Don’t worry about the cybersecurity fallout of the Capitol breach

Members of Congress can't access classified information on their work computers, and the chances that Wednesday's mob contained a few moonlighting cyberspies are slim.

Among the disasters that visited Capitol Hill on Wednesday, the fact that the people who infiltrated Congressional offices had unfettered access to IT assets for several hours ranks rather low.

One of the most iconic images of Wednesday's events was a picture of the home screen of Speaker Nancy Pelosi's office computer, abandoned in haste after a mob broke into the Capitol building, forcing Congress and staffers to retreat to safer locations. By design, nothing on Pelosi's computer was classified: Members of Congress have to enter a protected room in the building to view secret documents, as you'll recall from last year's impeachment proceedings, when several House Republicans stormed into such a room in protest because they were denied access to documents their leaders could access.

There could have been plenty of unclassified information that would still be considered sensitive, such as Pelosi's contacts and email correspondence. And it's fair to say that congressional IT practices are somewhat haphazard; some computers might have been encrypted, while some might not have even had password protection, according to security experts.

As Katie Moussouris, CEO and founder of Luta Security, told The Washington Post: "There's an old saying, if an attacker has physical access to your computer, it's not your computer anymore."

Still, any lasting cybersecurity damage from the breach is likely to be quite limited.

A laptop from Sen. Jeff Merkley's office was taken, but there were no other reports of missing computers. Representatives from Merkley's office did not respond to an inquiry as to whether or not that laptop was encrypted; computers purchased for Senate offices after October 2018 were required to have encryption technology turned on at the urging of Merkley's fellow Oregon senator, Ron Wyden, but it's not clear when the laptop in question was purchased.

There's a far greater threat to information security in the Capitol Building, and it doesn't require access to the building itself. As we've seen with the SolarWinds hack that infiltrated several executive branch agencies last year, the biggest threats to government information security aren't wearing red hats and breaking windows; they're coming from overseas through the internet to steal sensitive data.

And in any event, the Capitol Building is not exactly the most secure facility controlled by the government, as Wednesday's events show. Any foreign intelligence agent bent on figuring out what the House Committee on Ways and Means is up to would probably have better luck accessing computers by infiltrating the cleaning staff or mingling with visitors on a post-pandemic tour of the building.

The incident does shine a light on congressional cybersecurity practices, which are far less robust than the requirements of the executive branch.

In the House, members of Congress are responsible for procuring their own IT assets just like any of us, whereas in the Senate, technology purchases are made through the office of the Sergeant at Arms. Email and file servers in the House are managed by the chief administrative officer, a non-partisan position. In the Senate, that duty falls to the Sergeant at Arms, who serves at the pleasure of the party in power.

"Images on social media and in the press of vigilantes accessing congressional computers are worrying," said Rep. Anna Eshoo, a Democrat from California, in a statement. "I asked the Chief Administrative Officer of the House to conduct a full assessment of threats based on what transpired yesterday, and the CAO has already taken important steps to that end. I have confidence that House and Senate IT and cybersecurity professionals are taking the matter seriously."

On Thursday afternoon, the CAO updated members of the House saying that administrators took "efforts including issuing commands to lock computers and laptops and shutting down wired network access to prevent inappropriate access to House data." It's not clear what, if any, action was taken on the Senate side.

Executive branch staff are almost universally required to use two-factor authentication to log into their work computers, but such a requirement does not exist in the legislative branch. Congresspeople are essentially small-business owners who can require their staff to follow whatever cybersecurity practices they deem necessary, including, well, nothing.

There's certainly a chance that a few individuals among the mob that breached the Capitol Building could have read less-than-flattering emails sent by or to members of Congress, and could use those emails to damage a few reputations.

But the most likely outcome of Wednesday's breach is that a lot of passwords have already been changed, or will be changed in the next few days.

Update: This article was updated at 4:07 p.m. PT to include a statement from Rep. Anna Eshoo, and corrected at 5:17 p.m. PT to fix the spelling of her first name.
