Personal emails vs. national security

The Washington Post and New York Times

Published Nov 11, 2012 at 04:00AM

The beginning of the end came for CIA Director David Petraeus when Paula Broadwell, a younger married woman with whom he was having an affair, “or someone close to her had sought access to his email,” according to the Wall Street Journal’s description of an FBI probe. Associates of Petraeus had received “anonymous harassing emails” that were then traced to Broadwell, ABC’s Martha Raddatz reported, suggesting she may have found their names or addresses in his email.

The email account was apparently Petraeus’ personal Gmail, not his official CIA email. That’s a big deal: Some of the most powerful foreign spy agencies in the world would love to have an opening, however small, into the personal email account of the man who runs the United States’ spy service.

The information could have proved of enormous value to foreign hackers, who already maintain a near-constant effort to access sensitive U.S. data.

If Petraeus allowed his Gmail security to be compromised even slightly, by widening access, sharing passwords or logging in from multiple addresses, it would have brought foreign spy agencies that much closer to a treasure trove of information.

The FBI investigation that led to Petraeus’ sudden resignation as CIA director on Friday began with a complaint several months ago about “harassing” emails sent by Broadwell, Petraeus’ biographer, to another woman who knows both of them, two government officials briefed on the case said Saturday. When FBI agents following up on the complaint began to examine Broadwell’s emails, they discovered exchanges between her and Petraeus that revealed that they were having an affair, according to several officials who described the investigation on the condition of anonymity. They also discovered that Broadwell apparently had acquired some classified documents, and considered whether Petraeus might be the source, one official said.

A personal email account like Petraeus’ almost certainly would not have contained any high-level intelligence. But access to the account could have provided telling information on, for example, Petraeus’ travel schedule, his foreign contacts, even personal information about himself or other senior U.S. officials.

Web-based email like Gmail and Yahoo Mail can be quite vulnerable to hacking. Technology writers have sometimes discussed what one writer called the “password fallacy,” the false sense of safety created by access systems such as Google’s that balance security against ease of use. Even with Google’s extra security features, the company must also avoid making security so onerous as to drive away customers, making it an easier target for foreign hackers even before Petraeus possibly started sharing access. And, as a Wired magazine investigation demonstrated in August, personal email accounts often allow hackers access to other personal accounts, worsening the damage.

Chinese hacking efforts, perhaps the best-known but nowhere near the only threat to U.S. networks and computers, suggest the enormous scope and ferocious drive of foreign government hackers. Some Americans who have access to sensitive information and who travel to China describe going to tremendous lengths to minimize government efforts to seize their data. Some copy and paste their passwords from USB thumb drives rather than type them out, for fear of key-logging software. They carry “loaner” laptops and cellphones and pull out cellphone batteries during sensitive meetings, worried that the microphone could be switched on remotely.

FBI investigators were not pursuing evidence of Petraeus’ marital infidelity, which would not be a criminal matter. “Alarms went off on larger security issues,” one official said.