How can a random teenager break into the CIA director’s private email? The problem isn’t technical.
The Defense Department will spend more than $5 billion this year to keep digital information from Iran, Russia, and China. But can it withstand the wily intelligence-gathering jujitsu of a stoned American teenager who goes by the name “Cracka”? That remains to be seen. The teen in question, who may have broken into the personal AOL account of CIA director John Brennan, today threatened to do the same to Deputy Defense Secretary Bob Work: to “Jack his account, leak his call logs, and, if there’s an email connected to it, we’ll just jack that, too,” the New York Post reports.
The Pentagon’s response: Worry not for Mr. Work. “At this time, nothing has been found that substantiates [the] claims,” said Lt. Cmdr. Courtney Hillson from Bob Work’s office, “We will monitor the networks for signs of suspicious activity and continue to mitigate any identified risks as we continue to work with law enforcement.”
The CIA has deferred the matter to the FBI. Cracka’s Twitter account, at the time of this writing, has been disabled.
For the rest of us, the question becomes how is it possible that, in 2015, a random teenager can break into the private email account of the director of the CIA? For the short answer, check out Wired has a play-by-play of what happened.
Cracka allegedly pulled it off without bypassing a single firewall. Rather, he and his associates simply got in contact with Brennan’s phone company, Verizon, misrepresented themselves as Verizon employees and wheedled personal information related to the spy chief’s credit card. He then contacted Brennan’s email service provider, AOL, and misrepresented himself as John Brennan in order to have the password reset. Making fun of AOL is easy. But it has surprising endurance among the national security community; a former deputy director of the NSA and a former DARPA director both have AOL email accounts, two people you could assume, like Brennan, would know better.
Finding a critical vulnerability in a firewall is just one way to steal data. A more reliable, inexpensive, and generally effective method is to exploit the human tendency to trust information provided as accurate. In other words, the way you get to the CIA director’s email is to convince a Verizon employee to give you John Brennan’s personal information just because you may be a Verizon employee.
In accomplishing this feat, Cracka has demonstrated excellent spy work and intelligence gathering. He’s also probably committed a prosecutable act of fraud — specifically, aggravated identity theft under Section 1028A of 18 U.S.C. The minimum sentencing guidelines suggest Cracka could be going away for two years or longer, a mandatory minimum sentence that “occurs when an individual knowingly possesses, uses, or transfers the means of identification of another person, without lawful authority to do so,” according to a recent report from the Congressional Research Service. Prosecutors could prosecute the fraud as aggravated identity theft with the intent to commit terrorism, in which case, Cracka would receive a sentence of at least five years.
Whatever it is, it doesn’t rise to the level of a nation-state hack. “There's a difference between hacking and taking over an account like what is reported to have happened with DCIA and simply having rival intel services reading private emails. The issue of spear phishing and social engineering is way more prevalent now than just a few years ago,” Patrick Skinner, a former CIA operative, told Defense One in an email.
How can intelligence agencies prevent this kind of this in the future? For starters, they could require all intelligence personnel to use only email service providers that feature two-factor authentication. Other than that, you can hire only spies who don’t create any personal digital information at all. But in a day and age where the average American produces more than 5,000 megabytes of data every 24 hours, the equivalent of nine CD-ROMs a day, the guy who isn’t making digital information is the outlier. Consider Dan Geer, the head of In-Q-Tel, the venture capital arm of the CIA — a man widely considered one of today’s leading minds on intelligence and technology — who doesn’t own a cellphone.
The way Skinner sees it, the CIA is probably not to blame for the hacking of its director. “I think the agency probably does a decent job with instilling some baseline cyber security for officers' home life. The trick is that they spend so much time being alert to nefarious activity at work where no one cuts corners, the private non-work stuff might slip under the radar,” he said.
He did add that simple cyber hygiene wasn’t the sort of thing stressed by the CIA as an institution. “I don't recall much concern over hacking private emails of officers, mostly because we assumed, at least overseas, that private email was in no way private,” he said.
Clearly, that would have been a healthy assumption for Mr. Brennan.