DHS Officials Put National Security at Risk with Webmail
By Jennifer LeClaire / CIO Today. Updated July 22, 2015.
When former Secretary of State and now Democratic presidential candidate Hillary Clinton used a personal e-mail account at the U.S. Department of State, it caused an uproar and an investigation. As it turns out, she wasn’t the only one to break the rules.
Department of Homeland Security (DHS) Secretary Jeh Johnson (pictured above) and 28 of his senior staffers have been using private Web-based e-mail platforms from their work computers for over 12 months. Cybersecurity experts, as well as advocates of government transparency, criticize such practices -- and it also flat out breaks DHS rules.
"The use of Internet Webmail (Gmail, Yahoo, AOL) or other personal e-mail accounts is not authorized over DHS furnished equipment or network connections,” according to the DHS Sensitive Systems Policy Directive issued in April 30, 2014.
What Went Wrong?
So what happened? Was this blatant rebellion? Hot shots looking to skirt the system for nefarious purposes? Not really. Johnson and his staffers apparently had obtained informal waivers that allowed them to override the directive, according to published news reports quoting a “top DHS official.”
We caught up with Kevin Foisy, chief software architect and co-founder of software security firm Stealthbits Technologies, to get his reaction to the news. He told us it’s not unusual for senior people in an organization to be exempted from normal IT security practices.
“Management clout sometimes tends to overrule the best IT security,” Foisy said. “But in the case of DHS and access to external e-mail, this is a bit surprising. E-mail is one of the leading exploited entry points into organizations: the phishing attack.”
Wide Open Back Door
Indeed, the State Department’s e-mail was hacked in 2014. The agency reported “activity of concern” in parts of its e-mail system, according to several news reports, citing a senior official.
In April, news emerged that Russia may have hacked White House computers in October. Hackers reportedly had access to sensitive information such as real-time, non-public details of the president's schedule.
And just this month, the Office of Personnel Management released the results of a forensics investigation into the recent cyberattack that affected its systems and data, revealing that the personal information of 21.5 million current and former federal workers was compromised.
E-mail is a major attack vector. For this reason IT security puts a great deal of effort into ensuring that malicious e-mail is blocked, preventing the user from being duped into clicking a link or opening an attachment that unfolds into an attack, Foisy said.
“Once the attacker finds a way in, the walls have been breached and the damage starts,” Foisy said. “By DHS allowing unguarded access to external e-mail systems, a gaping hole is potentially opened for hackers -- it’s a big, wide-open back door.”