US Capitol Rioters Pose Cybersecurity Threat Due to Device Access, Theft

Cybersecurity experts say U.S. Capitol rioters pose a threat to national security because they accessed and stole government officials’ devices.

And it’s not yet known what all the rioters got their hands on or saw.

Kevin Coleman is executive director of the National Cyber Security Alliance. He said Capitol rioters stole U.S. Sen. Jeff Merkley’s laptop. And any rioters ransacking House Speaker Nancy Pelosi’s office could have seen or accessed sensitive information.

The silver lining is that lawmakers’ classified information typically is stored on sensitive compartmented information facilities (SFICs), he said.

NCSA’s Kevin Coleman

“But the dangers and threat vectors that surface from unprotected physical devices are still very prevalent,” Coleman said. “We’ve seen screenshots of Pelosi’s email inbox already posted to Twitter, which means that perpetrators could have accessed email lists and records that can potentially be used to conduct phishing attacks.”

Don’t Underestimate the Rioters

Understating the capabilities of individuals among the Capitol rioters would be a mistake as well, Coleman said.

“It’s impossible to know at this point if any were aligned with opposing nation-state interests or if any devices that weren’t stolen might have been targets for malware installations,” he said. “Conversely, a stolen device no longer belongs to its original owner.”

Due to a lapse in device security, thieves shouldn’t have any difficulty combing through the entirety of an endpoint’s hard drive, Coleman said.

This potential security breach could compound government vulnerabilities beyond the SolarWinds hack, he said.

“While reports have asserted that any accessible data that could potentially have been stolen was unclassified and relatively low level in terms of sensitivity, this event will certainly be another wakeup call for government security teams,” Coleman said. “SolarWinds was a proof point that third-party supply chain attacks — although not incredibly sophisticated — can be devastating. It called into question how government IT teams were vetting third-party partners, how they were collecting and storing sensitive data.”

And the targeted federal organizations will have to overhaul their entire security playbooks moving forward, he said.

The Capitol riot data thefts likely won’t be anywhere near as disastrous as SolarWinds, Coleman said. But they add to the mix of security issues the government will have to sort out.

“While SolarWinds was a backend system vulnerability, yesterday’s incident proves that a lack of sufficient endpoint security can be a problem, and that continued awareness and education for staffers about not leaving key information on an idle device will be equally important moving forward,” he said.

Better Protection Could Have Been in Place

Better device security could have been in place to minimize the risk, Coleman said.

“It’s impossible to have a foolproof plan,” he said. “But it is possible to minimize risks with a layered approach that consists of better device security software, better data monitoring and storage policies, and continued education for staffers about the dangers of unprotected data.”

Jerry Ray is SecureAge‘s COO. He said Wednesday’s Capitol rioters brought an “empirical and tangible threat” to systems and data throughout the Capitol.

SecureAge’s Jerry Ray

“Whether an unsuspecting and gleeful Trump supporter lost in the moment and running in for the selfies, or a trained agent of a foreign government sporting a MAGA hat and face gaiter armed with USB flash drives, malicious dongles or peripherals to attach to systems, the mere presence of unauthorized people in the offices of legislators renders every system and every file compromised and dirty,” he said.

Any digital device within those Capitol office spaces and exposed to intruders now poses a threat, Ray said.

“Even a quick grab of a sticky note with a handwritten password on it opens up entire networks of information with national security implications to compromise,” he said.

Less Obvious Threats

Personal information left behind during the evacuation poses less obvious threats, Ray said.

“Using that information for identity theft is just as likely as it is for sophisticated phishing attacks or unsophisticated blackmail attempts for monetary or espionage purposes,” he said.

All account names, passwords, keys, directory path and file names need to be changed, Ray said.

The long-term strategy includes a lengthy and comprehensive sweep of all devices, Coleman said. In the short term, Capitol IT teams will have to prioritize any glaring vulnerabilities before combing through other devices.

“Additionally, we’re not truly privy to how exhaustive the IT team’s network monitoring and policy management protocols are,” he said. “Is there a detailed record of every login attempt? Can they cross-reference timestamps of any attempts to determine unauthorized access? And do compromised devices have encryption automatically enabled? These are all very important questions that government security teams and officials will need to reassess.”