Saturday, January 09, 2021

Capitol Hill Security Failure So Comprehensive It Had To Have Been Intentional

wired |  Unlike a building such as the White House, in which access is very tightly controlled, the Capitol building is often called the "People's House." Its security is similar to that of a hospital; many spaces are open and accessible if you have a reason to be there, and only some areas are tightly guarded or otherwise access-controlled. Larkin, who also spent years with White House security in the Secret Service and is now vice president of corporate development at SAP National Security Services, says that the Capitol inherently has more entrances and exits than can be simultaneously guarded at normal staffing levels. He emphasizes that failures to contain and secure the situation happened while the pro-Trump mob was outside the building. But Larkin, who retired as Senate sergeant at arms in 2018, adds that cybersecurity is the next priority after physical security.

In spite of this, the mob Wednesday had ample opportunities to steal information or gain device access if they wanted to. And while the Senate and House each build off of their own shared IT framework, ultimately each of the 435 representatives and 100 senators runs their own office with their own systems. This is a boon to security in the sense that it creates segmentation and decentralization; getting access to Nancy Pelosi's emails doesn't help you access the communications of other representatives. But this also means that there aren't necessarily standardized authentication and monitoring schemes in place. Larkin emphasizes that there is a baseline of monitoring that IT staffers will be able to use to audit and assess whether there was suspicious activity on congressional devices. But he concedes that representatives and senators have varying levels of cybersecurity competence and hygiene.
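The audit Larkin describes boils down to one question per device: did anyone touch it, or move data off it, during the hours the building was unsecured? The script below is an added example of that triage, not code from the Wired article or from congressional IT; the log format, field names, event names, hostnames and the time window are all constructed assumptions (the window is illustrative and would be set from the actual incident timeline). It sorts per-office endpoint logs by time, flags hands-on activity (console logon, screen unlock, USB insertion) inside the window, and escalates any data movement that follows hands-on access on the same host.

```python
"""Post-intrusion audit triage over per-office endpoint logs (added example).

Assumed, constructed log format: one JSON object per line with keys
ts (UTC, "YYYY-MM-DDTHH:MM:SSZ"), host, user, event, plus event-specific fields.
Offices run their own systems, so a real deployment would first normalise each
office's native log schema into this shape.
"""
import json
from datetime import datetime, timezone

# Assumed window during which offices were unsecured; set from the incident timeline.
WINDOW_START = datetime(2021, 1, 6, 19, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 1, 6, 23, 0, tzinfo=timezone.utc)

# Events that imply someone was physically at the keyboard or the USB port.
PHYSICAL_EVENTS = {"console_logon", "screen_unlock", "usb_device_attached"}
# Events that move data off the device and matter most after hands-on access.
EXFIL_EVENTS = {"file_copy_to_removable", "mailbox_export", "outbound_large_transfer"}

# Constructed sample log (deliberately unsorted, with one malformed line).
SAMPLE_LOG = """\
{"ts": "2021-01-06T19:25:00Z", "host": "hr-off-12-wks01", "user": "staffer.a", "event": "usb_device_attached", "device": "USB Mass Storage"}
{"ts": "2021-01-06T18:30:00Z", "host": "hr-off-12-wks01", "user": "staffer.a", "event": "console_logon"}
{"ts": "2021-01-06T20:30:00Z", "host": "hr-off-40-wks07", "user": "staffer.c", "event": "file_copy_to_removable", "path": "calendar.pst"}
{"ts": "2021-01-06T19:31:00Z", "host": "hr-off-12-wks01", "user": "staffer.a", "event": "file_copy_to_removable", "path": "markup-notes.docx"}
not json at all
{"ts": "2021-01-06T20:00:00Z", "host": "hr-off-40-wks07", "user": "staffer.c", "event": "remote_vpn_logon"}
{"ts": "2021-01-06T21:00:00Z", "host": "sen-off-3-lt02", "user": "staffer.b", "event": "outbound_large_transfer", "bytes": 734003200}
{"ts": "2021-01-06T20:10:00Z", "host": "sen-off-3-lt02", "user": "staffer.b", "event": "screen_unlock"}
{"ts": "2021-01-07T01:00:00Z", "host": "hr-off-12-wks01", "user": "staffer.a", "event": "console_logon"}
"""


def parse_log(text):
    """Parse JSON lines into records sorted by timestamp; skip lines that do not parse."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except (ValueError, KeyError, TypeError):
            continue  # per-office logs vary; a bad line should not abort the whole audit
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def triage(log_text, start=WINDOW_START, end=WINDOW_END):
    """Return findings for activity inside [start, end], ordered by time.

    high:     hands-on activity on the device while the office was unsecured
    critical: data movement on a host that already saw hands-on activity in the window
    medium:   data movement in the window with no recorded hands-on access (still review)
    """
    touched = set()  # hosts with hands-on activity so far in the window
    findings = []
    for r in parse_log(log_text):
        if not (start <= r["ts"] <= end):
            continue  # ordinary audit trail outside the window; not part of this triage
        if r["event"] in PHYSICAL_EVENTS:
            touched.add(r["host"])
            severity, reason = "high", "hands-on activity while the office was unsecured"
        elif r["event"] in EXFIL_EVENTS:
            if r["host"] in touched:
                severity, reason = "critical", "data movement after hands-on access in the window"
            else:
                severity, reason = "medium", "data movement in the window with no recorded hands-on access"
        else:
            continue  # e.g. remote VPN logon: not evidence of physical presence
        findings.append({"ts": r["ts"].isoformat(), "host": r["host"], "user": r.get("user"),
                         "event": r["event"], "severity": severity, "reason": reason})
    return findings


def hosts_for_forensic_imaging(findings):
    """Hosts that should be imaged before anyone logs back in: any high or critical finding."""
    return {f["host"] for f in findings if f["severity"] in {"high", "critical"}}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['severity']:8} {f['host']:16} {f['event']:24} {f['reason']}")
    print("image first:", sorted(hosts_for_forensic_imaging(triage(SAMPLE_LOG))))
```

The severity rule is deliberately conservative: a removable-media copy with no hands-on event in the window still surfaces as medium, because an office with weaker logging may simply not record console activity, which is exactly the uneven monitoring the passage describes.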

It's also true that potentially exposed data at the Capitol on Wednesday would not have been classified, given that the mob had access only to unclassified networks. But congressional staffers are not subject to Freedom of Information Act obligations and are often much more candid in their communications than other government officials. Security and intelligence experts also emphasize that troves of unclassified information can still reveal sensitive or even classified information when combined.

Former National Security Agency hacker Jake Williams points out that, while US law enforcement was somehow caught flat-footed, President Donald Trump's supporters (egged on by Trump himself) have repeatedly foreshadowed that something like this could occur.

“You have to step back and realize that foreign intelligence could have looked at this and said, ‘Yeah, this is going to be an opportunity,’” says Williams, founder of Rendition Infosec. “I don’t think that in every office that was entered everything needs to be burned to the ground, but you need to be acknowledging that there’s real intelligence value in learning legislators’ intentions and plans on policy. This security breach is a big deal.”

Even without physical intrusions, foreign adversaries could also use the incident as a jumping-off point to launch phishing campaigns against congressional offices or begin spreading disinformation to foment future unrest.

“One thing I can guarantee you is that in Tehran, in Moscow, in Beijing folks are sitting in meetings right now thinking how can we take advantage of this?” says Kelvin Coleman, executive director of the National Cyber Security Alliance, who formerly worked in the Department of Homeland Security and National Security Council.