This article originally appeared on SearchSecurity.
The physical breach of the United States Capitol could lead to a cybersecurity breach, according to infosec experts, though it’s unclear how serious the risks are.
A massive mob of supporters for President Trump stormed the Capitol building and occupied the house of Congress on Jan. 6. Numerous reports surfaced of unlocked workstations and stolen laptops, but it is unclear if rioters accessed those systems and how the government is addressing the potential risks. Many security experts believe the threat of a breach or cyberattack stemming from the incident are low; however, there is no definitive answer as to what needs to happen from a response perspective, and which organization is tasked with that responsibility.
While much remains unknown, some information has been shared regarding missing items. One U.S. senator, Sen. Jeff Merkley (D-Ore.), recorded his return to the office, once the building was cleared, in a video posted to Twitter. In the video, he said rioters “stole the laptop that was sitting on the table next to the telephone.”
On Jan. 8, Drew Hammill, aide to the Speaker of the United States House of Representatives Nancy Pelosi, also posted on Twitter confirming the theft of a second laptop. However, he implied there was no sensitive information on it.
“A laptop from a conference room was stolen. It was a laptop that was only used for presentations,” he wrote on Twitter.
A risky situation
The possibility of accounts and networks being accessed, both through the stolen laptops and unlocked workstations during the chaotic intrusion, is a top concern. Blake Moore, vice president of strategy and operations at Wickr, told SearchSecurity the rapid evacuation of members and staff, led laptops and IT infrastructure open to “tampering by rioters who had unfettered access to office and technology.”
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, agreed that the biggest risk stems from the potential access to secure information.
“In an ideally segmented network environment, this should be limited to email and file shares. As far as I have read, the Sensitive Compartmented Information Facility (SCIF) areas where secure information is handled were not compromised,” he said in an email to SearchSecurity.
However, the separation of sensitive information is not always guaranteed. According to Morgan Wright, chief security adviser at SentinelOne, there can be what he refers to as “leakage.”
“Having been inside the government, I will tell you that even though there’s supposed to be classified and unclassified systems, a lot of times you get leakage of classified information into unclassified systems. Unintentionally, but it happens,” he said. “There are many reasons. People are inherently lazy and sometimes you might have a collection of usernames and passwords because these staffers manage a lot of accounts for their members of Congress and other stuff, so there may be access to sensitive information.”
While access to sensitive communications should be impossible by normal practices, Wright said he is more concerned about someone using the extraordinary physical access to inject malware directly into government laptop via a USB device. “You’re talking about the ability to get onto a staffer or member of Congress’ laptop while it was still running and logged into and the system is trusting whoever is doing whatever on the keyboard, treating that command as a trusted action.”
Another concern is, who may have accessed the information: friend or foe?
According to Clements, the physical access to any networks or devices at the Capitol would be an enticing target for just about any nation’s intelligence service, including allies and friendly nations. “So, while I haven’t seen any evidence that any such attack took place, the risk is very real.”
Nation-state adversaries could have been among the crowds that bypassed security while breaking into the Capitol, Wright said.
“If I were an adversary to the United States, how easy would it be to stick someone in that crowd and rather than a steal a laptop, be able to insert malware from a variety of places –workstations and more.”
What makes this incident even more difficult is the intelligence concerns on top of the cybersecurity concerns such as the injection of malware.” After Sunburst, can you really trust what’s actually out there anymore? The Sunburst and SolarWinds hack changed the whole way we view trust now. Can you trust an update? I don’t know,” Wright said.
Ondrej Krehel, CEO and founder of LIFARS, told SearchSecurity that insider computer intrusions are incredibly devastating and disruptive for any organization, including the government. “The chaos that ensued in Washington, D.C., was a perfect opportunity to plant a digital eavesdropping device into federal government facilities,” he said in an email to SearchSecurity.
On the other hand, some experts believe the incident won’t evolve into large breaches or cyber attacks. Ciaran Martin, managing director at cyber venture capital investment firm Paladin Capital Group and former head of the U.K.’s National Cyber Security Centre, told SearchSecurity that given the gravity of the overall situation, it’s important not to overhype the cybersecurity risks.
“This is the legislative branch of government, not the key departments of state, let alone the classified communications of the Pentagon or intelligence community. The intruders’ primary purpose wasn’t to get information off hard drives and networks. I’ve not seen any evidence anyone had a sustained go at any devices. One stolen laptop doesn’t bring down a government,” he said in an email to SearchSecurity.
What happens next?
It’s not clear which government entity is in charge of assessing the cybersecurity risks stemming from the Capitol building riots. SearchSecurity contacted the Cybersecurity and Infrastructure Security Agency (CISA) for information regarding the response; CISA referred SearchSecurity to the Office of the Sergeant at Arms, which has not responded for requests for comment.
While the extent of accessed data has not been disclosed, security experts believe there are steps that can be taken in the aftermath of a physical breach like last week’s.
According to Moore, every office in the Capitol building must assume their IT infrastructure has been compromised until a full audit or replacement can be done.
“Because there are also reports of technology being stolen, it is important for offices to take the appropriate steps to secure devices. In the meantime, it is important to emphasize that all communications and collaboration — everything from file sharing to video calls and messages — must happen in a separate, end-end encrypted environment to maintain the highest level of operational security,” he said in an email to SearchSecurity.
Krehel agreed that mitigation steps need to be taken, including surveying the damage, recording the details and deploying an around-the-clock Digital Forensics and Incident Response (DFIR) team.
“Detection and monitoring — strong network and endpoint solutions should be implemented to seek any connections that could be malicious and enriched with threat intelligence data for real threat actors, including nation-states, cyber extortion groups and financial criminals,” he said. “Every computer system should be replaced, and every connected cable, including wall jacks, should be reviewed.”
According to Clements, the approach of replacing every device is an extreme one but may be necessary. “Sort of a thorough review of the computers down to the individual components, this may be the most direct way of ensuring a safe operating environment.”
While Wright said the computers should be replaced, he doubts they will due to the lack of resources and time. “It’s a bureaucracy and it takes forever to replace all that stuff. Even though that’s what they should do, what they end up doing is a function of time, budget, protocols, rules, administrative procedures and simply the business of government has to get on. How long did we know the state department computer system had holes, but they still operated on it? I think they will continue to operate on it until such time that a vulnerability or something is discovered.”
Additionally, Wright said many times the government recycles old cybersecurity approaches, which have proven ineffective.
While the situation is not great and there may have been some data loss, Martin said it’s important to keep things in perspective. “When the history of this shameful episode is written, cybersecurity isn’t going to be a big part of the story.”