Among the unanswered questions to follow last week’s assault on the U.S. Capitol Building is whether any sensitive information was compromised. Widely circulated photos show rioters posed not only in the House Chambers, but also sitting at a desk within House Speaker Nancy Pelosi’s office.
Other government offices were breached during Wednesday’s riot within the Capitol Building, and it remains unclear if anyone attempted to gain access to any lawmakers’ or staffers’ computers or other connected devices, including the government’s classified SIPRNet, which provides access to secure computers and servers used by the Department of Defense (DoD), Department of State and other government bodies. SIPRNet is used to transmit classified information to those in government. Following the breach Thursday the network was shut down for a security update.
The cybersecurity fallout may be significant, but it may not have been just what was on the actual computers that should be a concern.
“The IT implications are staggering,” explained Jim Purtilo, associate professor of computer science at the University of Maryland. “Imagine what mischief someone might cause simply by snagging the ‘Post-it notes’ with passwords on them from desk pull outs or sides of screens!”
According to reports, a SOFREP (Special Operations Forces Report) source inside the DoD said several classified Secret devices – which have access to the SIPRnet – were logged in at the time of the breach.
On Friday, the operations center of the United States Army Special Operation Command (USASOC) announced via an email to all personnel that any SIPRNet computers that were unaccounted for by the end of the day would be dropped from the network. The Department of Justice (DoJ) has also warned that some Secret information could have been compromised.
As SOFREP.com reported, every Secret computer used to access SIPRNet is secured with a token or password, but is also encrypted. In order to access the computer that was logged off, an individual would need to bypass the token or password as well as the encryption. While difficult, for those with the right skillset it wouldn’t be impossible.
However, far more worrisome is whether any of the computers were logged in, in which case the data could be easily accessed. (And suddenly, a lot of government employees are remembering to take their CAC with them when they go to the restroom).
While the breach of the Capitol Building was contained by Wednesday afternoon, it could have a lasting impact.
“Security officers will need to buy their aspirin in the large economy size since just creating an inventory of possible exposures will create headaches for the foreseeable future,” Purtilo told ClearanceJobs.
It isn’t just the missing laptops but any that may have been logged in at the time the rioters entered a lawmaker’s office. There are concerns about whether sensitive data was backed up, and whether it was secured.
“Did rioters snatch thumb drives, external disks or network gear? What digital content might have just run out the door?” Purtilo pondered. “It gets worse. It only takes a moment to hard reset a network switch to factory default, dropping a firewall with it, so while the mob might be cleared from the Capitol, that doesn’t mean a new back door wasn’t left for later. And nobody can afford to overlook what might have been left by rioters, too.”
This could include a key logger on a device, and while that likelihood is low – that isn’t the same as impossible.
“Any serious student of counterintelligence operations would presume the mob contained actors working for other nation states,” warned Purtilo. “Access to an opponent’s inner sanctum would be the ultimate target of opportunity.”
For those with the right IT skills, having such open access to SIPRNet would truly be akin to being handed the keys to the kingdom. Information could be downloaded or the aforementioned malware/viruses uploaded.
Given that it took well over two hours to clear the building, that was certainly enough time for someone with the right skills to gain access to the otherwise secure network. While irreparable harm likely wasn’t done, this should serve as a warning to anyone with access to such classified data.
Computers and other devices with sensitive information need to be locked or otherwise secured if not attended.
“This serves as yet another reminder to industry of the importance of sound digital practices and disaster preparation,” suggested Purtilo. “Defense in depth means not just erecting a high castle wall, but ensuring the kingdom isn’t lost should an aggressor unexpectedly get free access to the interior. Assurance means maintaining integrity in our operations even when part of the infrastructure is temporarily unavailable, whether due to fire, natural disaster or occupation of the facility by some mob. Resilience is what we exhibit when our early planning enables confident restoration of full services.”