As former FBI Director James Comey prepares to testify before Congress this week, it is worth reflecting about how poor cybersecurity choices gave rise to today’s current events and our nation’s current crisis. Forget—if you can—who you voted for, the Russians’ role in the election, the FBI’s handling of the Clinton email investigation, and President Trump’s firing of Director Comey. There are three important cybersecurity lessons we can take away from the election and today’s current events.
1. Know Where Your Data Is
We’ve heard about the laptop computer of Anthony Weiner and Huma Abedin. The FBI seized the laptop from Mr. Weiner in connection with their investigation into his sexting episodes and also found emails pertaining to Huma Abedin and Secretary Clinton in it. This led to the FBI’s pre-election notifications to Congress, and subsequent speculation about the impact of this on the election. The facts and timing behind this continue to be scrutinized and evaluated.
According to some reports, Ms. Abedin merely borrowed her husband’s laptop temporarily before returning it, yet somehow over a half-million of her emails came to reside on it. The lesson to focus on is that we are far too casual about control of our data. Sensitive data should be securely deleted from a computer before we give up control of it—assuming we are under no legal or ethical obligation to preserve that data. We should know where our data is, and where our backups are.
If you need to borrow a laptop (even a spouse’s) to check your email or perform certain tasks, be aware of what you are doing, and what you are downloading. Avoid connecting your smartphone to a borrowed laptop, and if you do, don’t let the smartphone back itself up to the laptop, which could leave a copy of all its data on the laptop. If you check your email using a borrowed computer, do it through a web browser (e.g. Chrome, Safari, Edge, etc.) in “incognito” or “private” mode and ensure your browsing history and data is not stored or is deleted. Don’t access your email through an email client software (such as Microsoft Outlook or Apple Mail) because that might download all of your emails from the cloud onto the loaner laptop. Before your return the laptop, ensure the laptop can no longer access your cloud accounts, and that it has not copied or downloaded your data.
2. Be Wary of Shadow IT
There have been recriminations about Secretary Clinton’s use of a personal email account and server while she was Secretary of State, but there hasn’t been enough examination of why Shadow IT is a bad thing. When an employee uses personal IT resources to do their job, that activity and data is out of view of the employer, in the so-called “shadows.” An employer provides computer resources to employees and has a responsibility to maintain the systems, keep track of company data, back it up, secure it, and secure the network and devices. When employees use their personal computers and email accounts for work, it creates security risks. The employer can’t secure systems or data it doesn’t know about, and individuals might have worse cybersecurity practices than the employer. It also means that the employer can’t preserve or provide this data when legally obligated to, such as during lawsuits or when responding to public records requests.
Secretary Clinton’s use of personal email created a steady drumbeat of negative news. After the election, there were reports that Vice President Mike Pence used a personal AOL email account to conduct official business while Governor of Indiana. Politics and current events aside, the broader lesson for all of us is that Shadow IT presents security, compliance, and document retention concerns for any organization. Shadow IT probably cannot be eradicated, so it is essential that employees have good cybersecurity habits both at work and home.
3. Protect Your Email From Hacking
Finally, the hack of John Podesta’s email account revealed emails that spanned a decade and were publicly posted to WikiLeaks before the election. Some emails were damaging to the Clintons and undoubtedly had a negative effect, and reports indicate this hack was conducted or supported by Russia, intended to disrupt or affect the election result. Even if one finds these reports inconclusive, the fact of the hack is clear. Then, it was reported that Vice President Pence’s personal email account had been hacked in the past as well, the personal AOL email account that had reportedly been used for official business.
We must all realize that email hacking is going on continuously and we are all vulnerable. Email hackers might launch inelegant frauds, as they attempted from Vice President Pence’s AOL account, essentially blasting to all of his contacts, “Help, I’m stranded in the Philippines, please wire me money.” Hackers also launch highly sophisticated frauds that collectively steal billions of dollars annually, through what the FBI calls “Business Email Compromise” scams, which affect individuals and businesses of all sizes. Hackers can also use confidential information within an email account for financial or other advantage.
We all must do a better job protecting ourselves and securing our data. A good place to start is with strong and unique passwords plus two-step login, also known as “two-factor authentication.” We should realize that cybercrime goes beyond technical attacks and includes “social engineering” cons, so we should be wary about clicking on links, downloading attachments, or providing information online. Finally, we should educate our children about cyber safety and ensure that they develop good habits for privacy, safety and proper use of the Internet.
None of this should imply that these three choices “caused” the crisis we seem to face today, except in the very limited rubric of what lawyers call “but for” causation. In other words, “but for” the occurrence of these three events, we would not be in the exact circumstance we are now. However, this is merely one small part of the causation test, as the other aspect is legal “proximate” causation. Today’s crisis is a result of a confluence of events and people, far beyond these three cybersecurity choices and resulting events. Nevertheless, the premise holds—cybersecurity choices matter and each of us would do well to make better choices.