According to the New York Times, government officials have revealed that President Obama’s email correspondences were included in the October breach of the State Department’s unclassified email server. While White House officials were quick to point out that no classified networks had been compromised, it is believed that Russian hackers gained access to an email archive containing messages from Mr. Obama to various people both inside and outside the White House.
Media outlets reported on the breach as early as last November, but the probability that even the president’s email was compromised is a recent finding. It begs the question: how hard is it to hack the White House, and what could possibly be done to thwart these cybercriminal operations?
To understand how to prevent email breaches not only on a national level, but also on a personal level, it’s important to know how the hackers operate.
How the Email Leak Happened
Because of the sensitive nature of the government being digitally infiltrated, the White House has been understandably mum on the intrusion, not even disclosing the nationality of the hackers (that they are likely working for the Russian government was disclosed by “others familiar with the investigation,” says NYT.) What we do know is that the hackers gained remote access to a server containing unclassified email messages whose content included some potentially sensitive pieces of information, including discussion about legislation and personnel changes.
There is no evidence that the president’s email account itself, or his personal BlackBerry device, have been hacked. As we learned from Hillary Clinton’s email snafu in March, the email accounts of federal officials are pretty well locked down. But when it comes to email communications, it’s not just the person’s account you have to worry about: it’s also the server that email is archived on, as well as the accounts and email servers of everyone with whom that person has exchanged email messages.
Because the endpoint is just as important as the account sending the message, only true client-side email encryption can keep messages safe.
Could Client-Side Email Encryption Have Prevented the Leak?
It hasn’t yet been reported whether the archive containing the unclassified emails was encrypted or not, but what we know for sure is that had the email servers employed client-side encryption, this would be a much harder operation to pull off. Encryption renders documents, files and email messages unreadable to anyone who doesn’t have the key to decrypt the data. That means that if an intruder hacks into a system, whether by stealing or brute forcing a password or by employing some sort of exploit, the data they steal is virtually unusable unless they also managed to gain access to the encryption key, which is much harder.
While breaking into a White House server certainly involved a sophisticated attack, if the server was unencrypted, those emails basically were easy pickins for potential data thieves.
Of course, while encryption should be a staple in any information security policy — especially a policy that guards national secrets — there are other potential places where security best practices might not have been followed. Because the emails the intruders got a hold of were unclassified, and classified networks were spared, it follows that security protocols protecting the highest clearance levels were adequate, but that lower levels required more protection. One of the most important security best practices is to audit your policies every time you encounter a breach, and revise. Perhaps some of the policies that protected Mr. Obama’s BlackBerry device and personal email account should be considered for implementation for unclassified networks and servers.
How Virtru Makes Client-Side Email Encryption Possible — And Simple
While client-side email encryption sounds like the sort of security measure it would take a tech expert to accomplish, that’s no longer the case. By requiring email recipients to verify their identities prior to decrypting and reading the email messages and attachments you send, Virtru provides true client-side email encryption, all with the flip of the switch. Plus, Virtru works seamlessly with the email provider you’re already using, so there’s no adjustment period. All you have to do is download a browser extension and click a button to protect your privacy.
Ready to get serious about email security? Download Virtru for free today.