Cybersecurity experts warn about Congress’s information security after Capitol riots

As rioters stormed the Capitol building, they broke into congressional offices, ransacked papers and in at least one case, stole a laptop, according to a video shared on Twitter by Sen. Jeff Merkley.

Merkley’s office wasn’t the only one robbed, according to authorities. On a call with reporters Thursday afternoon, US officials said multiple senators’ offices were hit.

“This is probably going to take several days to flesh out exactly what happened, what was stolen, what wasn’t,” said Michael Sherwin, acting US attorney for the District of Columbia. “Items, electronic items, were stolen from senators’ offices. Documents, materials, were stolen, and we have to identify what was done, mitigate that, and it could have potential national security equities. If there was damage, we don’t know the extent of that yet.”

The thefts raise questions about Congress’s cybersecurity posture and whether US officials have done enough to secure their computing devices and networks from direct, physical access.

The incident highlights the grave cybersecurity risks that now face all lawmakers, congressional staffers, and any outside parties they may have communicated with in the course of business, security professionals say. Merkley sits on the Senate Foreign Relations Committee, which routinely discusses US global strategy and has oversight over the State Department.

It took an assault on Congress for Facebook and Twitter to draw a line on Trump

There is no evidence that the rioters’ ranks included skilled hackers or motivated spies, and no indication so far of a data breach. But it is a danger that US Capitol Police and congressional IT administrators must now consider, said Kiersten Todt, managing director of the Cyber Readiness Institute.

“What you absolutely hope is that last night, after the looting and the invasion happened, that the congressional IT division was on top of things and taking inventory across all offices,” Todt said, “checking to see which devices were accounted for, and which were not, and were able to wipe those devices clean immediately.”

Spokespeople for the US Capitol Police and the House and Senate Sergeants At Arms did not return requests for comment.

As with remote hacking, physical access to a computer or mobile device can allow thieves to view emails,…