As governor of Indiana, Mike Pence conducted state business using his personal email account. An AOL account. So of course someone hacked it. With a phishing scam.
This story offers no end of rolling punchlines, the kicker being the vitriol the vice president showed during the campaign toward Hillary Clinton’s use of a private email server. More importantly, as the Indianapolis Star first reported, it represents a troubling security lapse by a high-ranking public official. The batch of emails released by the state of Indiana reveals that Pence’s AOL inbox hosted plenty of sensitive material, up to and including the arrests of terror suspects.
You can pull any number of threads here, split all kinds of hairs about the relative vulnerabilities of private servers and personal accounts, and crack endless “you’ve got mail” jokes. But the biggest thing to remember has little to do with Pence: From a security standpoint, email is fundamentally broken. Until that changes, expect email hacks and scandals aplenty.
You’ve heard about so many email hacks that recapping them feels redundant. The Democratic National Committee got hacked, of course, and so did the Democratic Congressional Campaign Committee. And try finding someone who hasn’t read at least one of the 20,000 pages of private emails from Clinton campaign chairman John Podesta’s inbox dumped online just before the election.
Security experts largely agree Russia perpetrated those hacks in a bid to derail Clinton’s campaign. But beyond Russia’s involvement, the hacks aren’t unusual. Sarah Palin’s Yahoo account leaked in 2008. Someone hacked the Bush family’s AOL accounts in 2013. Sony Pictures saw all manner of internal communications stolen in 2014. You don’t have to be a politician or multinational company to get hit, either. Countless people find themselves targeted by hackers and phishers every day.
If anything, Pence got off easy. The attackers, who ultimately used their access to try scamming money out of Pence’s contacts, may not have realized the trove they’d accessed—or, more likely, saw more value in the cash than the political gamesmanship. Their motives are beside the point. What matters is hacks like these aren’t the exception to the rule, but the rule: If you use email, you will get hacked eventually.
Let’s start with the obvious: Personal email has no place in government business. Legally speaking, all state and federal employees must maintain a record of their communications. Transparency demands it. A government email account provides a digital paper trail, and something the public, or journalists, can demand access to. Personal accounts do not, because you may not even know they exist.
Equally important, they don’t offer the security of a .gov account. From a basic security perspective, no one earning a government paycheck should be conducting official business on Yahoo, or Gmail, or AOL, or anything else; the reasons should be obvious. Despite this, public officials continue using personal email. So do you. So do I, switching back and forth between work Outlook and personal Gmail. We all do it, for the same fundamental, inalienable reason: We find it so much easier. That’s doubly true for people toiling away in tightly controlled environments, where draconian restrictions on access and attachments can make logging onto work email literally more trouble than it’s worth.
“If I make it very difficult to access work email, or I make it difficult to send large files or sensitive files, there’s a pretty good chance that as a savvy user I’ll just use my Gmail account, or I’ll forward it to myself,” says Forrester Research security analyst Joseph Blankenship. “Now you’re outside the security policies—and you’re also outside protections that are there.”
VPN? No thanks. New password every three months? Nah. Mandatory two-factor? You’re kidding. Are you kidding? It feels like you’re kidding. The motivation for ditching a work-sanctioned email system rises in direct proportion to the security measures in place. And so human nature takes its course, for CEOs, politicians, and regular Joes alike.
So, sure, you can see why politicians hop onto Gmail and Yahoo and, yes, even AOL. And once that happens, the risk rises exponentially.
You’ve Got Hacks
Gmail and Outlook and all the rest employ the latest tools and sharpest minds to protect you from hackers. They do a good job, too, even as Yahoo’s breaches highlight their limits. But the excellent record of, say, Gmail, can also provide a false sense of security. Individual users can face immense risk, especially high-profile users. Like, say, a governor.
“Take any of the free email platforms out there. They all have a web interface. For the most part, they don’t require any sort of authentication beyond user name and password,” says Blankenship.
For a dedicated hacker or social engineer, a user name and password present only the slightest hassle. And they have no trouble finding plenty of password fodder for public figures—names of family members, favorite sports teams, birthdays, and so on. And however secure a platform like Gmail is on the back end, its ready accessibility from any web browser means anyone can take a crack at invading anyone else’s account.
Yes, many services offer optional two-factor authentication. Remember, though, that the main appeal of a personal email account lies in the looser restrictions it offers compared to official channels. And politicians too often know woefully little about infosec. Trump’s press secretary Sean Spicer even inadvertently tweeted what appeared to be his password. Twice.
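The preceding two paragraphs make the point that a web-accessible account guarded only by a user name and password is one good guess or one phishing click away from compromise, and that a second factor is what closes that gap. The following is an added example, not code from the article or from any email provider, showing in Python’s standard library how a time-based one-time password (RFC 6238 TOTP, HMAC-SHA1, 30-second steps) works as that second factor: a login check that fails when only the password is supplied, even if the password is correct. The account record shape, the password, and the salt are constructed for the demo; the TOTP secret is the RFC 6238 test-vector key.

```python
"""Added example (not from the article): a login check that requires both a
password and a TOTP second factor, so a password that has been phished or
guessed is not enough on its own. Stdlib only; the account record, password
and salt are constructed for the demo."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length used by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time // STEP_SECONDS), digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_account(password: str, totp_secret: bytes, salt: bytes) -> dict:
    """Constructed account record (assumed shape, for this demo only)."""
    return {"salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret}


def verify_login(account: dict, password: str, code, at_time: float,
                 window: int = 1) -> bool:
    """Both factors must pass. `window` tolerates +/- one time step of clock skew."""
    presented = hash_password(password, account["salt"])
    if not hmac.compare_digest(presented, account["pw_hash"]):
        return False
    if code is None:
        return False  # a correct password alone never logs in
    counter = int(at_time // STEP_SECONDS)
    for delta in range(-window, window + 1):
        candidate = hotp(account["totp_secret"], counter + delta)
        if hmac.compare_digest(candidate, str(code)):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test-vector secret and a made-up password.
    secret = b"12345678901234567890"
    acct = make_account("correct horse", secret, salt=b"demo-salt")
    now = time.time()
    print("password only:   ", verify_login(acct, "correct horse", None, now))
    print("password + code: ", verify_login(acct, "correct horse", totp(secret, now), now))
```

Run it and the first line prints False, the second True. The design point is that the TOTP secret never leaves the user’s device and the code changes every 30 seconds, so a phished or guessed password gives an attacker nothing usable without it; the comparison uses `hmac.compare_digest` so that neither the password hash nor the code check leaks timing information.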
And that’s before you even get to the easier ways hackers can compromise an email account. In a sophisticated phishing attack, you can mistake a malicious email for something from a trusted friend. Your entire security posture might depend on whether you click that link. In a rush, you might click it.
For all these reasons, don’t expect to see the flood of hacked email accounts slow to a drip anytime soon. Public figures will always use email. And email will always be a rich target. So yes, call Pence out for his hypocrisy. Giggle at his using an email provider best remembered for its CD-ROMs. But remember that the age of the email hack is only getting started, and won’t end until we fix email. Or fix ourselves.