The Complex

Should our top spies be using Gmail?

In light of the Gmail-related scandal involving former CIA chief David Petraeus, one has to wonder: given the relative ease with which an intelligence agency — or just about anybody — can break into a private email account, should government officials entrusted with the nation’s most sensitive information be allowed to keep personal email accounts while in office?

True, Petraeus’ email was never actually broken into or hacked by the FBI. Agents gained access to his naughty notes by monitoring Paula Broadwell’s email and then asking Broadwell if she was having an affair with Petraeus. She fessed up and gave them access to her computer and with it, even more of his emails. Nevertheless, the very revelation that our nation’s top spy used at least one relatively unsecure Gmail account has prompted people to raise the above question.

I recall being surprised whenever one of Petraeus’ retired predecessors would reply to my emails from an AOL email account (insert ‘they still exist’ joke here) or something equally pedestrian. It just seems a little odd that people with access to incredible secrets use the same email services the rest of us do. (Granted, the former officials I email with have been out of office for years, sometimes decades. But don’t you just expect former spy chiefs to use some tricked-out, semi-creepy, super-secret email? Maybe that’s just me.)

If hacked, these emails could reveal plenty about the personal lives of their owners who hold high office. Hackers probably wouldn’t find state secrets, but they could find plenty of personal information — travel plans, info about friends and family, online purchases, bank accounts, the list goes on and on. As Google knows for business purposes, a look at someone’s email can paint a pretty valuable picture of who they are. Google uses this information to sell ads tailored to your interests. You can imagine what spies would do with it.

Still, there are questions about what type of service officials could use — perhaps something like Hushmail or TigerText or some NSA-furnished email — and how effective it would be. Would these texts and emails be monitored by the FBI for intrusions? (This would raise some interesting privacy issues, especially for the acquaintances of the government officials.) Even if top U.S. government officials use secure services for their personal emails and texts, is it realistic to assume that their personal information could be kept safe if their acquaintances are using unsecure email and texting services?

One noted IT security expert familiar with the intelligence world, with whom I spoke, said that while it’s surprising that officials such as CIA directors use Gmail and similar email clients, it would be challenging to develop a secure method for them to transmit private information.

"I don’t really think the government has the ability to deploy something like that, and one of the reasons why people use these [private] systems is they don’t want that same level of monitoring going on with their private emails that they would get under any government supplied system," said the expert.

The expert recommended that CIA directors and the like take a page from private business executives’ playbook and use Gmail’s two-step authentication system, which is, according to him, much more secure than competitors such as Yahoo (the result of a major hack Google suffered in 2009), and then hire an outside company to scan their laptops, smartphones, and tablets for intrusions every few days. "You tell ‘em, ‘Don’t log into the hotel PC, don’t log into the airport kiosk, none of that kind of stuff.’"

These frequent scans are vitally important since they will be one of the only ways to protect against spear-phishing attacks by foreign intelligence agencies that have hijacked the email accounts of a VIP’s acquaintances.

At the end of the day, the expert reiterated, public officials should simply keep sensitive info out of their email.

"What could somebody find if they just logged into your email one day," he said. "Is your social security number in any of the emails, your tax return? I go through periodically and I just purge everything I can find."

One government official who seems to get this is Department of Homeland Security Secretary Janet Napolitano, who doesn’t use email, partially out of concerns about its vulnerability to hacking.

John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com’s publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group in Mountain View CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California’s central valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were ok. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.
