For a short, but critical period of time last Wednesday, chaos reigned inside the U.S. Capitol building in Washington, D.C. Risk assessment failed. Sure, one day a mob could theoretically invade the building, but what are the chances? This legitimately remote possibility was assumed away and the long-term security posture designed for more likely threats. Reasonable enough, until a mob stormed the building.
Remediation has started. The response team will start with triage. Security pros will look for what’s obviously wrong: what systems were accessed, items taken, and spaces breached. Network defenders will conduct scans looking for problems. Classified systems and data will take priority.
In the upcoming days, investigators will develop a detailed timeline of events. Law enforcement will track down intruders to determine what they did, where they were, and who else was there. Security teams will interview Capitol Hill staff to determine devices, documents, and spaces left unsecured. Analysts will closely review forensic data and emerging intelligence. Countersurveillance teams will sweep the building looking for surveillance devices and network hunters will sweep the networks.
Security teams won’t get much sleep for the foreseeable future as they collect and analyze a mountain of data. Regardless of investigative effort, however, the picture will be incomplete. Investigators have to guess the rest and assume the worst. Here are my observations of the looming risks based on my 20 years of cybersecurity experience in a variety of roles at U.S. Cyber Command, NSA, West Point, U.S. Forces Iraq, and the private sector:
- Security culture was weak.
The extent of the damage will depend on the security culture of Capitol Hill. Was classified material regularly taken out of secure facilities, and were monitors festooned with sticky notes containing passwords? Or did Capitol Hill have a strictly followed clean desk policy, multi-factor authentication, full disk encryption, password-protected screensavers, and respect for classified information? If the latter was the case, we avoided a great deal of damage. Or were security policies annoying distractions to work around? As reporting continues, we’ll know more.
- Some people came prepared.
While many intruders appeared content to break into offices and take selfies, trained professionals, including foreign intelligence, may have mixed in with the crowd and used the chaos as cover. These professionals would have rehearsed, memorized targets, and possessed tailored tools, on the chance an opportunity arose. And it did.
- Items walked out of the building.
People left in a hurry. Orderly securing of workplaces was not a prime concern. As a result, intruders had access to sensitive items left lying about, including less secure personal items. Abandoned keys, documents, security tokens, mobile devices, identification badges, computers, and hard drives were all at risk. If intruders could walk into the building, they could walk out with stolen items. Expect document and media exploitation to happen rapidly.
- Intruders installed surveillance devices.
In cybersecurity, we consider physical access a “game-over” scenario. We should accept that some computers were unsecured and tampered with. Besides grabbing sensitive files, intruders may have installed surveillance software and hardware, like keystroke loggers and rogue access points. We shouldn’t discount the possibility of hidden cameras and listening devices.
- Classified was compromised.
We don’t allow top secret information outside of secure facilities. Did someone breach protocol? Even worse, was a Sensitive Compartmented Information Facility (SCIF) breached? Were secret-level documents or terminals vulnerable? Offices typically have burn bags to dispose of sensitive information. What was in the trash?
We lost control of the inner sanctum of U.S. democracy. We should assume compromise – that some came prepared and exploited the chaos. Congress will hold hearings and issue reports. Security teams will wipe or replace systems, and issue new security credentials. People will be fired and some high-level police officials have already resigned. Attackers will race against defenders to exploit any compromises or, alternatively, lay low to avoid detection and maintain long-term access. The government workforce will receive training about dealing with similar circumstances. Security teams will radically revise their threat models and security procedures will become much stricter. In short: Capitol Hill’s security will look a lot more like an embassy in a combat zone.
Gregory Conti, co-founder and principal, Kopidion