The insurrection at the U.S. Capitol Wednesday, which saw rioters storm the building and reportedly steal devices belonging to government officials, opened what one cybersecurity expert has called a Pandora’s box of national security and data privacy issues.
Multiple sources pointed to the need to treat the incident as a breach of IT assets, regardless of whether evidence shows any malicious activity: devices will need to be swept, technical surveillance countermeasures will have to be put in place to ensure there are no eavesdropping devices, and network traffic must be monitored long term.
“When you lose physical control of a space, you have to assume everything is compromised,” said Bryson Bort, founder and CEO at SCYTHE. “Everything should be rebuilt from the ground up.”
The incident, as well as the response among those on Capitol Hill tasked with securing government technology assets, serves as a dramatic and evolving case study for public and private sector entities regarding the scope of cybersecurity risk tied to a physical breach.
Assessing the damage
In the initial hours, days and weeks, cybersecurity teams will be considering risk factors that existed at the time of the incident.
“If their workstations were unlocked during the scurry, there is no telling what could have been accessed with the privileges of the user,” said M. Michael Mitama, CEO at THETA432. “Whatever the end user was reviewing at the time would have been left open for all eyes to see. Mobile phones could have captured photos of the desktop contents to be used later in consequential attacks. USB access (if not blocked) could have introduced malware into the entire network of the hosts. Ransomware introduction could have shut down the entire network and would have caused catastrophic outages if USB ports were not protected.”
A former Senate staffer who focused on cybersecurity issues in Congress until last year told SC Media that the open concept architecture of the Capitol and uncertainty about how many offices and buildings were breached create gaps that must be filled in before a more accurate damage assessment can be done.
And while the staffer agreed that any physical breach of a building by outsiders requires all to “assume compromise,” calls to rip and replace every computer or device are probably not necessary. Rather, law enforcement should be using evidence from video cameras inside the halls to pinpoint which offices or sections of buildings were flooded by protestors and whether they entered any offices.
“The ability to prevent cyber incidents from happening is basic IT protocols,” said Kiersten Todt, managing director of the Cyber Readiness Institute. What “we’ll learn is if those protocols were followed.”
Had the breach happened two years ago, the Senate would have been much more vulnerable. In 2018 Sen. Ron Wyden, D-Ore., successfully pushed the Senate Rules and Administration Committee to mandate encryption by default for all new Senate devices. Congressional IT generally works on a two-to-three-year refresh cycle, so data on many devices installed since then are far better protected than before.
Common security features like two-factor authentication and autolocking computer screens after a few minutes of inactivity are not mandatory, and congressional staff must proactively request such setups first. While there is segregation of congressional networks in some places, all 100 senators share the same email server and network infrastructure. All of these factors will be considered as security teams assess the damage.
Social media may provide insight as well. Photos of a rioter accessing Outlook on a congressional workstation, for example, suggest that protocols may not have been followed or that they fell short. Perhaps, said Bob Maley, chief security officer at NormShield, the period of time before the system automatically locked was too long.
Perhaps more critical still, congressional cybersecurity teams will need to identify how many devices were taken and whether they had encryption set by default. Rioters stole a laptop from the office of House Speaker Nancy Pelosi, D-Calif., and Sen. Jeff Merkley, D-Ore., tweeted that a laptop was taken from his office as well.
“If the Capitol had device management capabilities on their mobile devices, laptops, tablets, mobile phones, etc., they can administer these devices via remote wiping if stolen,” said Mitama. “If they were computers and they had a LoJack type of software, they could actually track the device to the location and send the police or FBI for retrieval.”
If the security operations center was able to push notifications of a breach, a remote command to restart all systems should have been pushed at the time also, said Joseph Neumann, director of offensive security at Coalfire. That, along with full disk encryption, “should be enough to secure the endpoints to a degree. Secondly, the SOC should or possibly may have network isolated the building, rooms, from data centers or external resources.”
But is all of this happening? One can hope, though Neumann fears that “with the rush back to normalcy” the proper procedures might be shortchanged.
Beyond near-term efforts to address immediate risk, cyber teams will need to consider the type of information exposed, and who might gain access.
“If you are a foreign government, especially one of the big four state-sponsored cyber adversaries, you’re going to see that as an opportunity to mix with the crowd,” said the staffer. “And if you get in and have a thumb drive, that could be a profound, profound compromise” with long-term consequences, not unlike the current circumstances tied to the SolarWinds hack.
That scenario might be more likely if rioters shared their plans online.
“I’d like to know if there was intel on [the] dark web about the group’s activities” and plans, said Maley. Bad actors monitoring those channels may have decided “'this is going down, disruption is happening, and I’m going to insert myself in this disruption.'”
Cyber experts doubt that those who stormed the Capitol picked off classified information, which is typically housed in secure facilities that are not easy to find or access, under armed guard at all times and include strict lockdown protocols in the event of an ongoing breach. While it’s “exceptionally unlikely” the invaders got in there, the former Senate staffer said, some offices do have safes that contain classified information at the Secret level or below. Those offices are supposed to be locked when staffers leave, but the chaos and speed of the breach and evacuation means many likely did not.
Beyond that, classified information isn’t the only valuable data lying around. Communications from Congress or their staff to other members or outside parties contain insights into ongoing policy disputes, who has influence, pressure points for blackmail and other unclassified information that would be valuable to a foreign intelligence operation.
“Even if you’re just looking at emails, that’s a lot of valuable intelligence – especially if you’re the Chinese and trying to understand how we function and the dysfunction associated with Congress. That’s a treasure trove,” said the former staffer. “People are informal over email, people express their displeasure over email in a way that’s not ready for prime time. It’s valuable in terms of targeting folks for counterintelligence reasons, who may be vulnerable, but also understanding where the beef is and who has conflicts.”
Indeed, Bort said even access to unclassified systems at Congress “would still be interesting: being able to know what McConnell, Pelosi, Schumer or McCarthy is doing in real-time with detail has huge value.”
Beyond immediate efforts toward damage control, security teams will need to focus on what may have been left behind: any malicious files or installers, or USB drives placed in drawers containing malware. “The work to be done is to check logs and to assess file access and registries on machines, on servers, especially email, to see if confidential information was sent outside from a legitimate account during this raid,” said Dirk Schrader, global vice president at New Net Technologies.
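The log check Schrader describes, as an added illustration that is not from the article or from any of the firms quoted: a small Python triage that parses a constructed mail-gateway log (the line format is assumed, and the addresses and domains are made up) and lists messages sent from internal accounts to external domains during the incident window, optionally filtering by message size.

```python
import re
from datetime import datetime

# Constructed sample mail-gateway log (not real data); the line format is an assumption.
SAMPLE_LOG = """\
2021-01-06T19:05:12Z from=staffer.a@example.gov to=chief@example.gov subject=Schedule size=4211
2021-01-06T20:14:03Z from=staffer.b@example.gov to=dropbox9@mail-example.net subject=Fwd: notes size=983112
2021-01-06T20:31:47Z from=staffer.a@example.gov to=press@example.gov subject=Statement size=2210
2021-01-06T21:02:09Z from=intern.c@example.gov to=personal7@webmail-example.org subject=(no subject) size=1750330
2021-01-07T09:10:00Z from=staffer.b@example.gov to=friend@webmail-example.org subject=Hi size=1200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) subject=(?P<subject>.*?) size=(?P<size>\d+)$"
)

def _parse_ts(value):
    # Accept a trailing "Z" as UTC; older fromisoformat() only understands "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_mail_log(text):
    """Parse each well-formed line into a dict; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = _parse_ts(ev["ts"])
        ev["size"] = int(ev["size"])
        events.append(ev)
    return events

def outbound_in_window(events, internal_domains, start, end, min_size=0):
    """Messages from an internal account to an external domain inside [start, end]."""
    internal = {d.lower() for d in internal_domains}
    hits = []
    for ev in events:
        sender_dom = ev["from"].rsplit("@", 1)[-1].lower()
        rcpt_dom = ev["to"].rsplit("@", 1)[-1].lower()
        if sender_dom in internal and rcpt_dom not in internal \
                and start <= ev["ts"] <= end and ev["size"] >= min_size:
            hits.append(ev)
    return hits

def triage(text, internal_domains, start_iso, end_iso, min_size=0):
    # Convenience wrapper: parse the log and return (sender, recipient, size) tuples.
    hits = outbound_in_window(parse_mail_log(text), internal_domains,
                              _parse_ts(start_iso), _parse_ts(end_iso), min_size)
    return [(h["from"], h["to"], h["size"]) for h in hits]
```

Run `triage(SAMPLE_LOG, {"example.gov"}, "2021-01-06T19:00:00Z", "2021-01-07T00:00:00Z")` to see the two external sends inside the window; the flagged rows are leads for mailbox review, not proof of exfiltration.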
The lesson here is clear: public and private sector alike must focus efforts on tightening security and encouraging cyber hygiene. Just as pandemic planning came to the forefront, organizations now must “pull out the contingency planning binder again and revisit civil unrest procedures,” said Neumann, including full disk encryption, encryption of data at rest, and SOC procedures. Also critical is strict multifactor authentication, limited admin access and shortening the time period before systems lock down.
The private sector might be better prepared in some respects. “Most corporations have these protocols in place. However, to be overwhelmed by a crowd of this many people would take the intervention of law enforcement,” said Mitama. “If we look at this scenario from a defense in depth perspective, we would find that this type of intrusion could be prevented during this type of situation.”
And as organizations focus on network security in the wake of the SolarWinds hack, “they can’t lose sight of what physical events can do,” Todt said. That government and the private sector keep getting caught with their pants down “is a failure of imagination.”