As this is written, Debbie Wasserman Schultz, chairwoman of the Democratic National Committee, has resigned under pressure and effectively been forced off the stage of her party’s convention.
But the release of thousands of emails from the DNC showing how the party leadership conspired to keep Sen. Bernie Sanders from winning the presidential nomination is not all bad, because it revealed the fact that the breach took place.
While the leak is a huge embarrassment for the party as it prepares to nominate its presidential candidate, it’s really mainly a problem for a few people who were most responsible and, therefore, probably deserved it.
What would have been worse is a breach that went undiscovered while the depths of the DNC’s email were secretly mined indefinitely for information useful by its opponents, foreign or domestic. But perhaps more serious is the ongoing myth that email is somehow private or secret.
So let’s put that misconception to rest immediately. Email is not secure and it’s not private, and acting as though it is will only get you into a world of hurt. The DNC should have figured this out from the woes of Hillary Clinton and her now-public emails that gained her a shaming from the director of the Federal Bureau of Investigation (FBI).
In that case, former Secretary of State Clinton set up her own email server at her home, in an apparent effort to bypass federal archiving rules and to make her immune from Freedom of Information Act requests by the news media.
That effort backfired, and while her emails may not have been taken by hackers, they were taken by the FBI and subsequently released. While this was going on the DNC was operating its own email server and, as the released documents from WikiLeaks show, party officials were plotting the downfall of Clinton’s only serious challenger. This time the email wasn’t taken by the FBI but apparently by the Russian government, although so far that hasn’t been proven entirely.
But the real issue isn’t who took the emails, but rather the fact that they were taken. Once their contents were released it was clear the information in those emails had been treated with little respect by the people who compiled that archive of messages. Apparently, both the DNC and Clinton had just assumed that they would never come to light. So they had done nothing to protect them.
This is the lesson for everyone in government, business or private individuals. These two examples should show just how insecure email is and how badly it can affect your organization when it turns out that you guessed wrong about email security.
Fortunately, there are things you can do that will prevent email leaks that could embarrass you or damage your organization.
DNC Email Scandal Shows What Must Be Done to Prevent Breaches, Leaks
First, never assume that email is private. Even though you may trust the recipient, there’s nothing to prevent them from sharing your email with others. There’s also very little to prevent your email from showing up in the discovery process if you’re involved in a legal dispute, or from law enforcement from finding it—or, for that matter, a hacker.
Second, try to find some means of communications besides email. But just know that instant messaging isn’t secure, either. Once, when I was on assignment somewhere in eastern Europe shortly after the Soviets pulled out, my approach was to hold sensitive discussions while walking in the woods. You may not need to hike the Transylvanian hills, but face-to-face discussions are less likely to be intercepted than email. Just hope the other person isn’t recording you.
Third, since you’re going to use email no matter what I suggest, don’t discuss things that will land you in trouble if anyone finds out, because you have to assume they will find out. As Debbie Wasserman Schultz has discovered, they always find out.
Finally, if you absolutely must discuss sensitive information by email, then at least use encryption. Ray Rothrock, CEO of security vendor RedSeal, suggests sending email using encryption, but then sending the key using some other means. This is an instance when you could send the key via Facebook Messenger’s encrypted message service to decrypt sensitive email.
Of course, encryption only goes so far; if it’s a court or law enforcement, you may be compelled to provide the key. And if the email you’re sending exists in non-encrypted form somewhere on your computer, you can assume a hacker or the FBI (or both) will find it.
What else can you do? You need to protect your network so you can minimize the success of a hacking attempt. Rothrock said, “Start with good hygiene and policies, and then test everything to make sure it works.”
Rothrock ‘added it’s also important to make sure that exfiltrating information is very difficult through proper network design and management, as well as through the use of the right security products.
Unfortunately, for any of this to matter, policies must be in place to support the people who are protecting your email and policies about what can and what cannot be sent via email.
And there must be some effort to help people understand that the price of laziness, arrogance and stupidity is very high. It can cost your job and it may hurt even worse when it damages the organization. Allowing laziness or inattention to keep you from being secure is beyond stupid, as the soon-to-be former head of the DNC has just found out.