Et tu, Q? CIA Chief’s AOL Account Underscores Security Culture Gap
The claim by a self-described teenage “stoner” that he was able to compromise the personal email account of CIA chief John Brennan underscores the huge cultural challenge that even security-conscious organizations face.
What was more surprising: the claim that the CIA Director John Brennan had his personal e-mail account hacked by a self-confessed teenage “stoner,” or the fact that the Director of the U.S.’s lead intelligence agency was still sporting an AOL account – an accouterment that just screams “1995”?
In my opinion, it was probably the latter. Indeed, the path by which the alleged hacker, who uses the Twitter handle @phphax, compromised Brennan’s account is well trodden. According to reporting by the New York Post, the teen apparently used “social engineering” to get Verizon workers to provide personal details about Brennan’s account. He then used the information provided by Verizon to answer AOL’s password recovery challenge/response questions and reset the password to the CIA Director’s account in an attack earlier this month. In other words, no password was ever cracked: the recovery questions were the weak link, because their answers were facts a third party could be talked into disclosing. The account has since been deactivated.
Once inside, the hacker discovered a wealth of sensitive data, though it doesn’t appear that any of it was classified. Among the documents, which he said were stored as attachments to about 40 emails copied to the AOL account, were Brennan’s copy of the SF86 Questionnaire that Brennan filled out before assuming his position as CIA Director, as well as a draft of an Intel Position Paper and a draft of a 2009 document making recommendations to the incoming president on how to deal with Iran. Copies of those documents – and others – are now posted online on the site Wikileaks.org.
Brennan wasn’t the only victim, either. The hacker also claims to have compromised an account used by Department of Homeland Security Secretary Jeh Johnson – though it is unclear if it was an e-mail account the Secretary used.
Needless to say: the FBI is investigating. But the implications of this incident extend far beyond the particulars of what @phphax and his stoner friends did – or didn’t do.
The blurry line between official and personal e-mail is nothing new. After all, official Washington has been embroiled in a controversy over former Secretary of State Hillary Clinton’s use of a private email server for months now. But the dire lack of security and oversight concerning the personal account of such a senior intelligence official is breathtaking. At the very least, Director Brennan should have enabled two-step verification for his account, a feature AOL has offered for more than a year. That would have required a would-be assailant to retrieve and enter a unique code sent to Brennan’s cell phone to get access to his account.
Even better: ditch AOL altogether for one of a long list of security-focused email providers like ProtonMail, which offer end-to-end message encryption and tighter access controls that make this kind of account takeover, and the reading of stored mail that follows it, far harder. Many of these have sprung up in the wake of the Edward Snowden leak, allowing Brennan to ride the wave of backlash caused by snooping by intelligence services like the one he heads.
The bigger challenge for security-conscious firms and public agencies, however, is tackling the security culture gap that makes so many employees blind to the risks of moving data carelessly between protected and unprotected environments. That’s an even bigger issue now than in the past, given the ease of copying data from protected networks to cloud-based e-mail services and storage systems like Dropbox.
Simply put: most workers – regardless of age – fail to appreciate the degree to which their personal and professional lives are intertwined, and the degree to which they have come to rely on infrastructure that is not under their direct control. Lax control at any point along the line can lead to a kind of cascading compromise.
More than three years ago, Wired writer Mat Honan gave a perfect illustration of this dynamic, writing about how a compromise of his personal email account led to a wholesale attack on the rest of his online identity, including photos, personal information and so on. The same is true of government officials like Brennan, though, of course, the stakes are much higher.
What is the lesson of the Brennan incident? Where does one even start?
Given the prevalence of targeted “spear phishing” campaigns and other advanced attacks on senior government officials, it is unimaginable to me that the Director of the CIA would have been allowed to have a personal AOL account that was not at least secured using multi-factor authentication and closely monitored (that is: password change generates an out of band notification). After all: the danger of a compromised account isn’t just to Director Brennan, it is also to any contact with whom he communicated using his personal account, who can then become targeted by the attackers in control of the account.
It is unimaginable to me that the CIA would not have at least asked the director to review any personal email accounts for files and attachments that could be sensitive and to delete those.
Also unimaginable is the fact that the CIA failed to audit the activities of senior leadership and to note and monitor their use of non-CIA and government assets and services. Such an audit would have certainly zeroed in on the lightly protected AOL account and resulted in more security around that.
It’s a truism that employees are the biggest source of cyber insecurity within organizations – clicking on dodgy email attachments and web links, falling for cute puppy pictures and thoughtlessly emailing documents home to work on off hours. That means that the biggest challenge to organizations in securing their environment is cultural rather than technical. It comes in getting employees to see how the very tools they rely on to communicate and shop and be productive can undermine the integrity of the network they use, or be used against them. That’s a big hill for any corporation to climb. As the Brennan incident indicates, it is a challenge for the world’s most security-conscious organization, too.