As lawmakers and law enforcement continue to unravel the events and impact of the crisis at the U.S. Capitol on Wednesday, January 6th, attention is turning to identifying and prosecuting those who illegally entered, attacked, and looted the Capitol and the legislative offices housed there. We are learning more about the litany of security failings, and it is imperative that we take the lessons this example offers and make the changes they demand now, at our state capitol buildings as well as in our businesses.
Members of the same group that breached the offices in our nation's capital are now back in their home states across the country, where, according to the FBI, they are threatening similar attacks on their state capitols. Most organizations would never consider themselves plausibly at risk of a large, overwhelming, physically penetrating attack. Even so, there are many lessons in this incident that can benefit any organization, and the event stands as proof that even in offices with what most would consider the absolute top echelon of security, common vulnerabilities and bad practices can be found. The following are a few things that those protecting our government, and those who protect their own organizations, could learn from the events of January 6th.
1. Know your vulnerabilities and understand your risk
When building a cybersecurity plan, start by understanding what risk your organization carries. As one of the most important buildings in our government, the Capitol carries risk at the highest level and is of great interest to actors from foreign governments, both friend and foe. While the attack on the Capitol initially looked like an out-of-control protest, it quickly became apparent that there were several layers. The base layer, a "violent mob" of ill-prepared protestors, helped cover and obscure the actions of a smaller group of insurrectionists with clear, violent goals and the tools to pursue them. It is reasonable to assume that there was another layer beyond this one: D.C.-based foreign intelligence operatives who would have had the opportunity and resources to use the attack as cover to penetrate the Capitol and engage in espionage. Under normal circumstances, the threat from a spy might seem the least likely to actually occur, but cybersecurity operations must prepare for their WORST plausible threat, not only the most likely ones.
Security preparations for the state capitol buildings this week, and for businesses in the future, should be built around the worst plausible scenario, not merely the one considered most likely. The lack of preparation at the Capitol last week, if it was truly an oversight, can be seen as a failure of threat intelligence. The people attacking the Capitol planned their actions on open forums such as Facebook. Before the attack, there was a large, publicized rally, attended by members of our government, with a clearly stated intent to march on the Capitol. The threat was clear that day, and for long before, and its impact could have been (and, for future attacks, still could be) mitigated by practicing some of the most basic aspects of good security hygiene: collecting the openly available signals and acting on them.
2. Enforce your policies
Understanding your risk is the first step to proper protection, and writing policy is typically the next. The suggestions I make here are honestly not novel, and it is likely that every policy mentioned is already in place. Writing policy is fast, free, and easy. Policy, however, does no good if it can be easily ignored, as it often is. Employees who "break the rules" usually do so out of convenience, and without training they may not even be aware of certain policies, especially ones the office culture has "trained" them to ignore. Without automated or manual checks on compliance, changes to cybersecurity policy can end up meaning little more than the best intentions of a quickly forgotten New Year's resolution.
3. Clean screen and clean desk
Photos published after the attack on the Capitol building include one of a computer on an office desk, still logged in, with email open. It is being cited as evidence that employees had to evacuate their offices in haste. Access to that computer could be a vector for a great deal of future damage: malware could have been installed, emails copied and mined for sensitive information and for future phishing and social engineering, and files copied off the machine. Unless the machine was logging endpoint activity and those logs are preserved and reviewed, few of these actions leave a trail the defenders can reliably find, and it may be impossible to confirm whether a compromise occurred.
A common policy is the "clean screen" policy, which requires that an employee's computer be locked whenever the employee is not present and actively using it. Your staff's computers, desktop and laptop, WFH or WFO, should be at a locked screen whenever unattended. The user can lock manually when leaving the desk, but a measure must be in place to lock the screen automatically after a short idle period, and that setting should be pushed centrally (group policy or MDM) so individual users cannot turn it off. It is not uncommon for an employee to leave a computer open for a short run to the printer or to grab a cup of coffee, but short trips can turn into longer ones than planned. In an emergency, it will not matter whether employees had time to, or remembered to, lock their workstations; it will have been done automatically. Of course, this policy does little good if it goes unheeded, so random spot checks or an automated compliance audit will go a long way.
A notch up in security is a clean desk policy as well, so that no information is left on a desk overnight, or even for short periods. Desks in the state capitols, and the computers sitting on them even when switched off, are covered in written notes and other information that could be used for social engineering or to otherwise aid a cyberattack.
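The automated compliance check mentioned above, as an added example that is not from the original article. It evaluates the Windows registry values that control screen-saver locking (`ScreenSaveActive`, `ScreenSaverIsSecure`, `ScreenSaveTimeOut` under the `Control Panel\Desktop` and Group Policy keys) plus the machine inactivity limit (`InactivityTimeoutSecs`); the five-minute maximum is an assumed policy value. The evaluation works on any exported values, so it can run on a Linux audit host; the live registry read is Windows-only.

```python
"""Clean-screen policy audit for Windows endpoints (added example, not the
article's code). MAX_IDLE_SECONDS is an assumed policy value."""
import sys

MAX_IDLE_SECONDS = 300  # assumed policy: lock after at most 5 minutes idle

# Registry locations. The Policies key (set by Group Policy) overrides the
# per-user key; InactivityTimeoutSecs lives under HKLM.
POLICY_DESKTOP = r"Software\Policies\Microsoft\Windows\Control Panel\Desktop"
USER_DESKTOP = r"Control Panel\Desktop"
MACHINE_SYSTEM = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def _as_int(value):
    """These settings are stored as REG_SZ strings such as "300"; accept ints too."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def evaluate_lock_policy(desktop, machine=None, max_idle=MAX_IDLE_SECONDS):
    """Return a list of findings; an empty list means the endpoint is compliant.

    desktop: values from the effective Control Panel\\Desktop key
    machine: values from the HKLM ...\\Policies\\System key (may be None)
    """
    machine = machine or {}
    findings = []

    # Path A: machine inactivity limit. 0 means "no limit" on Windows.
    inactivity = _as_int(machine.get("InactivityTimeoutSecs"))
    if inactivity is not None and 0 < inactivity <= max_idle:
        return []  # locks regardless of screen-saver settings

    # Path B: screen-saver driven lock. A missing value means the Windows
    # default, which is "never lock", so absence is a finding.
    if _as_int(desktop.get("ScreenSaveActive")) != 1:
        findings.append("screen saver not active (ScreenSaveActive != 1)")
    if _as_int(desktop.get("ScreenSaverIsSecure")) != 1:
        findings.append("screen saver does not require password (ScreenSaverIsSecure != 1)")
    timeout = _as_int(desktop.get("ScreenSaveTimeOut"))
    if timeout is None:
        findings.append("no idle timeout set (ScreenSaveTimeOut missing)")
    elif timeout > max_idle:
        findings.append(f"idle timeout {timeout}s exceeds policy maximum {max_idle}s")
    return findings


def read_windows_values():
    """Read the effective values from the live registry (Windows only)."""
    import winreg  # only available on Windows

    def read_key(hive, path):
        out = {}
        try:
            with winreg.OpenKey(hive, path) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values
                    out[name] = data
                    i += 1
        except OSError:
            pass  # key absent: no settings there
        return out

    desktop = read_key(winreg.HKEY_CURRENT_USER, USER_DESKTOP)
    desktop.update(read_key(winreg.HKEY_CURRENT_USER, POLICY_DESKTOP))  # policy wins
    machine = read_key(winreg.HKEY_LOCAL_MACHINE, MACHINE_SYSTEM)
    return desktop, machine


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live audit needs Windows; evaluate_lock_policy() works on exported values")
    problems = evaluate_lock_policy(*read_windows_values())
    print("COMPLIANT" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it from a scheduled task or your endpoint management agent and alert on a non-zero exit; a user who disables the screen saver locally shows up as a finding on the next run, which is the enforcement the policy text on its own lacks.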
4. Inventory hardware and files
About two hours after the attack, the building was announced to be "clear", though that seemed an impossibly short time in which to confirm that no dangerous people or equipment remained inside. In terms of physical security, those charged with protecting our members of Congress decided that the attack was over and the work of certifying the election of President-elect Biden could continue. On the cybersecurity side there was no such official call, though reporters are already referring to the event in the past tense and downplaying its potential cybersecurity implications.
Many of the directives coming out now cannot prove a negative. An inventory taken now is only as useful as the inventory taken before the attack. Without a prior baseline it will likely never be possible to know for sure whether files were taken, copied, or altered, or whether hardware was stolen or modified. The best that reporters, and even cybersecurity professionals, can do now is make educated guesses about exposure and hope that the safeguards in place were enough to limit the damage.
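What "inventory before the attack" looks like in practice, as an added example (not the article's code): a manifest of every file with its size and SHA-256, saved before the incident, diffed against a fresh scan afterwards. The directory layout and file contents in `demo()` are constructed for illustration.

```python
"""Baseline-and-diff file inventory (added example, not from the article)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_inventory(root):
    """Map relative path -> {"size", "sha256"} for every regular file under root."""
    root = Path(root)
    inv = {}
    for dirpath, _, filenames in os.walk(root):  # followlinks=False by default
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip links, devices, sockets
            rel = p.relative_to(root).as_posix()
            inv[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return inv


def save_inventory(inv, manifest_path):
    Path(manifest_path).write_text(json.dumps(inv, indent=1, sort_keys=True))


def load_inventory(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def diff_inventory(baseline, current):
    """Return sorted lists of missing, added and altered paths."""
    base_paths, cur_paths = set(baseline), set(current)
    altered = sorted(p for p in base_paths & cur_paths
                     if baseline[p]["sha256"] != current[p]["sha256"])
    return {
        "missing": sorted(base_paths - cur_paths),
        "added": sorted(cur_paths - base_paths),
        "altered": altered,
    }


def demo():
    """Constructed scenario: take a baseline, then simulate theft, tampering and a planted file."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        r = Path(root)
        (r / "briefing.pptx").write_bytes(b"deck contents")      # constructed sample data
        (r / "notes.txt").write_text("call Bob re: budget")       # constructed sample data
        manifest = Path(store) / "baseline.json"                  # kept OFF the audited host
        save_inventory(build_inventory(root), manifest)           # taken BEFORE the incident

        (r / "notes.txt").unlink()                                # stolen
        (r / "briefing.pptx").write_bytes(b"deck contents + implant")  # altered
        (r / "update.exe").write_bytes(b"MZ...")                  # planted

        return diff_inventory(load_inventory(manifest), build_inventory(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest has to be stored somewhere the attacker cannot reach (and ideally signed), or a tampered baseline will agree with a tampered host. Note the limit the article points out: a file that was merely copied is byte-for-byte unchanged and will not appear in this diff; detecting copying needs access logs, not an inventory.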
The theft of the laptop from Speaker Pelosi's office has been downplayed, as the laptop in question is being characterized as a piece of projection equipment, something only used to "put your PowerPoint on". It is not seen as a vulnerability now that it is missing, and it was likely not treated as sensitive while in use. A policy for deleting presentations once they were no longer needed was probably not in place, so presentations given to the Speaker of the House, or by the Speaker herself, could well have remained as forgotten files on this peripheral laptop. It is also possible that this laptop was occasionally used to go online, log into websites, and pull files from cloud sources in the context of a meeting, out of convenience, and then forgotten. Since it was likely not considered subject to security policy, it is very plausible that saved passwords, browsing history, and other PII could be extracted from it. Equipment like this must be inventoried, and its contents tracked and deleted when appropriate.
5. Have a reasonable remediation plan in place and follow it
Have a business continuity plan. As I mentioned before, the building was cleared physically oddly fast after the attack, while it was (and remains) impossible to have "cleared" the cybersecurity threat. Though the number of devices that could have been compromised is probably low, it is necessary in this situation (as it would be in your organization) to assume that every device was compromised. As Congress reconvened without delay to finish the night's work, it is unlikely that any hardware was replaced, though that will likely be part of the ongoing remediation effort. Without a plan or the infrastructure to replace hardware quickly, employees spent the night working on devices that could have been compromised, on a network that may have been breached, in a building that could still be hiding an unknown number of rogue devices and tools of espionage.
In truth, any cyberattack associated with this massive physical penetration is likely ongoing and will not be detected for many months, if ever.