Diplomatic tensions escalated Thursday as China angrily denied it was behind a high-level breach of Google’s e-mail accounts.
But as U.S. officials said they were investigating the episode that hit senior government and military personnel, new questions emerged about just how much freedom the nation’s leaders should have on the Web.
A rush by government officials to use the hottest new gadgets and Internet services could be making them easier targets for hackers and others who want access to sensitive data, security experts say.
“The trade-off of user-friendliness and ease of use is less security wrapped around it,” said Wayne Matus, a partner at Pillsbury Winthrop and an expert on Internet security law. “Two locks around your door make it harder to get in, which is a pain, but that’s the point.”
Google said the breach was targeted and part of a phishing scam that duped victims into giving user names and passwords to hackers in the eastern Chinese city of Jinan. The hackers, according to Google, were then able to monitor the users’ correspondence and forward e-mails from the affected accounts to another account.
The Lanxiang Vocational School, which trains some computer scientists for the Chinese military, is in Jinan, where the latest attack appeared to originate. The school was implicated in last year’s hacking attack on Google.
The Chinese government denied the claims on Thursday, with a foreign ministry official calling Google’s accusations that the breach stemmed from China “a fabrication out of thin air.” It was the second time Google had blamed Chinese-based sources for attacking its services, and security experts say dozens of other companies, such as Yahoo and Microsoft, have been affected by similar attacks.
Secretary of State Hillary Rodham Clinton said in a news conference Thursday that Google’s allegations are “very serious” and that the FBI is investigating.
White House officials have said government e-mail systems weren’t breached, but it is unclear whether any of the material the hackers obtained contains sensitive information.
The company said the episode doesn’t mean Gmail is more vulnerable than other corporate or government e-mail systems. Google’s e-mail and other services are called “cloud” applications because they reside on multiple servers located around the world and are accessed through the Internet.
“Account hijacking occurs on all major Internet services, but Google continues to offer new security protections that influence other efforts across the industry,” a Google spokesman wrote in an e-mail. “The cloud is not to blame.”
But the rising use of cloud-based services by government officials and even journalists raises new issues about access to information.
Journalists routinely take notes on cloud-based applications, such as Gmail and Google Docs. If a reporter stores information from a government source on a cloud service hosted by Google or Microsoft, a court would not have to subpoena the journalist to get hold of the documents — it could subpoena Google or Microsoft.
“Any information on Gmail can be requisitioned through the appropriate legal process,” said Joshua Gruenspecht, a cybersecurity fellow at the Center for Democracy and Technology.
Press secretary Jay Carney said in a briefing that White House employees are instructed to conduct all work using government accounts as part of the Presidential Records Act.
But government employees, including those in the White House, can have personal e-mail accounts.
“If you’re talking about private use, that’s just different from work use,” Carney said. “I’m not aware of any law or rule that suggests that government workers cannot have separate private e-mail accounts.”
Staff writer Ellen Nakashima contributed to this report. Wan reported from Beijing.