Who knew people still used AOL?
This was among the head-scratchers to emerge from the news this week that teenage hackers had gained access to CIA director John Brennan’s unfashionable email account, yielding more than 2,500 email and instant message addresses for high-ranking government officials. But the more important question is why the boundaries between personal and work email accounts appear to be so porous in the upper echelons of the government.
There are plenty of reasons to care when government officials use their personal email accounts for work-related activities, particularly when it comes to transparency and accountability. Journalists may not be able to gain access to emails sent from personal accounts under the Freedom of Information Act, and communications meant to be public record can stay under wraps. This has been one of the main criticisms lobbed at Hillary Clinton for using a private server for much of her work-related email during her Secretary of State.
But do Clinton and Brennan’s use of personal email accounts endanger national security? It’s worth asking whether Brennan’s contacts—or the contents of his email—would have been measurably more secure had they been stored on servers operated by the CIA. For that matter, is any of the information stored on Clinton’s personal server more easily accessible than it would have been on a State Department server?
Those are hard questions to answer conclusively, since we’re still learning information about the security measures protecting each official’s accounts. The Associated Press reported earlier this month that Clinton’s server, running on Microsoft’s software, “appeared to allow users to connect openly over the Internet to control it remotely,” without an encrypted connection. This would make easier for hackers to gain access from afar. But there are still plenty of unknowns about what other protections may or may not have been in place.
But we do know that the computer security measures offered by many government agencies are nothing to write home about. The past few years are littered with examples of the US government failing to protect sensitive and personal information about its employees, from the breach of millions of Office of Personnel Management records to the series of unauthorized intrusions into the State Department email system.
So while it may be fair to criticize Clinton’s use of a personal account on the grounds of transparency and federal record-keeping, it’s a little odd to take her to task for undermining the security of her emails. The Wall Street Journal’s L. Gordon Crovitz did just that earlier this week, urging lawmakers who questioned her on Benghazi to press her to assess “how much harm would be done if Chinese and Russians were able to gain access to the emails of the country’s top diplomat.” But the State Department’s own email server was apparently routinely accessed by Russian hackers.
Similarly, the Journal, in reporting on the alleged hack of Brennan’s personal account, notes that “Mr. Brennan’s personal email account … wouldn’t be subject to government security protocols,” suggesting that this somehow makes the account more vulnerable.
Yet it’s perfectly possible—likely, even—that the security protocols in place for popular email services like AOL, Google’s Gmail, Yahoo! Mail or Microsoft’s Outlook web service far outstrip most of what the government has in place. After all, for technology companies, building usable and secure services is a central component of their mission and focus. For government agencies, it’s an afterthought.
It’s tough to make email secure. We want to be able to access it quickly, wherever we are, often on multiple devices. This often means that an adversary who can guess or phish a password has everything they need to gain complete access to a protected account.
Corporate email services have been ahead of the curve in raising the barriers to these types of breaches, implementing services like two-factor authentication and flagging log-ins from unusual geographic locations and inconsistencies based on the IP addresses used to access accounts. Researchers at Google and the University of California San Diego have even tried to profile the activity of hackers by looking at what words they search for and the volume of emails they send. This information could help email service providers flag suspicious activities.
There are many reasons why government officials may be using personal accounts instead of their official ones. Perhaps they have sinister motives: they want to hide correspondence or keep their secrets off of official records. Perhaps they’re using personal email for more practical reasons, such as ease of use and the ability to search through messages quickly. Or maybe—just maybe—some of them actually believe that a personal email account is just as safe as one on a server maintained by a government agency IT team. That’s not an excuse for breaking rules related to official government records. But it may not be wrong, either.