New Clinton Email Shows Bad Advice from Colin Powell
Republican Secretary of State Dismissed Security Warnings as 'Nonsense'
Former Secretary of State Colin Powell. Photo: DoD News (Flickr/CC)
The House Oversight Committee released on Sept. 7 a fascinating email sent by former Secretary of State Colin Powell to Hillary Clinton just prior to her assuming his job in early 2009. The email was released to buttress Clinton's case that other public officials used private email for public work. But in computer security and intelligence circles, it's far more interesting for another reason.
Powell was secretary of state under President George W. Bush from 2001 to 2005. The friendly email reveals that he used a personal computer to communicate with foreign and government officials. He also fought hard to use a personal wireless device despite security worries from National Security Agency and Central Intelligence Agency officials. The email reveals just how out of touch Powell was with how spies in the internet age work - and how that naivety may have unwittingly been passed on to Clinton.
In his email to Clinton, posted by CBS News, Powell writes that the State Department's Bureau of Diplomatic Security unit blocked him from taking his PDA (that's his term) into secure zones.
"When I asked why not they gave me all kinds of nonsense about how they gave out signals and could possibly be read by spies, etc.," Powell writes. "Same reason they tried to keep mobile phones out of the suite. I had numerous meetings with them. We even opened one up for them to try to explain to me why it was more dangerous than, say, a remote control for one of the many TVs in the suite. Or something embedded in my shoe heel. They never satisfied me, and NSA/CIA wouldn't back off."
Powell, a former U.S. Army four-star general, should have had a passing familiarity with signals intelligence - a rich source of information for the U.S. Cracking open a device would have been a meaningless demonstration. Perhaps Powell intended to prove there wasn't an obvious tiny microphone. But even back in 2009, the methods had already moved on - it's about compromising software.
There's a reason why Powell's PDA was banned from the State Department's secure suite. It's the same reason that you can't take your personal phone or any other devices into the more secure chambers of a U.S. embassy. The devices could be used as points from which to launch attacks against wireless networks or be left behind as footholds. There's also no guarantee that Powell's PDA did not contain malware that could be used to trigger its microphone. Powell is exactly right that the TV remote could hold the same risks - especially so with the advent of smart TVs. But it was a poor argument for the right to bring his device into a secure area.
Wireless Risks
The leaks from former NSA contractor Edward Snowden revealed just how fruitful signals intelligence is for the U.S., U.K., Australia, New Zealand and Canada - the so-called Five Eyes nations whose geographic positions all but guarantee wireless communications around the world can be intercepted.
On Sept. 6, the Intercept - which holds Snowden's vast archive - published an in-depth story on Menwith Hill Station, a top-secret facility in North Yorkshire with structures - resembling huge golf balls - containing powerful antennas. Those antennas are part of a system that's designed to capture wireless signals like those transmitted from Clinton's BlackBerry and Powell's PDA. Make no mistake: other countries with well-formed intelligence agencies are doing the same. Encryption is crucial. You can't stop other countries from collecting your signals, but you can stop them - or slow them down - from reading whatever they've collected.
That's why the seeming ignorance around email and signals security of high-ranking U.S. officials is so baffling.
The aim of Powell and Clinton in using private devices was to keep correspondence off State Department servers, preventing their eventual release as part of the public's right of access to government business. But that avoidance - which at least at this time is not illegal - poses a grave risk that it appears is only now being recognized by top officials. Adversaries have likely been reading the correspondence for a long time, ultimately jeopardizing national security. If the Clinton email brouhaha has done anything, hopefully it thwarted the further use of private email and devices by those with access to sensitive government information.