Like any large modern organization, the executive branch of the U.S. federal government relies on technology to get its work done. That technology includes mobile devices, Wi-Fi networks, email servers, databases, and other IT solutions that would be familiar to any enterprise CIO or CSO.
The fledgling Trump administration has, inadvertently or not, engaged in some practices that most IT security professionals would consider risky.
Here’s a quick look at those risky behaviors and the lessons they offer for enterprise IT professionals managing data security for their own organizations.
Risk #1: Using old, unpatchable mobile devices.
President Trump’s phone of choice – the instrument for his polarizing tweets – is an out-of-date Android smartphone. During his meeting in February with Japanese Prime Minister Shinzo Abe at Mar-a-Lago, the president’s private club in Florida, administration officials received news of a missile launch in North Korea. The president’s phone was likely present for some of the sensitive discussions that followed.
Writing at Lawfare Blog, Nicholas Weaver, a senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, California, worries about the security risks of the president using an out-of-date Android smartphone:
Lost amid the swirling insanity of the Trump administration’s first week, are the reports of the President’s continued insistence on using his Android phone (a Galaxy S3 or perhaps S4). . . . President Trump's continued use of a dangerously insecure, out-of-date Android device should cause real panic. . . .
A Galaxy S3 does not meet the security requirements of the average teenager, let alone the purported leader of the free world. The best available Android OS on this phone (4.4) is woefully out-of-date and unsupported. The S4, running 5.0.1, is only marginally better. Without exaggerating, hacking a Galaxy S3 or S4 is the type of project I would assign as homework for my advanced undergraduate classes. . . .
Once compromised, the phone becomes a bug . . . able to record everything around it and transmit the information once it reattaches to the network.
The president and his staff should be using devices that are currently supported, receive security patches, and are hardened and managed to the standard required for government use. (President Obama used BlackBerry smartphones, including the BlackBerry Curve 8900, when he was in office.)
Lesson #1: Set and enforce policies keeping unsafe devices off the network.
Here are three things enterprises should do to reduce the risk of older, vulnerable smartphones connecting to their networks:
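Whatever form such a policy takes, the enforceable core is a device-posture check: before a phone is admitted to the network, its reported OS version, patch level, root status and encryption state are compared against a minimum baseline, and anything below it is refused. The following is an added illustration of that check, not code from the article or from any MDM vendor; the inventory records, the policy thresholds (minimum Android 6.0 / iOS 10.0, patch level no older than 90 days) and the evaluation date are constructed assumptions, and a real deployment would pull them from the MDM and identity provider rather than hard-code them.

```python
"""Device-posture check: decide whether a managed phone may join the network.

Added example for this article (not vendor MDM code). All records, thresholds
and the evaluation date below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str                   # "android" or "ios"
    os_version: str                 # dotted version string, e.g. "4.4.2"
    security_patch: Optional[date]  # Android monthly patch level; None if not reported
    rooted: bool                    # rooted/jailbroken, as reported by the MDM agent
    encrypted: bool                 # storage encryption enabled


@dataclass(frozen=True)
class Policy:
    min_os_version: Dict[str, str]  # platform -> lowest permitted OS version
    max_patch_age_days: int         # Android patch level may not be older than this
    as_of: date                     # evaluation date, injected for reproducible results


def parse_version(text: str) -> tuple:
    """'5.0.1' -> (5, 0, 1). Tuple comparison handles versions of differing length:
    (4, 4) < (4, 4, 2) and (6, 0) <= (6, 0, 1), which is the ordering we want."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device: Device, policy: Policy) -> List[str]:
    """Return every policy violation for the device; an empty list means ALLOW."""
    reasons: List[str] = []
    minimum = policy.min_os_version.get(device.platform)
    if minimum is None:
        # Unknown platforms are refused outright rather than silently allowed.
        return [f"platform {device.platform!r} is not permitted"]
    if parse_version(device.os_version) < parse_version(minimum):
        reasons.append(f"OS {device.os_version} is below minimum {minimum}")
    if device.platform == "android":
        # An unreported patch level is treated as a failure, not as "unknown, pass".
        if device.security_patch is None:
            reasons.append("security patch level not reported")
        else:
            age = (policy.as_of - device.security_patch).days
            if age > policy.max_patch_age_days:
                reasons.append(f"security patch level {device.security_patch} is {age} days old")
    if device.rooted:
        reasons.append("device is rooted or jailbroken")
    if not device.encrypted:
        reasons.append("storage is not encrypted")
    return reasons


def audit(inventory: List[Device], policy: Policy) -> Dict[str, List[str]]:
    """Evaluate a whole inventory; map device id -> list of violations."""
    return {d.device_id: evaluate(d, policy) for d in inventory}


# Constructed policy and inventory (assumptions for illustration only).
POLICY = Policy(min_os_version={"android": "6.0", "ios": "10.0"},
                max_patch_age_days=90, as_of=date(2017, 3, 1))

INVENTORY = [
    Device("galaxy-s3", "android", "4.4.2", None, rooted=False, encrypted=False),
    Device("galaxy-s4", "android", "5.0.1", date(2015, 4, 1), rooted=False, encrypted=True),
    Device("pixel", "android", "7.1.1", date(2017, 2, 5), rooted=False, encrypted=True),
    Device("iphone", "ios", "10.2.1", None, rooted=True, encrypted=True),
]

if __name__ == "__main__":
    for dev_id, reasons in audit(INVENTORY, POLICY).items():
        verdict = "ALLOW" if not reasons else "DENY"
        print(f"{dev_id:10} {verdict:5} {'; '.join(reasons)}")
```

Two design points matter more than the thresholds themselves: an unreported patch level or an unknown platform fails closed instead of passing by default, and the evaluation date is a parameter rather than `date.today()`, so the same inventory always produces the same verdicts in tests and audits.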
Risk #2: Using AOL or similar free services for official communications.
Government officials are usually legally required to use their official email accounts when conducting business. Restricting official communications to government email accounts serves two purposes: 1) it simplifies archiving and record keeping and; 2) it reduces IT security risks.
In March, The Indianapolis Star reported that Vice President Mike Pence routinely used his personal AOL account for state business while he was governor of Indiana. According to the paper:
Pence communicated via his personal AOL account with top advisers on topics ranging from security gates at the governor’s residence to the state’s response to terror attacks across the globe. In one email, Pence’s top state homeland security adviser relayed an update from the FBI regarding the arrests of several men on federal terror-related charges.
IT security experts have good reason to consider free consumer email services risky for official business: the organization cannot enforce multi-factor authentication, monitor logins, retain records, or apply its own filtering, so the account’s security rests entirely on the user’s password hygiene. Sure enough, Pence’s AOL account was compromised in June 2016, apparently by rudimentary means, and a scammer used the account to impersonate Pence, emailing his contacts that he and his wife were stranded in the Philippines and needed money.
(It’s worth noting, though, that Pence did not necessarily break the law by using his AOL account. According to the Indianapolis Star, “Indiana law does not prohibit public officials from using personal email accounts, although the law is generally interpreted to mean that official business conducted on private email must be retained for public record purposes.”)
Lesson #2: Use email products with a good reputation for security
Enterprise organizations should select an email service that gives administrators control over authentication and account recovery and that includes rigorous filtering of spam, phishing, and other inbound attacks. Some enterprises do use Gmail for business, but they usually pay for the administered enterprise version of the service rather than relying on free consumer accounts. To avoid the sort of account takeover that Vice President Pence fell prey to, enterprises should:
Risk #3: Using unsecured Wi-Fi to transmit sensitive information
There have been anonymous reports (such as this tweet from a supposed White House staffer) that the Wi-Fi networks at President Trump’s Mar-a-Lago resort are not secure.
In an interview about President Trump’s use of an older smartphone, Nathan Wenzler, chief security strategist at ArsTech, noted: “If [the President is] using Wi-Fi at Mar-a-Lago, it's possible that the traffic could be intercepted during transmission to the access point and compromised.”
Lesson #3: Train users to avoid dangerous networks and build security into content management systems
Enterprises face a similar risk with their employees’ use of Wi-Fi. Even if an organization’s own Wi-Fi networks are configured with encryption and other security features, employees still might connect to insecure or even hostile networks at remote locations such as cafes, restaurants, hotels, trains—and even golf resorts.
How should enterprises respond to this risk? For starters, enterprise IT organizations should:
Risk #4: Dispensing with a Chief Information Security Officer (CISO)
Just days before President Trump took office, retired Brig. Gen. Gregory Touhill resigned from his job as the first CISO for the federal government, a post he had assumed only four months earlier. The White House had its own CISO, Cory Louie; however, the Trump administration dismissed him in early February without explanation.
As Paul Innella, CEO of TDI Security, told SC Magazine, with the loss of both Touhill and Louie, “we don't have two very critical CISOs that should be watching the house," leaving cyber experts "a little trepidatious about what[‘s] going to happen next, mostly in terms of how this is going to affect national security."
Lesson #4: Appoint a CISO who is empowered to oversee data security strategies and tactics at the executive level
In today’s world of relentless data security attacks, the role of the CISO is essential. As Christopher Burgess explains in a blog post for IBM Security:
The key value provided by a CISO is in the role of business leadership, as the CISO must drive the information technology and security education of the workforce. In so doing, the efficacy of the various information security policies becomes clear, and the journey toward moving the workforce into a collaborative engagement with respect to information security begins.
At the same time, the CISO should ensure that security never compromises productivity. Like other executives chartered to contribute to the overall success of the organization, the CISO should lead security initiatives that protect data and operations, while ensuring that those initiatives also contribute to the organization’s effectiveness and efficiency.
The Trump administration is still in its early months and may evolve into an exemplar of IT security practices. In the meantime, enterprise IT organizations can use these news stories as gentle reminders to focus on protecting data, educating users, and empowering CISOs to lead initiatives that keep organizations productive and secure.