Chinese cyberspies have had access to the private email accounts of Obama administration officials and “top national security and trade officials” for at least five years, NBC has reported, adding to the long list of data breaches suffered by the US government at the hands of China in recent months and years.
What the Chinese found in the private email accounts of top US officials — vacation plans, notes to friends, and other everyday correspondences that pass through personal inboxes — likely bordered on the mundane.
But the fact that the hackers were able to breach the accounts in the first place and the potential fallout make it clear that the breach shouldn’t be taken lightly.
Here are 3 reasons why:
Administration officials are falling for phishing attempts
The email breach shows that government employees are still the administration’s weakest link in terms of cybersecurity.
At the highly technical Infiltrate hacking conference, a professional penetration tester for a major company in Silicon Valley told Business Insider that the easiest way to infiltrate a system is to bait an employee into clicking on an infected link in a seemingly innocuous email.
“People love to click on that blue line,” Ray Boisvert, a veteran of Canada’s intelligence services, told Business Insider at the conference.
From there, the hacker for hire can acquire the employee’s username, passwords, and other sensitive information — which can lead a hacker into the larger system.
This tactic, known as “phishing,” can be executed by unskilled scammers. When executed by a professional, however, phishing becomes a highly targeted tool that can trick even the savviest employees, let alone administration officials in their 50’s and 60’s whose work has only recently transitioned into the cyber realm.
Even if an individual has been trained by his or her agency to identify and avoid phishing scams, one cybersecurity course will not be enough to make that person change his or her behaviour in the long run, especially if it’s their personal email and their guard is down, cybersecurity expert Joe Loomis of Cybersponse told Business Insider.
“Statistically, if employees are not retrained to avoid phishing scams within 90 days, they start to click [on the malicious links] again,” Loomis said, citing data provided by the cybersecurity company Phishbite.
Hackers may have access to far more than just email accounts
Moreover, by unknowingly clicking on malicious links in emails, officials likely gave hackers access to far more than just the contents of their inboxes.
The information that can be gleaned from someone’s personal inbox goes beyond the mundane correspondences that often fill it, Loomis noted, especially when you have that person’s passwords and, consequently, the keys to unlocking other areas of their digital lives.
“And it only takes one email to compromise the entire computer,” he said. “These hackers cast a very wide net when choosing who to target, so that ultimately it becomes like shooting fish in a barrel.”
“It’s better to assume they have gotten a lot of intelligence this way than to say they haven’t been successful,” he added.
A political nightmare for Hillary, even if her private emails were secure
In March, Hillary Clinton admitted that she had used her private email address for work-related correspondences while serving as Secretary of State from 2009-2013.
Clinton’s use of a private email address was not illegal, but it drew intense criticism from politicians and experts who feared she had been sharing sensitive national security information via the seemingly insecure clintonemail.com server. The server is now being investigated by the FBI.
“In many ways, Hillary’s private system would have been safer purely because it’s a smaller target,” Loomis noted. “Only she and a few other people are using it, she had a whole IT security team monitoring the system for breaches.”
(In fact, Clinton has never provided details about her security team. A statement released by her team in March stated only that “robust protections were put in place and additional upgrades and techniques employed over time as they became available, including consulting and employing third party experts.”)
“Still, other candidates will probably jump on this and create a lot of fear and uncertainty about it,” Loomis added. “It’s an unfortunate example of being in the wrong place at the wrong time.”
Presidential candidate Jeb Bush, one of Clinton’s top GOP rivals, has already gone on the attack, tweeting that Clinton “should have known” better than to use a private email address for work.
“Even if Clinton did nothing wrong, she’ll be guilty by association at this point,” Loomis said. “It’s a political nightmare.”
Business Insider Emails & Alerts
Site highlights each day to your inbox.