A top government official is using personal accounts for government business and Congress is worried hackers could spy on sensitive or classified communications.
This time, it’s presidential adviser and son-in-law Jared Kushner who’s in Congress’s crosshairs for using the messaging tool WhatsApp – including, possibly, communicating with world leaders on the app -- according to a Thursday letter to the White House from House Oversight Committee Chairman Elijah Cummings (D-Md.).
And Kushner isn't the only one creating a security headache by using insecure tools for communications -- first daughter and presidential adviser Ivanka Trump uses and continues to use her personal email account for official business, the letter states. Oversight has also obtained documents showing that then-deputy national security adviser K.T. McFarland and then- White House strategist Steve Bannon used personal email accounts during their time in office, the letter states.
The committee is asking the White House for a full accounting of all official business conducted on personal accounts by April 4 – and threatening subpoenas if it doesn’t get it.
The controversy highlights how cybersecurity precautions that are perfectly sufficient for average citizens can still fall short when it comes to highly sensitive information held by top government officials.
WhatsApp, for example, is widely viewed as one of the most secure commercial messaging systems because it uses end-to-end encryption by default – that means the messages are scrambled into gibberish during the journey between the sender and the recipient and no one can unscramble them, including the company itself.
But no company’s security is perfect, and top hackers could discover an unknown bug that allows them to get around the WhatsApp encryption system. Indeed, on Thursday, cybersecurity reporter Brian Krebs revealed a security flaw at WhatsApp parent Facebook that left hundreds of millions of user passwords exposed to Facebook employees.
There are also other ways a highly sophisticated hacking group could spy on Kushner’s WhatsApp messaging.
For instance, if hackers compromised his phone through another channel, they could install a tool that recorded everything he typed into it. That would make hacking into the app itself unnecessary, Tom Suder, a specialist in government mobile technology and president of the Advanced Technology Academic Research Center, a government-industry partnership, told me.
Or, someone could steal the device itself. If Kushner is using WhatsApp on a personal device, that would make it unlikely that security officials could remotely wipe its contents to ensure thieves didn’t get access to sensitive information contained within, Nabil Hannan, managing principal for financial services at the software firm Synopsys, told me.
“Tools like WhatsApp can be pretty effective for providing solid and secure end-to-end encryption for private citizens,” Richard Ford, chief scientist at the cybersecurity company Forcepoint, told me. “However, the people we’re talking about here are not your average Joes, but face a very different threat profile.”
The security concerns are the same as when Secretary of State Hillary Clinton used a personal email server while in office, experts told me. President Trump made Clinton's private email server a persistent theme of his 2016 campaign, calling for an investigation and prompting supporters to yell "Lock her Up!" at the former first lady.
The new information illustrates a continuing problem in the Trump administration of officials playing fast and loose with cybersecurity. Trump himself has refused to adhere to some security protocols on his White House cellphone, according to a 2018 Politico report.
Officials’ use of personal accounts may also run afoul of government recordkeeping requirements, as my colleagues Tom Hamburger and Josh Dawsey reported. Kushner’s lawyers said he adheres to records requirements by taking screenshots of his WhatsApp conversations and sending them to his White House email or to the National Security Council.
Personal devices and commercial email and chat tools don’t have nearly as many security protections as the versions used by large enterprises – especially hypersecure systems like the White House, security experts said.
White House security officials are also likely to do a far better job monitoring devices, and email and chat tools, for suspicious activity than individuals, they said.
And the danger of possible breaches is far higher if you’re a top government official dealing with sensitive issues that major hacking groups, including foreign intelligence services, want access to – like, say, if you’re negotiating Middle East peace.
“If you’re sitting in a sensitive position in government, you’re definitely a target,” Tony Cole, chief technology officer at Attivo Networks and a former FireEye, Symantec and McAfee executive, told me. “That’s why it’s critically important to stick to government systems. If you don’t, you’re putting everyone at risk.”
Kushner’s personal counsel Abbe Lowell told House Oversight leaders in December that Kushner uses WhatsApp for official White House duties -- including communicating with people abroad. Lowell, however, would not say definitively whether Kushner uses the app to communicate with foreign leaders, according to the letter.
A key line from the letter to Cummings: “When asked whether Mr. Kushner has ever used WhatsApp to discuss classified information, Mr. Lowell replied, ‘That’s above my pay grade.’”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Countries around the globe are taking advantage of supercheap spyware tools to conduct surveillance on adversaries and internal dissidents, according to a New York Times deep dive from Mark Mazzetti, Adam Goldman, Ronen Bergman and Nicole Perlroth.
“Today even the smallest countries can buy digital espionage services, enabling them to conduct sophisticated operations like electronic eavesdropping or influence campaigns that were once the preserve of major powers like the United States and Russia,” the Times reported. “Corporations that want to scrutinize competitors’ secrets, or a wealthy individual with a beef against a rival, can also command intelligence operations for a price, akin to purchasing off-the-shelf elements of the National Security Agency or the Mossad.”
The article focuses on two well-known spyware providers — the Israeli company NSO Group and the Emirati firm DarkMatter — and describes the Middle East as the “epicenter” of a $12 billion hackers-for-hire industry.
“NSO and DarkMatter also compete fiercely with each other, paying handsomely to lure top hacking talent from Israel, the United States and other countries, and sometimes pilfering recruits from each other, The Times found.”
PATCHED: Facebook kept hundreds of millions of customer passwords stored in plain text so they were visible to the company’s employees, cybersecurity blogger Brian Krebs reported Thursday. Some of the passwords had been stored unencrypted since 2012, Krebs reported.
An internal “investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees,” an anonymous Facebook insider told Krebs.
Facebook plans to alert the affected users but won’t require them to reset their passwords, Krebs reported. There’s no evidence Facebook employees did anything nefarious with any passwords, the company told Krebs.
Here’s from my colleague Tony Romm, who reported on the mishap: “Facebook’s mishandling of users’ passwords adds to a litany of recent privacy and security mishaps at the company, some of which have triggered investigations in the United States and European Union and could carry the risk of steep fines and other punishments.”
“Most affected were users of Facebook Lite, the company said, a stripped-down version of the social network that’s largely in use in countries with lower Internet-connection speeds,” Romm reported.
Here's an explainer from cybersecurity expert Robert Graham:
2/ The analogy is that Facebook has all the proper locks on the doors -- but somebody left the window open.— Robᵇᵉᵗᵒ Graham (@ErrataRob) March 21, 2019
PWNED: The division that does most of the Homeland Security Department’s cybersecurity research needs to do a better job coordinating its efforts, according to a watchdog report from the Government Accountability Office.
The DHS Science and Technology Directorate hasn’t convinced all DHS divisions to participate in its efforts to coordinate research priorities and it stores information about those efforts in too many different places, the report found.
The directorate also isn’t gathering enough feedback from the groups that are supposed to benefit from its research.
In addition to cybersecurity research, the directorate funds research focused on border security, disaster resilience and other topics.
Cybersecurity news from the public sector: