Sorry for the pun based on a movie that is 20-plus years old, but that’s what came to mind when I considered the recent revelations surrounding CIA Director David Petraeus' sex scandal. If you’re unfamiliar with the story, in 2010 then General Petraeus allowed fellow West Point graduate Paula Broadwell to travel with him while he was leading our efforts in Iraq, and then when he was transferred to Central Command to lead our efforts in both Afghanistan and Iraq, so that she could write a book on his leadership style. The book was published in January 2012 as "All In: The Education of General David Petraeus." At some point after the married Petraeus left Afghanistan, he says the two started an affair. The affair came to light when Broadwell allegedly started sending anonymous, harassing emails, from various email accounts, to a woman she saw as a rival for the General’s affections. This rival reported these emails to the FBI, an investigation ensued, the married Broadwell was identified, the affair exposed, and Petraeus stepped down as CIA Director citing his unbecoming moral behavior.
Now to the point of this post - it was revealed that those involved used the cloud-based email application Google Gmail. This was for two reasons that I gather from reading the papers:
First, to correspond using in-the-cloud personal email accounts, instead of network-based, professional email accounts, to hide the “email paper trail” of these dalliances. In fact, Petraeus and Broadwell often used a shared Gmail account, so that they could each log in and view messages in the “drafts” folder, and not actually send emails at all, reducing the footprint even more.
Second, Broadwell purportedly took advantage of the ability to set up email accounts without having to use your real identity to send emails anonymously, and thus bother someone she thought could jeopardize her relationship with Petraeus without incrimination.
Both of these goals failed. Miserably. Identities were discovered and email files were exposed to authorities, and in some instances to the general public via the press.
As usual, full disclaimer – I’m not a cyber-security professional, a privacy lawyer, or a 12-year-old girl, so I’m not an expert in the above email tricks and activities.
Obviously the problem isn’t with Gmail, its security worked fine – this time. The problem lies, as more often than not, with people. More specifically, how people use technology. Its often been said that the biggest vulnerability to a network is the people who use it – we leave files open on our screen when we take a break, tape our password to our computer monitors, and click open emailed files from people we do not know.
With cloud services, many government-based individuals believe that because this data isn’t on their government-issued hard drive, the government cannot trace it to them, and there isn’t a record of it anywhere. And of course this isn’t true. We need to learn to take those security guidelines mandated by our government IT departments to heart, and remember that they should apply to our interactions with ALL computers and networks, not just the ones at work. Don’t get me wrong, I’m in no way saying these guys should have been more careful. Well, I guess I kind of am. But what I really want to do is point to this as an example that you should not assume your information will remain private – whether you’re logging into your agency’s VPN, doing online banking or shopping, or checking your child’s soccer schedule. Even if you’re on the up and up, you have to be careful, as hackers can find you without you having done anything unsavory.
Besides, if you’re going to great lengths to hide something, chances are you shouldn’t be doing that thing. The more you know…