The US Capitol was breached by rioters. What has to happen next?

When drawing up plans for IT security in the US Congress, Congressional tech employees most likely didn’t have an attack by hundreds, if not several thousand, irate supporters of Donald Trump who have been called “insurrectionists” and “terrorists” in mind. Yet a stunning security failure by police forces meant to quell crowds that gathered in the nation’s capital last night have resulted in just that. 

Marauding mobs of protesters went door to door throughout the US Congress in the late hours of January 6, ripping signs off walls and taking mementoes of the occasion, which will live in infamy. Many were armed with cell phones, with which they snapped photographs of themselves, feet up on the desks of some of the country’s most famous politicians. Others shared photos online of the email inboxes of Congressional staffers.

Information security professionals are worried that Congressional systems could have been breached as a result of the attack, as CyberNews has previously reported. But if they have, what are the next steps?

A full audit will be needed

“My heart goes out to the unsung IT heroes at the Capitol tonight,” tweeted Kimber Dowsett, director of security engineering at Truss Works. “My guess is they’ve never had to run asset inventory IR before - a daunting, stressful task in a tabletop exercise - and they’re running one (prob w/o a playbook) following a full on assault of the Capitol.”

That “asset inventory IR” means an asset inventory incident response, or a wholesale rebuilding of all networks and IT infrastructure, because they don’t know what could have been compromised. “Honestly, everything with enough silicon to store a worm, starting with some of the charging cables, that was left insecure or plugged into the network since should be scrapped,” tweeted Joe Helfrich. 

“Even if you think the odds of someone using this to insert an attack is small, the risk is huge.”

 Joe Helfrich

There’s precedent for this kind of thing: in 1991, the KGB sent spies to look around the US embassy in Moscow when it suffered a fire

Meticulous monitoring and destroying of material

“They’re probably going to have to throw every computer in the shredder,” added one senior infrastructure administrator at a financial services company. “Can’t trust that somebody didn’t leave something behind.”

They pointed out that a similarly destructive attack – by a tornado on a tower block in Fort Worth, Texas that the FBI operated out of – resulted in documents scattered all over the city’s streets. 

“They called in a bunch of agents from other offices, and some who had retired to go through the city and pick up every scrap of paper. They couldn’t risk any of it leaking, and they couldn’t use any of it as evidence anymore, so it all had to be destroyed.”

Some images have been shared on social media of conversations where mob participants claim to have taken hard drives, though those claims are unsubstantiated – and the people who have made them are supporters of a US president who has no qualms about lying. 

A silver lining?

There is, however, a silver lining to take from the disruption to democracy that occurred, and the information security nightmare that it could have caused. The wholesale rework of IT systems and equipment, if pursued properly, could throw up any pre-existing hardware implants that foreign governments may have surreptitiously installed. 

While many of those drunk with power who roamed the corridors of Congressional buildings yesterday likely won’t have realised what a treasure trove of information and data they likely could have accessed, they may have unwittingly helped force one of the biggest governmental IT audits in history – which could be beneficial in the long run.