Security Think Tank: Biden must address insider security threat first

Last year went out with a bang infosec-wise with the SolarWinds and FireEye breaches, and 2021 has come in with a bang given the attack on the Capitol in Washington DC and the inauguration of a new president of the US. What do these events presage for the information and IT security industries and professionals both in the US and internationally?

Although it is still too early in the new US administration to garner firm ideas on what the administration will do vis-a-vis cyber security and international cooperation, the initial signs are positive.

However, there is much to do within the US government itself, given the accepted assumption that there are bad actors within its infrastructure, and that there is no currently available official assessment of what was compromised during the invasion of the Capitol.

My expectation is that there will be a main focus on identifying and recovering from any breaches, followed by work to improve the underlying infrastructure security. There will also be a necessary focus on the US-led cyber industry, particularly given the previous events concerning SolarWinds and FireEye.

Other than the Five Eyes surveillance alliance, I believe that security cooperation with international cyber companies will be a lesser focus, particularly given the role the US cyber industry plays outside the US.

However, there are other lessons to be learnt, particularly in view of the attack on the Capitol. Firstly, there is evidence of insider assistance to those attacking the Capitol. Simply stated, there were insider threat sources and insider threat actors. No cyber professional or anyone in a human resources role should ignore this.

For the new administration, this will necessitate a root-and-branch overhaul of the security vetting procedures, not only for all administration staff and contractors, but also all elected officials and their staff. There will be opposition, particularly from the elected representatives, but given the scale of the Capitol breach, it is something that needs doing, and doing urgently. 

Because the attackers actually got into the Capitol and some items, including laptops, were stolen, plus the building’s IT infrastructure could have been breached under the cover of the attack, that raises the issue of physical security and how staff should react in such a situation.

A full physical security investigation needs to be undertaken, together with the development of a full inventory of what assets were taken, including data and informational assets, not just hardware items.

Social media, both mainstream and private social groupings, played a big role in organising and coordinating the attack on the Capitol and this might indicate that the new US administration will try to put more effort into monitoring these channels.

However, such monitoring raises a question of how social media should be regarded. Is it a common carrier or is the definition of common carrier only applicable to the underlying internet path that a social media communication travels over?

Another aspect of monitoring is the area of freedom of speech and Big Brother-style monitoring. This is a fraught area and one I will not comment on, save to say that there are some companies that offer reputation monitoring services to the commercial sector, although care has to be taken with regard to country-specific regulations and legal obligations including, but not limited to, the Data Protection Act 2018 in the UK, the Investigatory Powers Act 2020 in the UK (similar powers exist under the Patriot and USA Freedom Act), the General Data Protection Regulation across the EU, and, of course, the US First Amendment. Time will tell what happens next.