The Perfect Cover for a Congressional Hack?

(This article originally appeared on the Medium page of my podcast, A Techno-Legal Update. Please give it a follow and subscribe to the show for more analysis of topical vignettes from the intersection of law and technology.)

I have a question about the terrorist attacks (yes, that is what they are) of the last 24 hours against the US Capitol:

Anybody reckon there were hackers (eg state-backed or ransomware initial access facilitators) who slipped in among the terrorists and would have surreptitiously inserted some lovely USB drives into Congressional computers or servers onsite to gain access to certain networks?


Surely, the chaos of terrorist violence would provide the perfect cover to access and compromise hardware with a malware-laced USB? Depending on the capability of that malware — which would be (partly) influenced by whom the hacker was working for — the hacker could, in addition to breaking into the machine itself, bypass network access controls and/or thwart network compartmentalisation controls to expand the scope of their data-collection efforts. In terms of physical OPSEC, the hackers could wear camo gear and Trump face masks to blend in on entry and exit from the buildings and frustrate identification attempts via CCTV and social media images.

As a matter of context, note that Congressional networks carry tons of information which would be of great value to any foreign SIGINT agency, given: the nature of the folks using those networks (eg staffers and politicians sitting on the intelligence, armed services and foreign affairs committees); and the data that those folks are exchanging (eg classified policy documents, and personal information that could be used to help foreign intelligence services recruit users as agents). Compromising the computer/phone of just the ‘right’ staffer or parliamentarian could be the perfect springboard for a foreign power to conduct even more serious espionage against the US and her interests. (For a look from 2010 on cyber risks faced by the US Congress, check out this article. Also, note that Russia has some alleged form in the targeting of overseas parliaments, seemingly for espionage purposes.)

That all said, my self-rebuttal is that I don’t know if any juicy Congressional networks are actually airgapped (ie not connected to the Internet), which would necessitate physical access to target machines. The Capitol is not like Natanz, is it? For a bit of context, Natanz is a key Iranian uranium enrichment site which was targeted in a cyber attack by Israeli and American intelligence across the Bush and Obama Presidencies. The attack involved a delightful worm — Stuxnet — which, in a nutshell, caused centrifuges that enrich uranium to spin at unsafe speeds and thus seriously damage themselves. Since those centrifuges were connected to an airgapped network, the attackers had to use (a) local mole(s) to introduce the virus into the network, and then the centrifuges, via a USB drive. I am guessing, however, that the office computers of members of Congress are unlikely to be airgapped, meaning that they could potentially be hacked by malicious actors offsite.

Perhaps the SCIFs — ’Sensitive Compartmented Information Facilities’ — inside the Capitol were targets of our potential USB-wielding hackers. Such facilities are used to handle some of the most highly sensitive intelligence and to hold similarly sensitive national security conversations. Each SCIF is specially designed (to put it mildly) to protect the secrets dealt with inside of it, and USB drives are regarded by the Office of the Director of National Intelligence as undermining said protection. Any computers inside a SCIF would likely be airgapped, with an adversary thus requiring access to a device inside the SCIF (like a USB drive or a smartphone) to compromise the computers and exfiltrate data. It was little wonder that veterans of the US national security community were up in arms when Republican members of Congress stormed a Capitol SCIF during the impeachment investigation without surrendering their phones beforehand, which was potentially a felony offence.
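The practical follow-up for anyone defending an airgapped or otherwise sensitive network after a physical breach of the kind described in the two paragraphs above is not speculation but a log review: which machines saw a removable storage device attach while outsiders were in the building? The script below is an added illustration for this post, not code from the original article. It parses Linux kernel (dmesg/syslog) lines for the usb-storage driver's "USB Mass Storage device detected" message and reports the attach events that fall inside an incident window. The log lines, host names, timestamps and the incident window are constructed sample values for the demonstration.

```python
"""Report USB mass-storage attach events that fall inside a physical-security
incident window, from Linux kernel log lines.

Added illustration for this post, not code from the original article. The log
lines, host names and window below are constructed sample values.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines in syslog style (syslog omits the year, so the
# parser is told which year to assume). Keyboards, mice and receivers are
# included as noise: only the usb-storage lines matter here.
SAMPLE_LOG = """\
Jan  6 13:55:02 hill-ws-07 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jan  6 13:55:03 hill-ws-07 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Jan  6 14:20:41 hill-ws-12 kernel: usb 2-3: New USB device found, idVendor=aaaa, idProduct=bbbb
Jan  6 14:20:41 hill-ws-12 kernel: input: Generic USB Receiver as /devices/constructed
Jan  6 15:07:19 hill-ws-12 kernel: usb-storage 2-4:1.0: USB Mass Storage device detected
Jan  6 18:40:55 hill-ws-03 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
"""

# "Mon  D HH:MM:SS host kernel: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: (?P<msg>.*)$"
)
# Message emitted by the Linux usb-storage driver when a storage device attaches.
STORAGE_RE = re.compile(r"usb-storage (?P<port>\S+): USB Mass Storage device detected")


@dataclass(frozen=True)
class UsbStorageEvent:
    when: datetime
    host: str
    port: str  # kernel bus path of the device, e.g. "1-1:1.0"


def parse_usb_storage_events(log_text: str, year: int = 2021) -> list[UsbStorageEvent]:
    """Extract every mass-storage attach event from syslog-style kernel lines."""
    events: list[UsbStorageEvent] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kernel line in the expected shape
        s = STORAGE_RE.search(m["msg"])
        if not s:
            continue  # some other USB device (HID, hub, ...), not storage
        # strptime treats a space in the format as "one or more whitespace",
        # so the padded day in "Jan  6" parses correctly.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(UsbStorageEvent(when, m["host"], s["port"]))
    return events


def incident_report(log_text: str, start_iso: str, end_iso: str, year: int = 2021) -> list[str]:
    """Return one line per storage attach inside [start, end], oldest first.

    Window bounds are ISO 8601 strings such as "2021-01-06T13:30".
    """
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    hits = [e for e in parse_usb_storage_events(log_text, year) if start <= e.when <= end]
    hits.sort(key=lambda e: e.when)
    return [f"{e.when:%H:%M:%S} {e.host} port {e.port}" for e in hits]


if __name__ == "__main__":
    # Constructed incident window: outsiders inside the building 13:30-17:00.
    for line in incident_report(SAMPLE_LOG, "2021-01-06T13:30", "2021-01-06T17:00"):
        print("REVIEW:", line)
```

Each reported host is a candidate for forensic imaging rather than a confirmed compromise: a legitimate user may have plugged in their own drive. The point of the exercise is to turn "could someone have inserted a USB drive?" into a short, checkable list of machines and times, which is what an incident responder actually needs.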

That said, I don’t imagine that a Capitol SCIF is a worthwhile target for any hackers physically present in the Capitol over the last 24 hours. This is because it is highly unlikely that rank outsiders can just ‘break down the door’ of a SCIF, given the: specific ‘criteria’ to be met just by the door of a SCIF before the facility can even operate; presence of a security guard outside each SCIF in the Capitol; and other security controls regulating entry to a SCIF.

It will be interesting to see, though, if any interesting USG files somehow leak onto the Internet — particularly, Twitter and right-wing platforms like Parler — in the coming weeks and months. Will they be distributed through WikiLeaks? Perhaps then we would have a better idea regarding whether there really were hackers posing as Trump supporters and wielding lovely USBs?

Food for thought.

P.S. I second the screenshotted tweet.


