Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cyberwarfare / Nation-State Attacks

Rioters Open Capitol's Doors to Potential Cyberthreats

Security Experts: Federal Computer System in Capitol Building Is Endangered
Rioters Open Capitol's Doors to Potential Cyberthreats
Source: C-SPAN

The massive pro-Trump demonstrations that saw large crowds riot and then occupy the U.S. Capitol building in Washington on Wednesday pose a significant cybersecurity risk, some experts say.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

The insurrection left four people dead and led to Washington imposing a curfew and calling in the National Guard. Violent protesters gained access to the Senate chamber as well as at least one lawmaker's office, along with computer systems and other devices.

Rioting protesters' unfettered system access opens up a range of security issues, according to cybersecurity executives and analysts. These range from protesters potentially acting as a cover to launch a cyberattack to individuals having gained physical access to critical federal computer systems located in the Capitol building, among other risks.

"Any malicious actor can walk in there with the others with a thumb drive and access a computer. Every system in there will have to be checked," says Frank Downs, a former U.S. National Security Agency offensive threat analyst and now director of proactive services at the security firm BlueVoyant.

One image that captures this particular concern began circulating on social media Wednesday, showing a Trump supporter sitting on Speaker of the House Nancy Pelosi's desk, next to an unlocked office computer.

The violent protesters were able to gain access to the Capitol building following a pro-Trump rally that was held in Washington on Wednesday. President Donald Trump appeared at the rally, continued his demands that the election results be recounted and pushed for Vice President Michael Pence to reject key electoral votes, which Pence refused to do, according to The New York Times and other news media reports.

At the time the Capitol was occupied, both houses of Congress were in session and in the process of certifying the Electoral College votes that would eventually make Joe Biden officially president. The building was evacuated, with lawmakers and others locked away in offices until police regained control of the building later Wednesday night. After Congress resumed its session, it approved the states' count of Electoral College votes, formalizing Biden's victory.

Mike Hamilton, a former vice-chair of the Department of Homeland Security's State, Local, Tribal and Territorial Government Coordinating Council and now CISO with security firm CI Security, says that the protests and the ensuing distraction from the riots provided an open door for threat actors.

"This is a really great time for another country to exercise access they may have that may be dormant and waiting for an opportunity like this - for example, Senate and House communication systems. It's not like people aren't monitoring, but their gaze is definitely averted right now," Hamilton tells Information Security Media Group.

Brian Honan, president of Dublin-based cybersecurity consultancy BH Consulting, noted on Twitter that it will take several days for the Capitol Hill IT and security staff to not only check all PCs and devices, but also to ensure that no rogue devices, such as USB drives, were left behind.

"From a cybersecurity point of view, the adage that a device an unauthorized person has had physical access to should be considered to be compromised holds true in this scenario," Honan tells ISMG. "So the respective cybersecurity teams should now approach each device and their network as being compromised and conduct appropriate investigations to ensure the integrity of their systems."

In terms of physical security, Honan notes that lawmakers' staff will also have to examine any files or letters that have been tampered with during the riot. What remains unclear is the extent to which offices may have to be disinfected as well, over concerns that any rioters who were infected with COVID-19 may have left traces of the coronavirus inside the Capitol.

Long-Term Cybersecurity Concerns

Several cybersecurity experts noted that while it will take several days to recover and assess what happened on Wednesday, there are also long-term concerns to consider.

Jake Williams, president of cybersecurity consultancy Rendition Infosec and a former member of the National Security Agency's elite hacking team, believes that nation-state actors likely monitored what was happening Wednesday and would want to collect intelligence about what had transpired as well as take advantage of some of the chaos.

"Nation-state adversaries will take advantage of distractions in our attention and certainly foreign governments will be interested in collecting intelligence on what precisely is happening in D.C.," Williams tells ISMG. He notes, however, that most organizations are not at any increased cybersecurity risk.

Tom Kellermann, who served as a cybersecurity adviser to President Obama and is now head of cybersecurity strategy at VMware, is also concerned about what could transpire in the coming days, especially for anyone who might have access to cyber capabilities and was inside the Capitol building.

"I am concerned that cyberattacks from domestic groups will spike over the next 14 days. A handful of these fringe groups are cyber capable," Kellermann tells ISMG.

Disinformation Threat

Other security experts are worried that the riots and their aftermath might help spread disinformation, as well as open up victims to potential phishing and other attacks as threat actors look to take advantage of the confusion caused by the day's events.

"There is likely an elevated cybersecurity threat level, as some may try to take advantage of disruption," says Phil Reitinger, president and CEO of the Global Cyber Alliance and the former director of the National Cybersecurity Center within the Department of Homeland Security.

"However, I'm far more worried about cyber activity directed toward people, including greater efforts at disinformation, to exacerbate divisions and to phish people seeking rapid news and an explanation about what is happening," Reitinger tells ISMG. "My standard advice of 'be cautious' applies more than ever now."

Christopher Krebs, the former director of the U.S. Cybersecurity and Infrastructure Security Agency who was fired by Trump just after the November 2020 election, took to Twitter on Wednesday and said that much of the disinformation surrounding the vote directly led to Wednesday's violent protests.

Late Wednesday, both Twitter and Facebook suspended Trump's accounts after the president condoned the violent events of the day and spread additional misinformation about what had happened during the November election. While Facebook suspended his account for 24 hours, Twitter suspended the president's account for 12 hours and threatened to block it permanently if there were further violations of the platform's rules.

In a Thursday blog post, Facebook CEO Mark Zuckerberg says: “We believe the risks of allowing the President to continue to use our service during this period are simply too great. Therefore, we are extending the block we have placed on his Facebook and Instagram accounts indefinitely and for at least the next two weeks until the peaceful transition of power is complete.”

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.