplying IT services, analysis, and data management, not least reestablishing Congress’s Office of Technology Assessment (OTA), which was defunded in 1995. In the wake of awareness on the Capitol’s physical security woes, we believe it’s appropriate to also rethink their cybersecurity.
For this reason, we propose that the House and Senate consider forming a task force on Cybersecurity for the U.S. Congress composed of knowledgeable staff within Congress and across the Federal government, capable of suggesting changes in rule and process as well as offering pragmatic technical solutions largely solved elsewhere. Congress has enacted laws on organizational cybersecurity for the federal government from which it is itself largely exempted. Although such a task force could offer no guarantee of blocking the most sophisticated of attacks, much could be done to prevent compromises which exploit Congress’s lax cybersecurity posture. This would be good for the institution, its members, and the country.
One of the joys of visiting the halls of Congress, under normal circumstances, is its absence of overwhelming security measures. Congress is the People’s House, and you’ll interact with constituents from across the country, traveling to meet their elected representatives. Hopefully, Congress will soon be able to send home the National Guard troops presently stationed around and throughout its halls. And when they do so, it would be entirely appropriate to adopt modern IT management and cybersecurity processes, used throughout the rest of the government, to protect them against IT security issues of all sorts.