When The People In Charge Of U.S. Cybersecurity Get Hacked
ARI SHAPIRO, HOST:
A few days ago, the director of National Intelligence, James Clapper, admitted that he had been hacked. No state secrets or classified intelligence went missing. It was his personal email and phone accounts that were hacked by a teenager. The revelation came just months after the CIA director's personal email was also targeted. It got NPR's Mary Louise Kelly wondering who's next.
MARY LOUISE KELLY, BYLINE: When you start calling around security experts, asking what they make of the news that the top intelligence official in the country has been hacked, you hear - well, you hear chuckles.
AMIT YORAN: (Laughter) Sure. Clearly these types of compromises are an embarrassment.
KELLY: That's Amit Yoran. He's former director of cybersecurity for the Department of Homeland Security. As you can hear, he appreciates the irony that the people charged with protecting the nation's cybersecurity can't protect their own. But Yoran, who's now president of the network security company RSA, says on another level, it's no laughing matter. Even if national security weren't compromised, hackers still may have gleaned valuable information.
YORAN: So what is the tone in various communications? Who's inside his circle of trust? You know, what are his family interests and things like that which doesn't seem to have a whole lot of, you know, value at its face, but when you dig in, there's actually stuff which can be used down the road.
KELLY: Stuff which can be used down the road - that's exactly what CIA Chief John Brennan said he was worried about when his private AOL account was breached last October and details like his wife's Social Security number ended up online.
(SOUNDBITE OF ARCHIVED RECORDING)
JOHN BRENNAN: I was certainly outraged by it. I certainly was concerned about what people might try to do with that information.
KELLY: This prompts the question. Should officials operating at the very highest levels of national security be using private email accounts? Robert Knake was, until last year, the director of cybersecurity policy for the National Security Council at the White House. He argues spy chiefs like Brennan and Clapper don't have much choice.
ROBERT KNAKE: If you're a government employee, you're not supposed to be using your DNI or CIA or Department of Homeland Security email address for anything other than business purposes. What it would introduce is a situation in which you would be making government records out of your mortgage statements.
KELLY: That's right, mortgage statements, birthday messages to nieces and nephews. Knake points out that senior government officials have personal lives like the rest of us, which means they should try, like the rest of us, to follow the golden rule of the Internet era. Don't type anything you wouldn't want to see on the front page of the newspaper tomorrow.
KNAKE: A harder lesson is don't receive anything that you wouldn't want on the front page tomorrow.
KELLY: Meaning even if officials practice scrupulous online security - and there's no suggestion that Clapper or Brennan did otherwise - they can't control who emails them. Knake, now at the Council on Foreign Relations, says that's one way cyber intruders can get in. One possible solution - quitting free email providers like Yahoo and Gmail and moving to paid services that use voice or facial recognition. The days of using passwords to protect data may be numbered.
But public figures like the head of the CIA will be targets no matter what precautions they take, says Tony Cole. He's the global government chief technology officer at FireEye, a security company. Cole says hackers are always eyeing the next big prize - OK, like who?
TONY COLE: I wouldn't be surprised if someone hasn't tried diligently to go after the NSA director and others at that level, maybe in the White House.
KELLY: The National Security Agency and the White House surely know this and are working just as hard not to become the next spymasters to be spied on. Mary Louise Kelly, NPR News, Washington.