Cybersecurity and the Capitol Riot
Numerous congressional IT assets were compromised during the January 6 riot at the US Capitol. At least two members, including Nancy Pelosi, have publicly acknowledged stolen laptops. There have also been reports of missing smartphones, tablets, and flash drives containing government information. Malware may be present on any devices that remain in the Capitol but weren’t locked.
None of this is the fault of Congress or Capitol staff. When faced with a physical threat, the correct response is to seek immediate safety. Securing IT assets is not a priority under these circumstances.
Nonetheless there are lessons all IT security professionals (not just those at the Capitol) can learn from this incident:
1. Over-reliance on physical security. We tend to assume a level of physical security in our cyber defenses. For example, we assume production servers sit in locked cages inside data centers with strong physical access controls (guards, badges, cameras, etc.). We don’t assume as much physical security with portable devices like laptops, but we do tend to expect a stolen laptop will be locked or even powered down, which enables us to rely on defenses like full disk encryption to protect sensitive data. Capitol riot photos show some devices were unlocked and logged on. This is perfectly understandable in a physical threat scenario like a riot, but we can automate device locking by the use of tools like proximity badges and face recognition. At minimum, computers can be configured to auto-lock after a short idle timeout (10 or 15 minutes).
2. Too much insider trust. Reports from European agencies say insiders may have been involved in the Capitol breach, ranging from senior security officials choosing not to order a secure cordon to policemen helping rioters through barriers. A future investigation will tell us if this was an organized conspiracy or a cascade of judgment errors, but it’s a good reminder that we confer a lot of trust on insiders with authorized access to IT systems. For example, we assume data center staff won’t insert flash drives in servers to download data. (Some companies do use DLP tools to detect this, or even plug USB slots with epoxy.) Although challenging to detect or defend, we need to take insider threats more seriously.
3. Failure of imagination. By their own admission, Capitol Police never planned for a violent mob storming the doors. Security professionals tend to focus on yesterday’s threat. For example, after the infamous “shoe bomber”, TSA told us to start taking off our shoes. Our blind spot tends to be tomorrow’s new threat. It requires imagination to predict seemingly improbable “black swan” events. One has adopt the attacker’s mindset (“put on the black hat”) and look for a vulnerability no one has exploited before. Let’s encourage security planners to think outside the box of known threats. Every red team should include at least one imaginative, unorthodox attacker.
Capitol IT staff face a daunting task in the riot’s aftermath. Missing devices must be remotely wiped if possible. Data and credentials they held must be presumed lost. The rest of the network must be swept for malware and indicators of compromise. Passwords must be changed, privileged accounts reprovisioned, devices reimaged, etc.
They deserve our sympathy. But we can learn from what happened here and use it to harden our own networks against physical breaches, insider attacks, and as-yet unimagined black swan events.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.