It's unlikely these people installed malware on computers, experts say, but the event proves legislators need better cybersecurity training.
To keep sensitive information safe, computers should have some sort of "pull-the-plug" protocol in place to make the data inaccessible.
On Wednesday afternoon, when a mob of people supporting President Donald Trump breached the U.S. Capitol Building in Washington, D.C.—home to both bodies of Congress, the Senate and the House of Representatives—legislators quickly abandoned potentially confidential paperwork on their desks. Some even left their computer screens aglow.
That much is made evident in the images that have circulated since—including a now-deleted Twitter photo that showed a computer in Speaker of the House Nancy Pelosi's office with email still pulled up on the screen. Those mistakes, while innocent, could have dire cybersecurity consequences, experts warn. The event should be a wake-up call for all companies to put emergency protocols into place.
"When I was in the military, we always had emergency evacuation procedures ... it's not just in case there's falling rounds coming into the camp," Gregory Touhill, former Federal Chief Information Security Officer of the United States, tells Popular Mechanics.
"One of the first things you do is lock your keyboard and get your butt out of there. If you don’t have time to unlock your keyboard, you unplug it," Touhill says.
Although that image from Pelosi's office appears to depict a staffer's desk and computer monitor—not her own—it still proves they "clearly lost control of the integrity of the computer systems," Touhill says. Shutting down your computer when you leave is basic cybersecurity hygiene, just like brushing your teeth, he says.
Every. Single. Piece. Of. Hardware. In. Congress. NEEDS. to. be. replaced.
Nothing can be trusted.
— Gillis Jones (@Gillis57) January 6, 2021
The ransacked office of the Senate Parliamentarian: pic.twitter.com/E7PsSgoAEX
— Ali Zaslav (@alizaslav) January 7, 2021
Software does exist that allows security operations managers to remotely shut down computers within a network, Touhill says, but it's unclear if the Capitol uses that kind of technology. Emco Software offers an aptly named product called Remote Shutdown that can shut down all PCs on a network from a central location, manually or on a schedule. Similar products are available from other software vendors.
Still, you're your own most effective tool, Touhill says. "The security operations center is not in the Capitol Building, and [the operations managers] may not be watching CNN and be aware of the breach itself," he explains. "The time lag between the breach and turning off the computers is likely unacceptable, so you need a layered defense."
Even if Congress had avoided this snafu, Sergeant at Arms Paul D. Irving—who is responsible for law enforcement and security protocol on the House side of the Capitol—and the Senate's Sergeant at Arms, Michael C. Stenger, would still have their work cut out for them. They will need to send forensics teams into each office to take a look at the inventory "to see if anyone took the five-finger discount," Touhill explains.
It's already clear that some hardware has gone missing. In a video posted to Twitter on January 6, U.S. Senator Jeff Merkley (D-OR) said rioters made off with a laptop from his office.
The trail of destruction and looting. What happened today was an assault by the domestic terrorists who stormed the Capitol, but it was also an assault on our constitution.
[sound on] pic.twitter.com/BrELF7cMz1
— Senator Jeff Merkley (@SenJeffMerkley) January 7, 2021
We don't know if Merkley's laptop was encrypted. With full-disk encryption, everything written to the drive is stored as ciphertext, so anyone who pulls the drive or boots the machine without the decryption key gets nothing usable; the key, normally released only after the owner authenticates at login, is what restores the original contents. That protection applies to a machine that is powered off or locked; a laptop carried off while still logged in is readable regardless of encryption. The Senate Committee on Rules and Administration did decide in 2018 to require encryption on all new Senate laptops and computers, but if this particular laptop was purchased before then, it's entirely possible it wasn't secured that way.
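How a forensics team might answer the "was it encrypted?" question for a drive or disk image recovered after the fact, as an added example written for this page (it is not code from the article, from Touhill, or from any Senate IT tool). It checks two public on-disk signatures, the LUKS header magic and the "-FVE-FS-" OEM name that a BitLocker-encrypted NTFS volume carries at byte offset 3 of its boot sector, and otherwise falls back on a byte-entropy heuristic; the 7.5 bits-per-byte cut-off and all sample volumes are constructed for the example.

```python
import math
import random

# Public format constants: a LUKS header starts with this magic at offset 0,
# and a BitLocker-encrypted NTFS volume has this OEM name at offset 3 of its
# volume boot record.
LUKS_MAGIC = b"LUKS\xba\xbe"
BITLOCKER_OEM = b"-FVE-FS-"

# Assumed heuristic: ciphertext (and compressed data) sits close to 8 bits of
# entropy per byte; documents, e-mail and code sit well below this line.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_volume(header: bytes, sample: bytes) -> str:
    """Return 'luks', 'bitlocker', 'likely-encrypted' or 'plaintext'.

    header: the first 512 bytes of the volume.
    sample: a chunk read from well inside the volume, so that a recognisable
            boot sector alone cannot fool the entropy test.
    """
    if header.startswith(LUKS_MAGIC):
        return "luks"
    if header[3:11] == BITLOCKER_OEM:
        return "bitlocker"
    if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"  # no known header, but it reads as ciphertext
    return "plaintext"


def build_samples() -> dict:
    """Constructed test volumes for the example; none is a real disk image."""
    rng = random.Random(2021)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    text = (b"Subject: Committee hearing schedule\r\n" * 120)[:4096]
    pad = lambda prefix: prefix + b"\x00" * (512 - len(prefix))
    return {
        "luks_volume": (pad(LUKS_MAGIC), noise),
        "bitlocker_volume": (pad(b"\xeb\x58\x90" + BITLOCKER_OEM), noise),
        "unknown_fde": (pad(b""), noise),          # e.g. a container with no header
        "plain_ntfs": (pad(b"\xeb\x52\x90NTFS    "), text),
    }


def triage(samples=None) -> dict:
    """Classify every (header, sample) pair; defaults to the constructed set."""
    samples = samples if samples is not None else build_samples()
    return {name: classify_volume(h, s) for name, (h, s) in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: {verdict}")
```

On a real drive the two inputs would come from reading the volume's first sector and a block some distance into it, and a "plaintext" verdict on a mid-volume block is the stronger evidence, since a stock boot sector says nothing about what follows it. None of this helps with the scenario in the photos above: a machine that was left running and logged in has already released its key, and whoever sits down at the keyboard reads the disk in the clear.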
There's even less obvious hardware that investigators will have to closely examine. "A lot of folks don't think to purge memory, and a lot of printers have volatile memory [like RAM on a computer, which gets deleted upon shutoff] as well as memory that sticks with you for a while," Touhill says. "You have to start with the assumption that you’ve been breached and work your way backward."
Fortunately, there's a good chance that USB drives are already blocked on Congressional computers, which would make installing malware, spyware, or ransomware from a thumb drive far harder than it sounds. The reason goes back to what has been called "the most significant breach of U.S. military computers ever."
In 2008, the Department of Defense fell victim to a cyberattack that compromised its classified military computer networks, and it all began when an employee based in the Middle East inserted an infected USB drive into their computer.
"[A foreign intelligence operative] sprinkled out a bunch of thumb drives outside of U.S. military installations in Afghanistan, in the parking lot," Touhill explains. "They basically said, 'Hey, you can buy a thumb drive here for 50 cents, best friend price,' and it turned out that they were really sniffing devices that basically pointed in at your backdoor ... they just cracked open the network."
The military unilaterally halted the use of USB drives, and it's possible the House and Senate followed suit, Touhill says. Vinny Troia, a former Defense Department cybersecurity contractor and founder of NightLion Security, told Fortune that all government offices did, in fact, disable USB drives following the Edward Snowden leaks.
The more realistic path to a cyber nightmare runs through the less high-tech techniques the mob could have used, Touhill says; it's not all about getting onto a network.
Specifically, investigators will need to sweep all offices for listening devices and other surveillance tools, he says. Law enforcement and security personnel can use radio frequency (RF) detectors to pick up the signals that such devices rely on to transmit what they capture.
"So, you can have this antenna tuned and identify anything operating in the bandwidth of cellular phones," says Touhill. "And then you can hook up another antenna that finds things in the WiFi bandwidth. You tune your antennas to look for things at different slices in the spectrum.”
Perhaps most importantly, though, the debacle creates ripe new opportunities for foreign adversaries to use social engineering against lawmakers. In theory, a bad actor could pose as one of the mob, storm the Capitol Building, and find a sticky note with Pelosi's computer password on it. Touhill doesn't discount the possibility that something like this could have already transpired.
All it would take is a few minutes online to find the plans to storm the Capitol. From there, a foreign intelligence operative could pose as a Trump supporter and break into the building to gather intel.
"There are foreign intelligence services that are extremely adept at manipulating what we in the military call PSYOPs [psychological operations] and certainly I would say that I could not rule out highly skilled actors having a play in amplifying things yesterday and even well beyond," Touhill says.
While it's not exactly likely that this mob took any of the aforementioned steps, it goes to show that hackers may find it easier than expected to glean intelligence from legislators' offices in the Capitol.
"There's a lot of unintended consequences when you have a breach where sensitive information is processed," Touhill says. "This is going to cost an awful lot of time and treasure and manpower to recalibrate and reset the integrity of the information technology ... and the burden goes onto the American taxpayer for that."