Longer-Term Cybersecurity Implications of the Occupation of the Capitol—Beware of Fake Leaks

Last week, I wrote about cybersecurity issues raised by the loss of physical control in the U.S. Capitol during the occupation. Since then, it has become clear that a number of devices are missing and presumably taken by the occupiers. The rioters took laptops from the offices of House Speaker Nancy Pelosi and Sen. Jeff Merkley. These devices are now in the physical possession of people who can be considered adversarial threat actors, and those actors now have the opportunity to take their time in trying to penetrate them and see what data is available on those machines. 

One would hope that connections associated with these machines have been terminated, so that, for example, these devices can no longer be used to access the email accounts or network drives associated with their owners. And perhaps there wasn't very much sensitive information locally available on those laptops, though I would not count on that for a minute.

But a much larger issue is how the fact of possession can be leveraged in the future to the advantage of the occupiers. Specifically, those who took the laptops are now in a position to create messages or files containing any kind of content and then claim that they were retrieved from one of these devices. If such faked content is released to the public, how will the owners of those devices refute what that content purports to reveal? The possibilities for mischief and worse are endless.

Technical forensics may be of some limited assistance in showing that these files and messages were created after the occupation, but the bigger question is whether forensic evidence would matter in changing public perception. How easy will it be for bad actors to ignore the forensics or claim the forensics are themselves forged?

I have no solution to this problem, but the device owners should start thinking very hard about what they will do and how they will respond when such fakery emerges.