Protecting Obama's Emails from Hackers
Experts: Treat Sensitive Data as If It Were Classified

A report that Russian hackers read President Obama's email correspondence raises further questions about White House cybersecurity, IT security experts say.
"If this is what was detected and reported, what wasn't detected?" asks Purdue University Computer Science Professor Gene Spafford. "For every intrusion - commercial, user, government - we should ask ourselves, 'What else don't we know about?'"
Some of Obama's emails were swept up by Russian hackers last year in a breach of a White House's unclassified computer system that was far more intrusive and worrisome than had earlier been publicly acknowledged, The New York Times reports, citing senior American officials briefed on the investigation.
A White House spokesman declined to comment on the report.
The previously reported breaches occurred in October, with hackers - believed to be Russians - accessing White House and State Department systems (see State Department, White House Hacks Linked).
Obama's BlackBerry Secured
The hackers did not appear to have penetrated closely guarded servers that control the message traffic from Obama's BlackBerry, which he or an aide carries, the newspaper reports. But the officials told The Times the hackers obtained access to the email archives of individuals inside the White House, and perhaps some outside, with whom Obama regularly communicated. From those accounts, they reached emails that the president had sent and received, according to officials briefed on the investigation.
Although classified information was not exposed, sensitive information, such as the president's schedule, might have been accessed, and that could cause problems for the U.S. government.
"While the White House and Department of State unclassified systems do not contain officially classified information, they often do contain very sensitive data, which can reveal U.S. plans and policy intentions," says Robert Bigman, a former chief information security officer at the Central Intelligence Agency. "The data can be used for foreign counterintelligence purposes by revealing information regarding, for example, the travel of government officials. This type of information can also potentially impact personal safety if it ends up in the wrong hands."
Damaging to National Security
"Surviving Cyberwar" author Richard Stiennon picks up on Bigman's theme: "One of the most important goals of nation-state espionage is the determination of intent; aside from capabilities, deployments, etc. Knowing what a leader intends is critically valuable. To the extent that President Obama revealed his intentions in emails to staff, State Department officials and Department of Defense members, the stolen email communications could be extremely damaging to national security."
Spafford sees another type of harm: making it easier to employ spear phishing within the government. "In general," he says, "information of any sort collected against a target is of some value."
Bigman says the U.S. government should start managing sensitive, unclassified networks by taking the same steps used to protect classified networks, including isolating software and data servers from the Internet and placing them in a "demilitarized zone" external domain that restricts data flow. Also, he says, the White House should enforce encryption and establish data firewalls within the internal network domain. "The government needs to issue new policy regulations that specify security measures for all networks [used for] processing 'unclassified/for official use' information," Bigman says.
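Bigman's recommendations above (isolating sensitive servers from the Internet, a DMZ that restricts data flow, enforced encryption and data firewalls inside the internal domain) can be expressed as a zone-based flow policy and audited against observed traffic. The Python below is an added illustration, not code from the article or from any government network; the zone layout, address ranges, port allow-list and the flow records it checks are all constructed for the example.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Hypothetical zone layout (constructed for this example). Anything not listed
# is treated as the public Internet.
INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"
ZONE_NETS = [
    (ipaddress.ip_network("192.0.2.0/24"), DMZ),       # Internet-facing relays and front ends
    (ipaddress.ip_network("10.10.0.0/16"), INTERNAL),  # sensitive-but-unclassified servers
]

# Zone pairs that may communicate, and on which destination ports. Any pair
# absent from this table is denied, so INTERNAL hosts never reach the Internet
# directly (they must go through the DMZ) and Internet hosts never reach INTERNAL.
ALLOWED: Dict[Tuple[str, str], Set[int]] = {
    (INTERNET, DMZ): {443},
    (DMZ, INTERNAL): {443},
    (INTERNAL, DMZ): {443, 993},
}

# Ports assumed to carry encrypted protocols; any cross-zone flow on another
# port is flagged as cleartext, which enforces the "encryption everywhere" rule.
ENCRYPTED_PORTS = {22, 443, 993}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are Internet."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONE_NETS:
        if addr in net:
            return zone
    return INTERNET


def parse_flow(line: str) -> Tuple[str, str, int]:
    """Parse a constructed 'src=... dst=... dport=...' flow record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])


def evaluate_flow(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one flow under the zone policy."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "allow", f"intra-{sz} traffic"
    if dport not in ENCRYPTED_PORTS:
        return "deny", f"{sz}->{dz} port {dport} is cleartext across a zone boundary"
    ports = ALLOWED.get((sz, dz))
    if ports is None:
        return "deny", f"{sz}->{dz} not permitted by segmentation policy"
    if dport not in ports:
        return "deny", f"{sz}->{dz} port {dport} not in allow-list"
    return "allow", f"{sz}->{dz} port {dport}"


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Evaluate each flow record and return (line, verdict, reason) triples."""
    results = []
    for line in lines:
        src, dst, dport = parse_flow(line)
        verdict, reason = evaluate_flow(src, dst, dport)
        results.append((line, verdict, reason))
    return results


# Constructed sample flows, as a firewall or flow collector might export them.
SAMPLE_FLOWS = [
    "src=198.51.100.7 dst=192.0.2.10 dport=443",  # Internet -> DMMZ front end: allowed
    "src=198.51.100.7 dst=10.10.1.5 dport=443",   # Internet -> internal mail archive: denied
    "src=10.10.1.5 dst=203.0.113.9 dport=443",    # internal -> Internet directly: denied
    "src=10.10.1.5 dst=192.0.2.20 dport=993",     # internal -> DMZ relay over IMAPS: allowed
    "src=192.0.2.20 dst=10.10.1.5 dport=143",     # DMZ -> internal over cleartext IMAP: denied
    "src=10.10.1.5 dst=10.10.2.8 dport=445",      # internal -> internal: allowed
]

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {line}  ({reason})")
```

Run against real flow exports, the deny lines are the candidates for investigation: an internal host reaching the Internet directly, or cleartext crossing a zone boundary, is exactly the kind of interconnection Bigman argues should not exist on networks carrying sensitive unclassified data.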
More Breaches Likely?
But rejiggering sensitive but unclassified systems could prove difficult, Spafford says. "The best methods would involve rearchitecting systems and removing most interconnections," he says. "However, that would be expensive, and it would involve having people learn new systems. Thus, it is unlikely to happen. Until security is viewed as something really important and worth the cost, we will continue to see incidents such as this and maybe, worse."
The White House breach was consistent with a cyber-espionage campaign attributed to Russian actors dubbed TEMP.Monkey, according to iSight Partners, a cyberthreat intelligence analysis and research firm.
"While we cannot confirm whether the president's unclassified email was accessed by these actors, publicly available information correlates with the timing, targeting and probable motivation of cyber-espionage operations performed by TEMP.Monkey," an iSight Partners statement says. "The group is known for their use of Cozycar malware, which has been used in targeting U.S. and European victims."
And it's not just the White House and State Department that apparently have been victimized by Russian hackers. Last week, Defense Secretary Ashton Carter described an incident earlier this year in which DoD sensors detected Russian hackers accessing a Pentagon network; they were immediately kicked off once identified (see Pentagon Updates Cyberdefense Strategy).
Still, one expert questions whether the hackers found any damaging information. "If there had been anything juicy," says Jim Lewis, a cybersecurity expert at the think tank Center for Strategic and International Studies, "the Russians would leak it."