We tend to focus a great deal more on blame rather than root cause analysis and this is largely why we are really good at flaming people that make mistakes but not very good at mitigating or avoiding making them in the first place. Let’s take Hillary Clinton’s email server. There is a huge push to put her in jail or trivialize the problem, even the Post, which generally supports her, doesn’t on this, but this takes our eyes from the questions we should have been asking. I think there is a far bigger problem.
This should be the biggest question. How was an unsecured, unauthorized email server put onto the government network and why wasn’t it automatically identified and eliminated within hours rather than remaining in place for years? The Inspector General flagged this as a blatant security failure and alleged a far bigger problem before the FBI investigation. This should really trouble more people than it does because a common practice in penetrating networks is to replace a known safe device with an unsafe one while making it so the network can’t tell the difference. Particularly with Internet of Things (IoT) devices like networked printers, it is very easy to do and you can do it in a way that ensures your tracks are covered.
The process that Qualcomm demonstrated when I last visited is to mirror a secure wireless access point with a more powerful rogue, broadcast disconnect commands until one takes, then allow the printer to reconnect to the rogue access point (printers have been a target before), and finally pull off the security information from the printer. You can attach anything you want to the network and, unless you have a data platform that monitors traffic and reports anomalies, you won't know that it was done and the printer that was initially hacked will have no record of the event.
So, if government security can’t identify a rogue email server in a timely manner, how many other things are connected into the government network that are not only unsecure but might even be owned by hostile foreign governments?
It is assumed that Clinton’s server was compromised. If so, it would have not only been a massive source for confidential information but it would have detailed private conversations to a degree where an outside entity could effectively pose as someone inside and trusted, one common form of identity theft. In effect, it would be an ideal source of information for those attempting to phish or spearphish government officials. But is anyone looking for who and what was compromised?
Even politically, the real power in this information isn’t that a breach was likely. Rather, it would be what damage happened, is likely still happening, and what is being done to both quantify the damage and stop it from recurring. Other systems have been penetrated and everyone should have been notified that a phishing attack is likely.
The FBI seemed to believe that the email server should have been illegal, but wasn’t under the law. So why hasn’t the law regarding intellectual property been changed to make any future use of a personal system to store secure documents illegal? Clinton aside, if the government doesn’t want this to happen again, what has been done by the Republican-controlled Congress to make something like this actionable so the next time someone does it, they go to jail? The implication is that this is only a problem if the other party does this.
Clinton isn’t known as a techie, which means someone likely suggested the idea of a personal email server to her. It is certainly possible that that person wanted to create a breach they could exploit. So why don’t we know who came up with the idea and have they been fully vetted to make sure they weren’t operating as an agent of a foreign government?
Even if this isn’t the case this time, it sure points to the possibility of a close advisor to a candidate or elected official being in a position to create a breach. Finding out how this came about could provide the foundation for a vetting policy to help ensure that a future advisor won’t compromise the integrity of the office.
It is rare that a breach of this magnitude is an isolated incident (some are now roughly connecting this to the DNC hack). The fact that the email server existed for years in the first place showcases what was likely just the tip of the iceberg when it comes to bad security practices. By focusing on the email server and the politician who owned it, it is very likely that the bigger problem has been missed and that a full corrective action hasn’t, and won’t, be implemented. As a result, not only will the full damage from the breach likely never be known, but additional attacks may go undiscovered and unmitigated as well.
The lesson here is to step back from the event, look to see what the broader problem is and, rather than focus on blame, focus instead, at least initially, on making sure that not only is the full exposure mitigated, but the process that caused it and any collateral damage is corrected as well.
Sometimes it is way too easy to miss the forest by focusing too much on one tree.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+.