Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cyberwarfare / Nation-State Attacks
Rioters Open Capitol's Doors to Potential CyberthreatsSecurity Experts: Federal Computer System in Capitol Building Is Endangered
The massive pro-Trump demonstrations that saw large crowds riot and then occupy the U.S. Capitol building in Washington on Wednesday pose a significant cybersecurity risk, some experts say.
The insurrection left four people dead and led to Washington imposing a curfew and calling in the National Guard. Violent protesters gained access to the Senate chamber as well as at least one lawmaker's office, along with computer systems and other devices.
Rioting protesters' unfettered system access opens up a range of security issues, according to cybersecurity executives and analysts. These range from protesters potentially acting as a cover to launch a cyberattack to individuals having gained physical access to critical federal computer systems located in the Capitol building, among other risks.
"Any malicious actor can walk in there with the others with a thumb drive and access a computer. Every system in there will have to be checked," says Frank Downs, a former U.S. National Security Agency offensive threat analyst and now director of proactive services at the security firm BlueVoyant.
One image that captures this particular concern began circulating on social media Wednesday, showing a Trump supporter sitting on Speaker of the House Nancy Pelosi's desk, next to an unlocked office computer.
A supporter of President Trump sits inside Speaker Pelosi's office. pic.twitter.com/xyhj0Lziro— NBC News (@NBCNews) January 6, 2021
The violent protesters were able to gain access to the Capitol building following a pro-Trump rally that was held in Washington on Wednesday. President Donald Trump appeared at the rally, continued his demands that the election results be recounted and pushed for Vice President Michael Pence to reject key electoral votes, which Pence refused to do, according to The New York Times and other news media reports.
At the time the Capitol was occupied, both houses of Congress were in session and in the process of certifying the Electoral College votes that would eventually make Joe Biden officially president. The building was evacuated, with lawmakers and others locked away in offices until police regained control of the building later Wednesday night. After Congress resumed its session, it approved the states' count of Electoral College votes, formalizing Biden's victory.
"Violence has absolutely no place in our democracy. I applaud the men and women of law enforcement and the National Guard, who are working to restore order and protect our institutions. Our country is better than what we saw today at our Capitol."- NSA Robert C. O'Brien— NSC (@WHNSC) January 6, 2021
Mike Hamilton, a former vice-chair of the Department of Homeland Security's State, Local, Tribal and Territorial Government Coordinating Council and now CISO with security firm CI Security, says that the protests and the ensuing distraction from the riots provided an open door for threat actors.
"This is a really great time for another country to exercise access they may have that may be dormant and waiting for an opportunity like this - for example, Senate and House communication systems. It's not like people aren't monitoring, but their gaze is definitely averted right now," Hamilton tells Information Security Media Group.
Brian Honan, president of Dublin-based cybersecurity consultancy BH Consulting, noted on Twitter that it will take several days for the Capitol Hill IT and security staff to not only check all PCs and devices, but also to ensure that no rogue devices, such as USB drives, were left behind.
There will be a lot of work over the coming days in ensuring every electronic device in the Capitol buildings has been wiped and cleared as they cannot now be trusted. Also, need to ensure no rogue devices have been left behind— BrianHonan #BLM He/Him (@BrianHonan) January 6, 2021
"From a cybersecurity point of view, the adage that a device an unauthorized person has had physical access to should be considered to be compromised holds true in this scenario," Honan tells ISMG. "So the respective cybersecurity teams should now approach each device and their network as being compromised and conduct appropriate investigations to ensure the integrity of their systems."
In terms of physical security, Honan notes that lawmakers' staff will also have to examine any files or letters that have been tampered with during the riot. What remains unclear is the extent to which offices may have to be disinfected as well, over concerns that any rioters who were infected with COVID-19 may have left traces of the coronavirus inside the Capitol.
Long-Term Cybersecurity Concerns
Several cybersecurity experts noted that while it will take several days to recover and assess what happened on Wednesday, there are also long-term concerns to consider.
Jake Williams, president of cybersecurity consultancy Rendition Infosec and a former member of the National Security Agency's elite hacking team, believes that nation-state actors likely monitored what was happening Wednesday and would want to collect intelligence about what had transpired as well as take advantage of some of the chaos.
"Nation-state adversaries will take advantage of distractions in our attention and certainly foreign governments will be interested in collecting intelligence on what precisely is happening in D.C.," Williams tells ISMG. He notes, however, that most organizations are not at any increased cybersecurity risk.
Tom Kellermann, who served as a cybersecurity adviser to President Obama and is now head of cybersecurity strategy at VMware, is also concerned about what could transpire in the coming days, especially for anyone who might have access to cyber capabilities and was inside the Capitol building.
"I am concerned that cyberattacks from domestic groups will spike over the next 14 days. A handful of these fringe groups are cyber capable," Kellermann tells ISMG.
Other security experts are worried that the riots and their aftermath might help spread disinformation, as well as open up victims to potential phishing and other attacks as threat actors look to take advantage of the confusion caused by the day's events.
"There is likely an elevated cybersecurity threat level, as some may try to take advantage of disruption," says Phil Reitinger, president and CEO of the Global Cyber Alliance and the former director of the National Cybersecurity Center within the Department of Homeland Security.
"However, I'm far more worried about cyber activity directed toward people, including greater efforts at disinformation, to exacerbate divisions and to phish people seeking rapid news and an explanation about what is happening," Reitinger tells ISMG. "My standard advice of 'be cautious' applies more than ever now."
Christopher Krebs, the former director of the U.S. Cybersecurity and Infrastructure Security Agency who was fired by Trump just after the November 2020 election, took to Twitter on Wednesday and said that much of the disinformation surrounding the vote directly led to Wednesday's violent protests.
We called out #disinfo repeatedly before & after the election. Yet the President & his campaign/lawyers/supporters fanned the flames for their own selfish reasons culminating with today's objections followed by his video message. WHAT DID THEY THINK WOULD HAPPEN? They own this.— Chris Krebs (@C_C_Krebs) January 6, 2021
Late Wednesday, both Twitter and Facebook suspended Trump's accounts after the president condoned the violent events of the day and spread additional misinformation about what had happened during the November election. While Facebook suspended his account for 24 hours, Twitter suspended the president's account for 12 hours and threatened to block it permanently if there were further violations of the platform's rules.
As a result of the unprecedented and ongoing violent situation in Washington, D.C., we have required the removal of three @realDonaldTrump Tweets that were posted earlier today for repeated and severe violations of our Civic Integrity policy. https://t.co/k6OkjNG3bM— Twitter Safety (@TwitterSafety) January 7, 2021
In a Thursday blog post, Facebook CEO Mark Zuckerberg says: “We believe the risks of allowing the President to continue to use our service during this period are simply too great. Therefore, we are extending the block we have placed on his Facebook and Instagram accounts indefinitely and for at least the next two weeks until the peaceful transition of power is complete.”