
The overrunning of the U.S. Capitol on Wednesday may be one of the most serious cybersecurity events ever, potentially on par even with the ongoing SolarWinds hack. The riot has potentially given some of the most sophisticated cyber-threat actors unrestricted access to one of our government’s most critical networks for four hours.

This situation is a lot like SolarWinds: we know at least some of what has happened and we can extrapolate what may have happened. Another way this is like SolarWinds: it may take some time for us to truly know the full extent of what happened, if we ever do.

We can see in the many pictures and videos that what happened was an unauthorized, uncontrolled group of unknown people had complete, unrestricted physical access to the Capitol for nearly four hours. This in turn gave them complete, unrestricted access to the computers, devices and the physical networks in those buildings for that time.

An important rule in my world is one of the “Ten Immutable Laws of Security.” Law 3 states: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

This means that for four hours on Wednesday, every device, computer, server, network outlet, WiFi hotspot, router, and internet connection in the Capitol and Congressional office buildings wasn’t controlled by the U.S. government — it was in the hands of the rioters.

Using the scale I proposed for the SolarWinds event, the potential impact of four hours of unrestricted physical access like this is potentially the most serious, a Stage IV event.

But that’s not the end of the story. We have to think about who could have been in the Capitol and their capabilities.

It’s important to remember that some of the best cyber-threat actors are attached to full-scale intelligence services. For instance, the Russian SVR is believed to be behind the SolarWinds attack and can be thought of as similar to the CIA. Cyber-operations are only a part of an intelligence agency’s overall toolkit: these agencies have physical (kinetic) as well as cyber capabilities and blend them easily, enabling them to use boots-on-the-ground strategies as part of their cyber operations.

We know that legislatures are prime targets for attackers. The parliaments of both Norway and Finland were attacked as recently as September and December 2020, respectively. So the Congress is also a prime target.

Finally, foreign governments have strong physical presences in Washington D.C. in the form of their embassies; intelligence agencies and personnel are frequently attached to embassies. Even if there weren’t operatives in the crowds at the beginning of the events, it would take literally a few minutes to insert operatives into that chaotic environment.

Connecting the dots, we see that high-capability cyber-threat actors attached to foreign intelligence services had the means, motive and opportunity to carry out unrestricted physical attacks in the U.S. Capitol for four hours.

We really have to let that sink in because it’s truly unprecedented. It’s never happened before.

With that in mind, the potential ramifications of this event are staggering.

To grasp what these might entail, we should first think about the concerns of a Stage IV hack, similar to what the SolarWinds victims are going through right now. In these cases, attackers could access and copy emails and files, implant malware, create their own accounts on the network, and get administrative access to devices, computers, servers and network devices.

In other words, the attackers would be able to get at the data they want, build their own accounts to build new, unknown paths into the network, and bury themselves deep into the network in ways that would make it very difficult to detect them and even harder to fully remove them.

Here, though, we have to expand our scope of possible “worst case” scenarios because of the possibility that some of the most advanced intelligence agents had unrestricted physical access to the systems and network. This takes those possibilities and amplifies them exponentially. These attackers could plant physical listening devices not just in offices but on the network itself. They could physically compromise the computers, devices, network and servers in ways that may be hard or even impossible to detect, because it could be new, state-of-the-art technology that we don’t even know how to look for.

There is one positive in this: there’s no indication that the Sensitive Compartmented Information Facility (SCIF) within the Capitol was breached or compromised. This is a specially-designed facility where the most critical secret information is housed and processed. However, the Capitol SCIF was breached by Republican lawmakers protesting impeachment in 2019, so there is reason to be concerned for its integrity in this latest event.

The physical Capitol was secured Wednesday night. The odds are that the digital Capitol has not been fully secured and won’t be for some time. Pretty much every office will need to be systematically swept for surveillance devices, the physical systems checked for signs of intrusion (or just completely junked and replaced wholesale), and the digital assets scoured closely for any signs of malware, unauthorized accounts and access. And there will need to be ongoing increased monitoring moving forward.

A final note: this isn’t happening in a vacuum. We have to remember that this is all happening at the same time we’re continuing to unravel the SolarWinds event. It’s too early to know what the ramifications of either are, let alone how they relate to each other or could be combined. But we shouldn’t lose sight of the fact that each of these events has the potential to be used in conjunction with the other.

With the Capitol event we are in the same “wait and see” space as we are with SolarWinds. For now though, it’s important to understand that there’s an important cybersecurity aspect to this event that is already momentous in our history.
