720-891-1663

Best Practices, Breach

What Does Mike Pence’s Use of A Personal Email Account Teach Us?

Leave a comment

The Washington Post is reporting that Vice President Mike Pence used a personal email account to conduct government business when he was Governor of Indiana.

The Veep says that his use of a personal email account is different than Clinton’s use of a personal email account and I do not want to turn this into a political blog.  Pence said he didn’t break the law and I believe him.  That doesn’t mean that doing what he did wasn’t extremely reckless.  There were emails between him and Homeland Security regarding very sensitive terrorism matters that have no place being discussed on AOL.

There are some similarities that can’t be ignored:

  • Both used personal email accounts for government business
  • It appears that neither one violated the law at the time by using personal email accounts.
  • Emails from both accounts were publicly disclosed – one by a hacker and one after the fact by the government.
  • Emails in both accounts contained sensitive information, although, some of Clinton’s emails may have contained classified information even though none were marked with classified markings (either of which is a problem!)
  • Both email accounts contained emails, the content of which, according to each owner, was too sensitive to release publicly.

One thing that is different is that Pence’s email was known to be hacked while Clinton’s email is only speculated to possibly have been hacked.

So what can you or I learn from this situation and what might we do differently?

The first thing is to understand that normal email – in VP Pence’s case, it was an AOL account and in Clinton’s case it was a personally managed email server – is likely not very secure. Period.

Second is that if you plan to use email for sensitive information – which apparently both people did – you need to take extreme measures to protect it – which apparently neither person did.

Third, when it comes to the intersection of security and convenience, if you are going to use email for sensitive communications, security needs to win.  In neither case did that happen.

In THEORY (but only in theory), the privately run email server of Hillary Clinton COULD HAVE BEEN more secure than a public email server run by AOL because AOL has designed it’s email service to be used by grandma to get pictures of her grand-kids and a private email server can be designed to do whatever the owner decides is important.

If you are an executive of a company, of a state or of a country, you need to either understand enough about cybersecurity to make critical decisions (which is unlikely to be the case) or consider security important enough that you have people on your team who you can trust and count on to do that for you.

Public email servers like Google, Microsoft and AOL will NEVER be able to do that – it isn’t what you are paying for (which is pretty much zero).   You do, in fact, get what you pay for in this case.

While the Veep likely broke no laws by using a personal email account, if those emails were too sensitive to publicly release,  then the use of a public, consumer grade email solution shows, at a minimum, extremely poor judgement.

Executives need to become modestly technically adept and surround themselves with people who have the appropriate technical skills.  Then they need to do what those people tell them to do.

It seems like neither Pence nor Clinton did that.

For executives in private industry, it is unlikely that they will have classified emails in their inbox, but it is highly likely that they will have emails that are too sensitive for public release.

So why the <bleep> are they sending that kind of stuff over public email.  Regardless of what Google or any other general purpose public email provider might say, in reality, with the exception of a handful (literally) of security oriented email providers – all very small – no commercial email is encrypted in a way that you should consider safe from compromise and disclosure.

THAT is the message I want to deliver today.  It has nothing to do with either Pence or Clinton.  They are just the opportunity to discuss the issue.

So, executives —

SECURITY or CONVENIENCE – pick one.  And if you pick convenience and your emails show up in Wikileaks or the New York Times, don’t say you were not warned.

Consider yourself warned.

 

Information for this post came from the Washington Post.

Facebooktwitterredditlinkedinmailby feather

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2024 CyberCecurity, All rights reserved. Privacy Policy