We are all risky actors, we are all at risk, but what are we doing about it?
By Laura Haight
First, in the interest of transparency, Let me say I am a full-throated supporter of Hillary Clinton. At the same time, I agree, the whole email scandal is an unforced error on Hillary's part. It was a bad idea not even well executed.
But this post is not about that. I would not have even touched this subject until FBI Director James Comey said "...we assess it is possible that hostile actors gained access to Secretary Clinton’s personal e-mail account."
Much will be made about this speculation because it stands in stark contrast to the rest of Comey's compelling presentation of facts and findings.
Taking Director Comey's own previous comments about the prevalence of cybercrime in the world today into account, one could say of anyone with an email account that "it is possible hostile actors gained access to" your email account.
If you are a large business, take note that the director has said "There are only two kinds of businesses: Those that have been hacked and those that don't know it yet."
If you are a small business operating with your own servers or in the cloud, nearly 60 percent of you were hacked in 2014. The vast majority were exposed via actions taken by trusted employees in relation to their email. Employees who click on something they shouldn't, go somewhere they shouldn't be, download something or otherwise fall victim to phishing scams and open the door to malware, hacking, data loss and ransomware.
In another statement during his unprecedented press conference, Comey says: "We do assess that hostile actors gained access to the private commercial e-mail accounts of people with whom Secretary Clinton was in regular contact from her personal account." More precisely, that means people Clinton knows had been hacked. That hardly makes Clinton unique. There's an excellent chance, based on the FBI's own assessments of the veracity of cybercrime and hacking, that all of us are in communication with people whose email has been hacked.
That, in and of itself, does not make it any more likely that your email will be hacked. It may make it more likely that you will be targeted, that you will get an email ostensibly from your friend or business contact that includes dangerous malware just waiting for you to click on. But whether you click on it or not is in your hands. Do we know if Clinton did release malware into her email system? We do not. And statistically, the odds are on her side. Nationally, the Verizon 2015 Data Break Investigation found that 23 percent of users will open a phishing email and 11 percent of those will click on an attachment or link.
Government servers breached at least 13 times in 2 years
And then there's the whole question of the security of government information in the first place. The entire tenor of the director's grilling at the hands of the House Oversight Committee on Thursday implies that none of this would have happened if only Clinton had been on government servers. Not so.
Confidential and sensitive information has been exposed through hacks of government servers many times in recent years. In 2014, the Office of Personnel Management, the federal agency that is central to all hiring and employment in the federal government that includes background checks and investigation suffered a critical breach. In all, the personnel records of at least 21.5 million individuals were lost. Those records – of federal agents, CIA employees, from lawyers to clerks, and in agencies from the departments of state to education – included fingerprints, psychological evaluations, employment histories, evaluations of performance, histories of illness or drug/alcohol use.
That information is enough to provide plenty of fodder for "hostile actors" looking for blackmail targets inside the federal government. The agency has - necessarily - been mum about the extent of breached data, but the SF-86 form data that was compromised also includes information gathered, particularly from diplomats and other State Department employees, on contacts with foreign nationals.
Despite having this treasure trove of extremely sensitive information, the OPM didn't even have any IT security until 2013 (that was a year after Clinton left office) – a fact that was the subject of a scathing Inspector General's report in 2014.
The OPM is not alone in its exposure to hackers, cybercrime and data loss. Since 2014, 12 other federal agencies were hacked including the White House, the State Department's email servers, the Defense Department and, as we know, the IRS. Russian hackers were responsible for the hacks to State and Defense.
Congress is not immune
And what about our stalwart members of Congress? Back in May, the US House of Representatives banned members' use of Yahoo! Mail after several members were hit with ransomware traced back to a hacked Yahoo app. Even the government hacks into the government with the CIA admitting it had hacked into Congressional servers in July 2014 to gather information about a probe of interrogation techniques.
Trey Gowdy, the chairman of the House Select Committee investigating Benghazi, has himself used a private email address (treygowdy.com). Given his demands that Clinton turn over her servers for Gowdy's committee inspection, AlterNet and Correct the Record requested that Gowdy set the example by releasing all his own emails, provide information on how he segregates work and personal email, and detail on the location and security of the private email server. There has been no response. It is not unusual for elected officials to maintain separate domains for political purposes vs. governance. But what is more difficult is ensuring that both are clearly segregated and that there are no linkages, interfaces, connections between the two. Many elected officials, including the vociferous Gowdy, could find themselves running afoul of the same regulations were they to be subjected to the same intense scruitny as Secretary Clinton.
The bottom line? We have all been hacked. You can be on a hacked on gmail, hacked on cloud apps, hacked in federal government servers, hacked on the most secure of servers on some of the nation's largest companies - from health care to banking.
Our reliance on systems to protect us, is the real risk here. The FBI did a thorough, professional and nonpartisan job in investigating what happened. The results illustrate the risks that every business, agency and individual who controls information and shares it with others over digital networks and mobile devices needs to be aware of. But before we use this information to further partisan political goals, let's take a fiercely honest look at our own behaviors.
The takeaway should be how vulnerable are we all and what as a technology-enabled culture are we doing about it.