The insurrection at the U.S. Capitol Wednesday, which saw rioters storm the building and reportedly steal devices belonging to government officials, opened what one cybersecurity expert has called a Pandora’s box of national security and data privacy issues.
Multiple sources pointed to the need to treat the incident as a breach of IT assets, regardless of whether evidence shows any malicious activity: devices will need to be swept, technical surveillance countermeasures will have to be put in place to ensure there are no eavesdropping devices, and network traffic must be monitored long term.
“When you lose physical control of a space, you have to assume everything is compromised,” said Bryson Bort, founder and CEO at SCYTHE. “Everything should be rebuilt from the ground up.”
Assessing the damage
In the initial hours, days and weeks, cybersecurity teams will be considering risk factors that existed at the time of the incident.
“If their workstations were unlocked during the scurry there is no telling what could have been accessed with the privileges of the user,” said M. Michael Mitama, CEO at THETA432. “Whatever the end user was reviewing at the time would have been left open for all eyes to see. Mobile phones could have captured photos of the desktop contents to be used later in consequential attacks. USB access (if not blocked) could have introduced malware into the entire network of the hosts. Ransomware introduction could have shut down the entire network and would have caused catastrophic outages if USB ports were not protected.”
“The ability to prevent cyber incidents from happening is basic IT protocols,” said Kiersten Todt, managing director of the Cyber Readiness Institute. What “we’ll learn is if those protocols were followed.”
Had the breach happened two years ago, the Senate would have been much more vulnerable. In 2018 Sen. Ron Wyden, D-Ore., successfully pushed the Senate Rules and Administration Committee to mandate encryption by default for all new Senate devices. Congressional IT generally works on a two-to-three-year refresh cycle, so data on many devices installed since then are far better protected than before.
Common security features like two-factor authentication and autolocking computer screens after a few minutes of inactivity are not mandatory, and congressional staff must proactively request such setups first. While there is segregation of congressional networks in some places, all 100 senators share the same email server and network infrastructure. All of these factors will be considered as security teams assess the damage.
Social media may provide insight as well. Photos of a rioter accessing Outlook on a congressional workstation, for example, suggest that protocols may not have been followed or that they fell short. Perhaps, said Bob Maley, chief security officer at NormShield, the period of time before the system automatically locked was too long.
Perhaps more critical still, congressional cybersecurity teams will need to identify how many devices were taken and whether they had encryption set by default. Rioters stole a laptop from the office of House Speaker Nancy Pelosi, D-Calif., and Sen. Jeff Merkley, D-Ore., tweeted that a laptop was taken from his office as well.
“If the Capitol had device management capabilities on their mobile devices, laptops, tablets, mobile phones, etc., they can administer these devices via remote wiping if stolen,” said Mitama. “If they were computers and they had a LoJack type of software, they could actually track the device to the location and send the police or FBI for retrieval.”
If the security operations center was able to push notifications of a breach, a remote command to restart all systems should have been pushed at the time also, said Joseph Neumann, director of offensive security at Coalfire. That, along with full disk encryption, “should be enough to secure the endpoints to a degree. Secondly, the SOC should or possibly may have network isolated the building, rooms, from data centers or external resources.”
Potential exposure
Beyond near-term efforts to address immediate risk, cyber teams will need to consider the type of information exposed, and who might gain access.
“If you are a foreign government, especially one of the big four state-sponsored cyber adversaries, you’re going to see that as an opportunity to mix with the crowd,” said a former Senate staffer. “And if you get in and have a thumb drive, that could be a profound, profound compromise” with long-term consequences, not unlike the current circumstances tied to the SolarWinds hack.
That scenario might be more likely if rioters shared their plans online.
“I’d like to know if there was intel on [the] dark web about the group’s activities” and plans, said Maley. Bad actors monitoring those channels may have decided “‘this is going down, disruption is happening, and I’m going to insert myself in this disruption.’”
Cyber experts doubt that those who stormed the Capitol picked off classified information, which is typically housed in secure facilities that are not easy to find or access, under armed guard at all times and include strict lockdown protocols in the event of an ongoing breach. While it’s “exceptionally unlikely” the invaders got in there, the former Senate staffer said, some offices do have safes that contain classified information at the Secret level or below. Those offices are supposed to be locked when staffers leave, but the chaos and speed of the breach and evacuation means many likely did not.
Beyond that, classified information isn’t the only valuable data lying around. Communications from members of Congress or their staff to other members or outside parties contain insights into ongoing policy disputes, who has influence, pressure points for blackmail and other unclassified information that would be valuable to a foreign intelligence operation.
“Even if you’re just looking at emails, that’s a lot of valuable intelligence – especially if you’re the Chinese and trying to understand how we function and the dysfunction associated with Congress. That’s a treasure trove,” said the staffer. “People are informal over email, people express their displeasure over email in a way that’s not ready for prime time. It’s valuable in terms of targeting folks for counterintelligence reasons, who may be vulnerable, but also understanding where the beef is and who has conflicts.”
I had not even considered the fact that outside threat actors could have used this breach to compromise the physical network of the US Government! Network access to routers and switches was even possible by breaching closets. How do the cyber investigators even verify all points of compromise?