The U.S. government, it seems, has a major security problem. Cybersecurity, specifically.
Within the past year, unclassified computer and email systems from the smallest federal agencies to the largest departments have all been compromised by activist hackers, government spies and organized criminals.
The State Department. The White House. The Joint Chiefs of Staff. The Office of Personnel Management. Even the IRS and the U.S. Post Office have had their systems breached and, in most cases, millions of private files and emails stolen.
In response to these attacks, U.S. officials and cybersecurity experts have mostly pointed the finger at Russian and Chinese state-sanctioned groups, although officials admit that hacks come from all over the world — even within the United States. For their part, Moscow and Beijing consistently deny any involvement, saying that they are, in fact, frequent targets of U.S.-sponsored hacking.
The number of successful hacks indicates Washington is doing a poor job securing its computer systems. Secretary of State John Kerry acknowledged as much in a recent TV interview when he said it was "very likely" some of his emails sent while in office have been read by the Russians and Chinese.
'Anyone could read it'
The basics of what we’ve come to think of as email — services like Gmail or Yahoo Mail, for example — are decades old and out of date, says Birger Christiansen, chief operating officer at the GhostMail privacy platform.
"That’s the crazy part; it’s such old technology," he told VOA. "POP3, SMTP — this stuff is 30, 40 years old. Everything else is new and super advanced, but not email."
Email servers pass data pass data back and forth with other servers, and then store it for specific account holders. Servers come in all shapes and sizes, from the mammoth operations of Google to Hillary Clinton’s controversial private server that was housed in her home in Chappaqua, New York, while she was secretary of state.
Messages that users send may have privacy protection, such as SSL encryption, Christiansen said. However, once that email leaves the sender’s server to find the recipient’s server — say from Gmail to Yahoo Mail — the information could be intercepted or "sniffed" without the sender or recipient having any indication that someone was eavesdropping.
"Whatever happens between those two providers, nobody really knows," he said. "And if nobody knows, then nobody knows how many routers and hubs this is being passed through and who is sniffing that data. That really makes it not like a letter at all but a postcard, because at that point anyone could actually look at it and read it."
Clearly, this and other flaws in email design can be fixed. For years, information classified by the U.S. government has been routinely sent from and to specific accounts using trusted hardware and secure lines — keeping communications away from prying eyes. And a growing number of firms, such as Christiansen’s GhostMail, now offer consumers end-to-end encryption and other measures that fix email’s fundamental insecurities.
But that security only exists when both sender and receiver are using the same secure platforms and servers — meaning once a user sends data to anyone outside that platform, the insecurities return.
"That we just haven’t figured out yet," said Christiansen.
Email: Path of least resistance
It isn’t just the structure of email that’s old and insecure; it’s often the network systems connected to the email servers themselves.
"I don’t think there’s a lot of examples of email servers truly being compromised," Christiansen said. "I think most hacks are actually within a network." And once a network is breached, so too is its email server.
Martin McKeay, a longtime cybersecurity analyst and editor of the Network Security Blog, agrees.
"Securing an end point, whether it’s the email server or system you’re using to connect to that, is difficult," McKeay said. "It can be done, but it requires not only configuring every single piece of equipment properly, but also maintaining it against hidden vulnerabilities you might not know about."
McKeay said it’s "impossible" to build a perfectly secure system, so businesses and governments run cost/benefit analyses to determine how much risk they’re willing to live with compared to the costs of security.
"Businesses have to analyze the risks in order to mitigate them," McKeay said. "But they still have to be aware [that] no matter how much they do, there’s still a certain amount of risk that will always remain, so that hackers will have access to that email."
People are networks’ weakest links
While McKeay said there will always be vulnerabilities that remain unknown until hackers find and use them — often called "zero-day exploits." But cyber analysts say there's a much larger network vulnerability: people opening email they shouldn’t.
"For the last 10 or 15 years, everyone has tried to build a moat around their network and block things from coming in," says Bob Stasio, a fellow with the Washington-based Truman National Security Project."“So the only things that are really allowed to go in and out of network now are email and Web traffic. That’s why hackers are using those mechanisms to get in and out of networks."
According to a Verizon data-breach report, email spear-phishing attacks — malicious emails disguised as legitimate messages — are the single most common means of delivering viruses, trojans and other malware into private networks. Authorities investigating the U.S. government computer hacks have also pointed to email spear-phishing as a likely culprit.
"Some of the hackers are doing their homework to such a degree that spear-phishing emails look like they’re coming from someone or an organization you should trust," said McKeay.
"When the bad guys are compromising the systems of someone you trust, they use that system, and get you going to click on things you shouldn’t. They find someone who is low on the trust chain and start building up to the person they want."
In the end, all the analysts VOA spoke with agree that U.S. government email and networks can be made more secure. But at least one questioned whether the will to do so exists.
"I don’t think they’re actually interested in it," said GhostMail's Christiansen. "Is the government truly interested [in securing the Internet]? Or are they like the NSA, interested in seeing as much of what’s going on if they can?"