Department of Homeland Security Secretary Jeh Johnson yesterday confirmed that he and 28 senior staffers have been using private web-based email on work computers for the last year.
Private email was banned from DHS computers in April 2014—after Office of Personnel Management (OPM) computers were breached.
Now that he’s been caught by media for bending the rules, Johnson said that he plans to use his smartphone to access his personal Gmail account from now on.
Speaking at a Politico event, Johnson said that he had obtained a waiver from DHS' chief information officer to continue accessing webmail from work.
“At my desktop at work, I was, via the Internet, accessing my personal email account, so I could see who was sending me stuff on my Gmail, my personal account," he said. "Not to be confused with my DHS account, which I use all the time."
This, despite the fact that email is one of the most commonly exploited entry points into organizations, via phishing. All it takes is for a user to click a malicious link or open a weaponized attachment, and it makes no difference whether the account is strictly personal: a personal webmail session on a work desktop sits outside the organization's own mail gateway, so attachment scanning, link rewriting and quarantine never see the message, while whatever the user opens runs on a machine inside the network.
After cybersecurity experts pointed out this and other gaps that such a practice introduces, Johnson said that he had had a proverbial come-to-Jesus moment.
"To be perfectly honest, this is something that I had for a while. And when I read the story, I said, you know, 'Whoops, this is not a good practice, so I should discontinue it,'" he explained. "So, I’m suspending that. Probably should have done it sooner."
He added that he “hoped” the other staffers would follow suit.
Kevin Foisy, chief software architect and co-founder of STEALTHbits Technologies, said via email that Johnson’s special dispensation isn’t that uncommon—but it could be characterized as irresponsible.
“It’s not unusual for senior people in an organization to be exempted from normal IT security practices; management clout sometimes tends to overrule the best IT security,” he said. “But in the case of DHS and access to external email, this is a bit surprising.”
He added, “By DHS allowing unguarded access to external email systems, a gaping hole is potentially opened for hackers—it’s a big wide-open back door.”
Brian Vecci, VP of product management at STEALTHbits, added that the practice also represents a classic shadow IT issue.
"Third-party email use has traditionally been disallowed for a simple reason: any system that’s not under the control of the organization is a risk,” he said. “When someone sends an email using Gmail or Yahoo, that information isn’t monitored by the organization, bypassing the policies and controls used to protect information. Just because Gmail itself hasn’t been hacked doesn’t mean that information is protected, since any individual user could have their account compromised and all of their email stolen. Since it’s outside the network and control of the organization, it’s extremely difficult for them to identify and mitigate any kind of breach. You can’t manage what you don’t monitor, and when your users are using Gmail to communicate, you can’t monitor anything."
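The one place an organization can still see personal webmail use from its own desktops is the outbound web proxy. The following is an added example, not code from the article or from DHS or STEALTHbits, of the check a security team would run to find who is reaching webmail from work machines and whether a given hit is blocked, waived, or a policy violation. It assumes a Squid-style access log format, a small table of webmail hostnames, and a hypothetical waiver list standing in for the CIO waiver the article mentions; the log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample proxy log (Squid native format, simplified):
# "timestamp elapsed client action/status bytes method url user"
# These lines are made up for the example and do not come from DHS.
SAMPLE_LOG = """\
1433900001.123 245 10.1.2.10 TCP_MISS/200 5120 GET https://mail.google.com/mail/u/0/ jdoe
1433900002.456 120 10.1.2.10 TCP_MISS/200 800 GET https://www.dhs.gov/ jdoe
1433900003.789 300 10.1.2.44 TCP_MISS/200 7000 GET https://mail.yahoo.com/d/folders/1 asmith
1433900004.012 90 10.1.2.44 TCP_DENIED/403 0 GET https://outlook.live.com/mail/ asmith
1433900005.345 210 10.1.2.99 TCP_MISS/200 4100 GET https://mail.google.com/mail/u/1/ secretary
"""

# Webmail front ends the policy bans. Extend with whatever your proxy categorizes as webmail.
WEBMAIL_HOSTS = {
    "mail.google.com": "Gmail",
    "mail.yahoo.com": "Yahoo Mail",
    "outlook.live.com": "Outlook.com",
}

# Hypothetical waiver list: users the CIO has exempted from the ban (an assumption for
# the example; the article only says such a waiver existed, not who held one).
WAIVERS = frozenset({"secretary"})

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<action>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one Squid-style access log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
    return rec


def find_webmail_access(log_text, waivers=frozenset()):
    """Return one dict per request that reached a known webmail host.

    Denied requests are reported too: a blocked attempt still tells you who is trying.
    A hit is a 'violation' only if the proxy let it through and the user holds no waiver.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = WEBMAIL_HOSTS.get(rec["host"])
        if service is None:
            continue
        blocked = "DENIED" in rec["action"]
        waived = rec["user"] in waivers
        hits.append({
            "user": rec["user"],
            "client": rec["client"],
            "service": service,
            "blocked": blocked,
            "waived": waived,
            "violation": not blocked and not waived,
        })
    return hits


def violations_by_user(hits):
    """Count unblocked, unwaived webmail requests per user (the list to act on)."""
    return Counter(h["user"] for h in hits if h["violation"])


if __name__ == "__main__":
    found = find_webmail_access(SAMPLE_LOG, WAIVERS)
    for h in found:
        status = "BLOCKED" if h["blocked"] else ("WAIVED" if h["waived"] else "VIOLATION")
        print(f"{status:9} {h['user']:10} {h['client']:12} {h['service']}")
    print("violations by user:", dict(violations_by_user(found)))
```

The useful output is the last line: the users whose webmail sessions the proxy allowed and who hold no waiver. Waived users still appear in the per-request listing, since the point of the article is that a waiver removes the rule, not the exposure.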