PERSPECTIVE: Democracy Watch
Cybersecurity and the Occupation of the Capitol

Published 7 January 2021

On 6 January, a large number of pro-Trump rioters occupied portions of the U.S. Capitol building to protest and disrupt the counting and certification of electoral votes from the November 2020 election. Herb Lin writes in Lawfare that the significance of this event for American democracy, the rule of law, and the depths of extremism in the U.S. populace will be addressed by others, “but I am compelled to point out this siege has created potentially serious cyber risks for Congress and other affected offices.”

He adds:

To any computer security professional, maintaining physical security over computers and other devices is a condition for maintaining cybersecurity. What happens when a threat actor has compromised this essential aspect of cybersecurity?

These concerns arose during a conversation with my long-time cyber colleague Eugene Spafford at Purdue University—what devices and computers did the mob physically access during their breach of the countless desks and offices in the Capitol? And how did they use that access? Have listening devices been planted in these offices? Have USB sticks been used to download data from House or Senate computers, or worse, to upload “back doors” that would enable subsequent unauthorized remote access?

To the best of my knowledge, only the Capitol was breached—personal and committee offices in the various House and Senate office buildings remain secure. But members often have offices in the Capitol as well. It is thus a matter of the highest operational priority for those who provide cybersecurity support for the House and Senate to ascertain the nature and extent, if any, of cybersecurity compromises resulting from the occupation. Every office with a computer and every telecommunications closet accessible from public corridors (whether or not behind a locked door) will have to be scanned and swept for malware and additional but unauthorized hardware (e.g., a USB device that is not supposed to be attached that might be used as a covert channel for exfiltrating information).

And it is not only a technical scan and sweep that are necessary—user passwords are often written on sticky Post-it notes; even worse, they are often reused on different computers. House and Senate staff should immediately change all passwords on all computers, ensuring of course that they use different passwords for different accounts.
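The hardware sweep Lin describes (checking each machine for USB devices that should not be attached) is in practice a comparison of a post-incident device inventory against a known-good baseline. The script below is an added illustration written for this page, not code from Lawfare or from Lin; it uses a constructed inventory line format (`VID:PID serial=<serial> <description>`) and constructed sample records, and the device ids and serials are made-up sample values. It flags two things a sweep team cares about: devices whose vendor/product id was not present before the incident (an added stick or adapter), and devices that match a baseline model but carry a different serial number (a look-alike swapped in for the original).

```python
"""Diff a post-incident USB inventory against a pre-incident baseline.

Added example, not part of the original article. The inventory format and
all sample records below are constructed for illustration; a real sweep would
collect per-host device lists with platform tooling and feed them in here.
"""
import re
from dataclasses import dataclass

# Constructed record format: "VID:PID serial=<serial> <free-text description>"
LINE_RE = re.compile(
    r"^(?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\s+serial=(?P<serial>\S+)\s+(?P<desc>.+)$"
)


@dataclass(frozen=True)
class UsbDevice:
    vid: str
    pid: str
    serial: str
    desc: str

    def label(self) -> str:
        return f"{self.vid}:{self.pid} serial={self.serial} {self.desc}"


def parse_inventory(text: str) -> list:
    """Parse inventory lines; blank lines and '#' comments are ignored."""
    devices = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised inventory line: {line!r}")
        devices.append(UsbDevice(m["vid"], m["pid"], m["serial"], m["desc"].strip()))
    return devices


def find_unexpected(baseline: list, current: list) -> tuple:
    """Return (new_devices, substituted_devices).

    new_devices: vendor/product pairs absent from the baseline entirely.
    substituted_devices: same vendor/product as a baseline device, but a
    serial the baseline never recorded (the original was replaced).
    """
    serials_by_model = {}
    for d in baseline:
        serials_by_model.setdefault((d.vid, d.pid), set()).add(d.serial)

    new_devices, substituted = [], []
    for d in current:
        known = serials_by_model.get((d.vid, d.pid))
        if known is None:
            new_devices.append(d)
        elif d.serial not in known:
            substituted.append(d)
    return new_devices, substituted


# Constructed sample data: pre-incident baseline for one workstation.
BASELINE = """
# workstation baseline (constructed sample)
046d:c31c serial=KB-0001 keyboard
046d:c077 serial=MS-0001 mouse
"""

# Constructed sample data: the same workstation after the incident.
AFTER_INCIDENT = """
046d:c31c serial=KB-0001 keyboard
046d:c077 serial=MS-0099 mouse
0781:5567 serial=ST-4C53 removable mass storage
"""


def sweep_report(baseline_text: str = BASELINE, current_text: str = AFTER_INCIDENT) -> dict:
    """Run the comparison and return labelled findings for the sweep log."""
    new_devices, substituted = find_unexpected(
        parse_inventory(baseline_text), parse_inventory(current_text)
    )
    return {
        "new": [d.label() for d in new_devices],
        "substituted": [d.label() for d in substituted],
    }


if __name__ == "__main__":
    report = sweep_report()
    for kind in ("new", "substituted"):
        for entry in report[kind]:
            print(f"[{kind.upper()}] {entry}")
```

Baselines only help if they were captured before the incident and stored somewhere the intruders could not reach; a hardware sweep also needs to cover devices that present themselves as keyboards or network adapters rather than storage, which is why the comparison keys on vendor/product id and serial rather than on device class.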