Top government officials continue to use personal email accounts to conduct official business even though it comes with significant risk and could possibly violate federal policy, experts say.
High-ranking Trump administration officials have reportedly been relying on a blend of professional and personal email accounts to send messages to their contacts, according to separate reports by the New York Times and Washington Post. These individuals include the President’s daughter, Ivanka Trump, and son-in-law, Jared Kushner, both of whom hold official White House positions.
National Economic Council Director Gary Cohn and presidential adviser Stephen Miller were also found to be using private email addresses.
Former FBI Cyber Division Chief Technology Officer Milan Patel told CyberScoop that high-ranking officials, like Kushner and Miller, run a high risk of being targeted by nation-state-sponsored hackers who seek to gather intelligence and personal details. These hackers would, Milan explained, first look to break into old email addresses, connected social media accounts and other digital applications rather than the government systems used by these figures.
Agencies like the FBI, Secret Service and National Security Agency have limited visibility into programs that are not developed or somehow customized internally for use by White House staff. As a result, most intelligence and defense agencies require that employees, especially those in more sensitive positions, isolate their dealings to approved government channels and customized electronic devices, which are designed to account for actors trying to intercept sensitive messages.
“One of the biggest things I saw during my time with FBI, and it’s the issue here as well, is that these personal email accounts usually don’t have two-factor authentication enabled,” said Patel, who now serves as co-head of threat monitoring service BlueteamGlobal. “That was something we always saw … it’s like [Hillary Clinton presidential campaign adviser John] Podesta. If you don’t have two-factor and they’re a persistent threat then they’re definitely getting in.”
During the 2016 presidential campaign, Russian hackers were able to gain access to Podesta’s Gmail account as part of a complex and expansive information operation against American citizens.
One reason for that successful breach was that Podesta didn’t have two-factor authentication enabled on his personal account. When enabled, this security configuration requires a user to both enter a password and provide a randomly generated code that is automatically and independently sent to the account holder when a login is attempted.
“Although it varies somewhat in government, depending on the agency and its security standards, it would be standard for an official email account belonging to someone like Kushner to have two-factor enabled,” Patel explained. “The other issue is that, you know, the people trying to protect these officials don’t have the same chances of stopping an intrusion if that official is using some random app.”
The news is particularly ironic considering the fact that President Donald Trump lambasted Clinton during the campaign for her use of a personal email account while she was serving as Secretary of State under then-President Barack Obama.
“As a defender, if I don’t know something is out there, I can’t protect it. The use of private emails will only get basic protection that all of us get,” said John Bambenek, a manager of threat intelligence with U.S. cybersecurity firm Fidelis. “Even if the emails are unclassified, infecting the devices they use or gleaning other information is still valuable and puts them at risk.”
While it remains unclear whether Trump’s associates sent or received sensitive or classified material from their personal email accounts, as Clinton had, the latest revelation is nonetheless concerning to information security professionals.
“From a security perspective, private email services lack the visibility and accountability present with government systems,” explained David Smith, a former assistant special agent in charge for the U.S. Secret Service. “By law, all federal information technology systems must have a valid ‘Authority to Operate’ status, which is achieved after a thorough and lengthy review of dozens of security controls … private systems, such as the popular Web mail services, are not required to have this kind of security review.”
The law mentioned by Smith is known as the Federal Information Security Management Act, or FISMA.
“This lack of control of course means that the Federal government is unable to provide any protection for official information, regardless of classification level,” said Smith, who now acts as the chief information security officer of Nuix, a technology firm that works closely with the government.