Cybersecurity and the Occupation of the Capitol

Herb Lin
Thursday, January 7, 2021, 1:02 PM

This siege has created potentially serious cyber risks for Congress and other affected offices.

Rioters hold a stolen sign outside of the Capitol Building, Washington, D.C., Jan. 6, 2021 (Blink O'fanaye/ BY-NC 2.0/

Published by The Lawfare Institute

On Jan. 6, a large number of pro-Trump rioters occupied portions of the U.S. Capitol building to protest and disrupt the counting and certification of electoral votes from the November 2020 election. The significance of this event for American democracy, the rule of law, and the depths of extremism in the U.S. populace will be addressed by others, but I am compelled to point out that this siege has created potentially serious cyber risks for Congress and other affected offices.

To any computer security professional, maintaining physical security over computers and other devices is a condition for maintaining cybersecurity. What happens when a threat actor has compromised this essential aspect of cybersecurity?

These concerns arose during a conversation with my long-time cyber colleague Eugene Spafford at Purdue University: what devices and computers did the mob physically access during their breach of the countless desks and offices in the Capitol? And how did they use that access? Have listening devices been planted in these offices? Have USB sticks been used to download data from House or Senate computers or, worse, to upload “back doors” that would enable subsequent unauthorized remote access?

To the best of my knowledge, only the Capitol was breached; personal and committee offices in the various House and Senate office buildings remain secure. But members often have offices in the Capitol as well. It is thus a matter of the highest operational priority for those who provide cybersecurity support for the House and Senate to ascertain the nature and extent, if any, of cybersecurity compromises resulting from the occupation. Every office with a computer and every telecommunications closet accessible from public corridors (whether or not behind a locked door) will have to be scanned and swept for malware and for additional, unauthorized hardware (e.g., a USB device that is not supposed to be attached and that might serve as a keystroke logger or as a covert channel for exfiltrating information).

And it is not only a technical scan and sweep that are necessary: user passwords are often written on sticky Post-it notes and, even worse, are often reused on different computers. House and Senate staff should immediately change all passwords on all computers, ensuring of course that they use different passwords for different accounts. They should also log out any sessions that were left open on unattended machines, since a still-active session needs no password at all.

As for what the mob may already have done with those passwords, House and Senate staff should check whether any of the file modification dates and times listed in various directories fall within the period when their offices may have been occupied. If so, the associated file was probably modified during the occupation. (Alas, it will be much harder, if not impossible, to tell whether a file was merely opened or copied: most systems do not reliably record last-access times, and a modification time can itself be reset by anyone who could write the file, so an innocent-looking timestamp is not proof that the file was left alone.)

These are just some of the very basic things that need to be done, and any serious cybersecurity person with operational responsibilities will have more suggestions for things to do. But the bottom line is that, from a cybersecurity perspective, who’s to say that someone from the hacking arm of Russia's foreign intelligence service (APT29 or Cozy Bear, allegedly behind the SolarWinds hack) wasn’t also among the occupiers? This potential breach of cybersecurity warrants prompt and intensive attention now to determine what, if anything, was improperly accessed and what has been left behind that could compromise Congressional operations.
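The timestamp check described above, as an added example that is not part of the original article or of any House or Senate procedure: a Python script that walks a directory tree and flags files whose modification time (mtime) or inode-change time (ctime) falls inside a hypothetical occupation window. The file names and sample contents are constructed for the demonstration; the second sample file has its mtime deliberately backdated to show why an mtime-only check is a weak signal.

```python
"""Timestamp triage for an office that was physically occupied.

Added example for this article, not code from the author or from
House or Senate IT staff.  It walks a directory tree and flags files
whose modification time (mtime) or inode-change time (ctime) falls
inside the window when the office may have been occupied.
"""
import os
import shutil
import tempfile
import time
from datetime import datetime
from pathlib import Path


def window_from_iso(start_iso, end_iso):
    """Convert two ISO-8601 timestamps with UTC offsets to epoch seconds."""
    return (datetime.fromisoformat(start_iso).timestamp(),
            datetime.fromisoformat(end_iso).timestamp())


def files_changed_in_window(root, start, end):
    """Return sorted [(relative_path, reasons)] for files under `root`
    whose mtime or ctime lies in [start, end] (epoch seconds).

    Why both: mtime is set by the writer and can be backdated by anyone
    with write access (os.utime, `touch -d`), so an innocent-looking
    mtime proves nothing.  On Linux and macOS ctime records the last
    change to the inode or its metadata and cannot be set from user
    space, so a file with an old mtime but a ctime inside the window
    has had its timestamps tampered with.  On Windows st_ctime is the
    creation time instead, so the ctime check there only catches files
    created during the window.  Neither timestamp reveals whether a
    file was merely opened or copied; last-access times are disabled or
    coarse on most modern systems.
    """
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        reasons = []
        if start <= st.st_mtime <= end:
            reasons.append("mtime")
        if start <= st.st_ctime <= end:
            reasons.append("ctime")
        if reasons:
            hits.append((path.relative_to(root).as_posix(), reasons))
    return sorted(hits)


def demo():
    """Run the check on a constructed sample tree (hypothetical file
    names).  Because every file here is created seconds before the
    check, the window is 'the last hour'; on a real workstation the
    window would be the occupation period and most files would not
    be flagged at all."""
    now = time.time()
    start, end = now - 3600, now + 60
    tmp = Path(tempfile.mkdtemp())
    try:
        edited = tmp / "schedule.docx"     # edited during the window
        backdated = tmp / "contacts.xlsx"  # edited, then mtime forged
        for f in (edited, backdated):
            f.write_bytes(b"constructed sample content")
        week_ago = now - 7 * 86400
        # Backdating hides the file from an mtime-only check, but its
        # ctime (POSIX) or creation time (Windows) still sits in the window.
        os.utime(backdated, (week_ago, week_ago))
        return files_changed_in_window(tmp, start, end)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for path, reasons in demo():
        print(f"{path}: {', '.join(reasons)}")
    # For a real sweep, supply the (hypothetical) occupation window and a
    # staff home directory, e.g.:
    # start, end = window_from_iso("2021-01-06T14:00:00-05:00",
    #                              "2021-01-06T18:00:00-05:00")
    # files_changed_in_window(r"C:\Users\staff", start, end)
```

Run it once per workstation from known-good media and keep the output: a file whose mtime predates the window but whose ctime falls inside it is the more interesting finding, because the only way to produce that pattern on Linux or macOS is to rewrite the timestamp after the fact.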

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.
