The beginning of the end came for CIA Director David Petraeus when Paula Broadwell, a younger married woman with whom he was having an affair, "or someone close to her had sought access to his email," according to the Wall Street Journal's description of an FBI probe. Associates of Petraeus had received "anonymous harassing emails" that were then traced to Broadwell, ABC's Martha Raddatz reported, suggesting she may have found their names or addresses in his e-mail.
The e-mail account was apparently Petraeus's personal Gmail, not his official CIA e-mail, according to the Wall Street Journal. That's still a big deal: Some of the most powerful foreign spy agencies in the world would love to have an opening, however small, into the personal e-mail account of the man who runs the United States' spy service. The information could have proved of enormous value to foreign hackers, who already maintain a near-constant effort to access sensitive U.S. data.
If Petraeus allowed his Gmail security to be compromised even slightly, by widening access, sharing passwords or logging in from multiple addresses, it would have brought foreign spy agencies that much closer to a treasure trove of information. As the Wall Street Journal hints, investigators were concerned about Petraeus's Gmail access precisely because of the history of foreign attempts to access just such accounts:
Security officials are sensitive to misuse of personal email accounts—not only official accounts—because there have been multiple instances of foreign hackers targeting personal emails.
A personal e-mail account like Petraeus's almost certainly would not have contained any high-level intelligence; he probably didn't keep a list of secret drone-base coordinates on his Google docs account. But access to the account could have provided telling information on, for example, Petraeus's travel schedule, his foreign contacts, even personal information about himself or other senior U.S. officials.
Private e-mail services like Google's, though considered significantly more secure than most, still have susceptibilities to foreign intrusion. And it happens. Technology writers have sometimes discussed what one writer called the "password fallacy," the false sense of safety created by access systems such as Google's that balance security against ease of use. Even with Google's extra security features, the company must also avoid making security so onerous as to drive away customers, making it an easier target for foreign hackers even before Petraeus possibly started sharing access and thus diluting the account's integrity. And, as a Wired magazine investigation demonstrated in August, personal e-mail accounts often allow hackers access to other personal accounts, worsening both the infiltration and the damage.
All of this might sound a little overly apprehensive – really, U.S. national security is compromised because the CIA director's personal Gmail account might have been a little easier to hack? – until you start looking at the scale and sophistication of foreign attempts to infiltrate U.S. data sources. Chinese hacking efforts, perhaps the best-known but nowhere near the only threat to U.S. networks and computers, suggest the enormous scope and ferocious drive of foreign government hackers.
Some Americans who have access to sensitive information and who travel to China describe going to tremendous lengths to minimize government efforts to seize their data. Some copy and paste their passwords from USB thumb drives rather than type them out, for fear of key-logging software. They carry "loaner" laptops and cellphones and pull out cellphone batteries during sensitive meetings, worried that the microphone could be switched on remotely. The New York Times called such extreme measures, which also apply in other countries, "standard operating procedure for officials at American government agencies."
Even still, the publicly reported incidents of successful Chinese hacking – such as a March intrusion that stole a $1 billion, 10-year research project overnight – suggest that the efforts might be near-continuous and the successes rampant. A 2010 Chinese infiltration of the U.S. Chamber of Commerce ended up funneling weeks of corporate data; even after the chamber thought it had reestablished security, it discovered that an office printer and a corporate apartment thermostat were still sending data – who knows what kind? – back to China. You have to wonder what a similar infiltration into the private e-mail account of the director of the Central Intelligence Agency might have turned up.
Of course, the CIA director is not the Chamber of Commerce, which may explain why the FBI's counter-intelligence monitoring is so sensitive that just Broadwell's access to his Gmail account triggered an investigation. But the fact that the FBI looked so hard and so carefully – and that Petraeus lost his directorship of the CIA over an intrusion that many of us might consider minor or even routine – underscores the potential risk to U.S. intelligence entailed in Petraeus's, or Broadwell's, alleged misuse of his personal account.