There’s a certain irony to the way the U.S. government approaches encryption and data privacy for its citizens, while simultaneously falling victim to major data breaches itself through embarrassing security lapses.
Up until recently, law enforcement agencies like the FBI had lobbied hard for companies like Apple and Google to be forced to program encryption “backdoors” into their services, like iMessage, so that they could listen in on the otherwise-blocked communications of suspected criminals or terrorists. Silicon Valley’s response (and what the White House eventually sided with) was that opening a “backdoor” for law enforcement is tantamount to ultimately opening a backdoor for anyone. The FBI and NSA counter-argued that they would be in control of the keys to those doors, and that user data would be safe with them.
That was a hard argument for privacy advocates to accept then, and it’s even less likely to win over anyone now in light of a new data breach scandal. The Guardian recently reported that a pair of hackers managed to access the personal AOL email account of John Brennan, director of the CIA. Not only that, but the data that was compromised through the breach – which included the names, contact information, security clearances and Social Security numbers of around 20 CIA employees – was leaked and published to Twitter.
While the contents of these emails were, in Fortune’s words, “mundane” and “peanuts as far as actual revelations and public interest is concerned,” the fact remains that a pair of reportedly teenage hackers managed to hack into the email account of the U.S. Director of Central Intelligence. The joke practically writes itself.
What isn’t funny, though, is the frequency of these stunning lapses in cybersecurity that expose sensitive information – in this case, that of just 20 people, but in the case of the OPM breach, that of over 22 million.
That the hackers were able to access Brennan’s email account through some simple social engineering is especially alarming. How does the director of the CIA, in this day and age, not have his email account protected with at least two factors of authentication? As Jasper Graham, former technical director for the NSA, tells The Guardian: “I’m sure if [Brennan] had gotten a text message saying ‘do you want to reset your password?’ he would have said no.”
Although the hacking of Brennan’s email account may not necessarily have caused any serious widespread damage (save for, perhaps, a heightened identity fraud risk for those 20 individuals), it does cast a spotlight on the need for multi-factor authentication and VPN access. It’s simply not enough anymore to trust that email and sensitive information are locked safely behind a simple user name and password.
Whether it’s through remote access VPNs, multi-factor authentication, or both, the fact is that anyone handling confidential data needs to adopt more sophisticated security measures to ward off potential cyberattackers and block illicit access – as John Brennan could have done here.
Want to learn more about two-factor authentication? Download our whitepaper “Two-Factor Authentication for VPN Access” to find out more.
In “Two-Factor Authentication for VPN Access,” we cover:
– The methods of authentication
– Common authentication combinations
– Criteria for balancing security and simplicity