The Cyber Risk Management Challenges After Capitol RiotRisks Include Compromised PCs, Stolen Data, Malware Intrusions
After the occupation of the U.S. Capitol by pro-Trump rioters Wednesday, an emergency response plan to ensure federal computers were locked down apparently was not activated, some experts say. As a result, federal security teams are likely scrambling to detect and repair any damage done.
News reports about stolen computers as well as protesters occupying offices in which computers were left on are raising serious security concerns.
"I was very disappointed to see that the computers in [Speaker of the House] Nancy Pelosi's office were left on and were unlocked,” says retired Air Force Brigadier Gen. Gregory Touhill, former U.S. CISO and now CEO of Appgate Federal. “That is an incredibly poor security practice. You would have thought that they would have unplugged them as they evacuated the offices."
Tom Pendergast, chief learning officer at the cybersecurity and privacy education firm MediaPro, adds: "We should be very worried. While the apparent amateurism of the visible protestors might lead us to conclude they are unsophisticated, we know that our enemies are willing to use any opportunity to launch cyberattacks and should investigate this incident as thoroughly as we go after the SolarWinds breach."
Videos and photographs of the rioters illustrate the potential cybersecurity problems that could arise from the building's occupation, says Brian Honan, president of Dublin-based cybersecurity consultancy BH Consulting. For example, PCs left unattended and logged in, as shown in photos, could allow for malware to be installed or data to be removed.
"From a cybersecurity point of view, the adage that a device an unauthorized person has had physical access to should be considered to be compromised holds true in this scenario,” Honan says. “So the respective cybersecurity teams should now approach each device and their network as being compromised and conduct appropriate investigations to ensure the integrity of their systems."
Images of trashed offices, rioters carrying off objects and a protestor sitting in Vice President Mike Pence's Senate chair demonstrate that the insurrectionists spent a considerable amount of time in the Capitol. So those in charge of the cyber investigation had a lot of urgent “triage and damage assessment" to conduct Thursday, Touhill says.
"After returning to some sort of normalcy, physical walk-throughs of all network devices should have occurred,” says Joseph Neumann, a former network operations and cyber effects officer with the Army National Guard who’s now director of offensive security at the consultancy Coalfire. “Left behind compromised devices and thumb drives are a distinct possibility. Along with the protesters, there’s a possibility of nation-state actors or agents being mixed in.”
That’s why it’s so important to not only log what’s missing but also determine what was left behind, says Dirk Schrader, vice president at cybersecurity and compliance software maker New Net Technologies. Leave-behinds could include installers or malicious files on computers or malicious USB drives left in drawers, he notes.
"The work to be done is to check logs and to assess file access and registries on machines, on servers - especially on email servers - to see if confidential information was sent outside from a legitimate account during this raid," Schrader says.
"Consideration should also be given that electronic listening devices could have been left behind by some of those who entered the building," Honan adds.
Breakdown of Plan Execution?
Some cybersecurity professionals say that although Capitol officials likely conducted training and had a response plan for crisis situations, the panic that ensued as the rioters ran through the halls of the Capitol may have caused the plan to breakdown.
"Clearly, in the chaos of the situation, that planning was not executed as desired, and the retrospectives on this event will need to address this failing," Pendergast says.
"I can only imagine the difficulty of training congressional representatives and their ever-shifting staff on cybersecurity controls, given that their focus is clearly on other matters," he adds.
Others stress that Capitol security staffers had to focus first on protecting lives in the chaos, rather than protecting computers and data.
"In circumstances where the physical safety of employees is more important than cybersecurity, it is vital to have automated features enabled," Schrader says.
Automation Is Vital
Because it’s unrealistic to depend on those fleeing a dangerous situation to remember to take the time to turn off or lock their computer, automated systems need to be in place to render devices inaccessible, Neumann says.
"Process, policies, procedures and technology should be used to auto-lockdown the systems," Neumann says. The security operations center should push notifications of a breach, setting off a remote command to restart all systems, he adds. "This along with full disk encryption should be enough to secure the endpoints to a degree."
But Schrader says simply setting a device to shut down automatically after a few minutes of not being in use can play a critical role in protecting data.
Managing Editor Scott Ferguson contributed to this report.