Cybersecurity and the Occupation of the Capitol

On Jan. 6, a large number of pro-Trump rioters occupied portions of the U.S. Capitol building to protest and disrupt the counting and certification of electoral votes from the November 2020 election.  The significance of this event for American democracy, the rule of law, and the depths of extremism in the U.S. populace will be addressed by others  but I am compelled to point out this siege has created potentially serious cyber risks for Congress and other affected offices.

To any computer security professional, maintaining physical security over computers and other devices is a condition for maintaining cybersecurity.  What happens when a threat actor has compromised this essential aspect of cybersecurity?

These concerns arose during a conversation with my long-time cyber colleague Eugene Spafford at Purdue University —what devices and computers did the mob physically access during their breach of the countless desks and offices in the Capitol? And how did they use that access?  Have listening devices been planted in these offices?  Have USB sticks been used to download data from House or Senate computers, or worse, to upload “back doors” that would enable subsequent unauthorized remote access?  

To the best of my knowledge, only the Capitol was breached—personal and committee offices in the various House and Senate office buildings remain secure.  But members often have offices in the Capitol as well.  It is thus a matter of the highest operational priority for those who provide cybersecurity support for the House and Senate to ascertain the nature and extent, if any, of cybersecurity compromises resulting from the occupation.  Every office with a computer and every telecommunications closet accessible from public corridors (whether or not behind a locked door) will have to be scanned and swept for malware and additional but unauthorized hardware (e.g., a USB device that is not supposed to be attached that might be used as a covert channel for exfiltrating information). 

And it is not only a technical scan and sweep that are necessary— user passwords are often written on sticky Post-it notes; even worse, they are often reused on different computers.  House and Senate staff should *immediately* change all passwords on all computers, ensuring of course that they use different passwords for different accounts.

As for passwords that may have been used by the mob already, House and Senate staff should check to see if any of the file dates and times listed in various directories correspond to times when their offices may have been occupied.  If so, the associated file was probably modified.  (Alas, it will be much harder if not impossible to tell if the file has been accessed or copied.)
These are just some of the very basic things that need to be done, and any serious cybersecurity person with operational responsibilities will have more suggestions for things to do.  But the bottom line is that from a cybersecurity perspective, who’s to say that someone from the hacking arm of Russia’s foreign intelligence service (APT29 or Cozy Bear, allegedly behind the SolarWinds hack) wasn’t also among the occupiers?  This potential breach of cybersecurity warrants prompt and intensive attention now to determine what, if anything, was improperly accessed and what has been left behind that could compromise Congressional operations.