FBI Director James Comey delivered a statement this week announcing the FBI does not recommend criminal charges against Hillary Clinton for her use of a private email server during her time as Secretary of State. While the findings of the investigation will be debated extensively, there are five data security lessons contained in the statement that apply to all organizations.
As any executive that has dealt with a cybersecurity incident knows, incident response investigations are complex, time consuming and expensive. The FBI had over a dozen agents working full time for one year on the investigation and countless hours of on-demand technical experts, but even relatively small incidents require a great deal of effort to build a picture of what happened.
The skills possessed by cybersecurity investigators are in high demand and short supply. They take years to hone and require constant maintenance. This means high daily consultancy rates. Detecting, investigating and responding to incidents early will save time and money. Conducting an investigation weeks, months or years later severely impacts the potential for a successful outcome.
Nothing is Certain But Death and Data Breaches
The FBI found no direct evidence that ‘hostile actors’ accessed Secretary Clinton’s email server, but assessed a compromise as ‘possible’. My experience tells me ‘possible’ or ‘probable’ is often as good as it gets.
Investigations often only provide a ‘best guess’. Investigators use their experience to try and complete the jigsaw, but the further back in time the investigation stretches, the more missing pieces there are. Investigators contend with incomplete log files, sub-standard backups of servers and workstations, deleted data and the absence of a ‘corporate memory’. Preparation for breaches and ensuring evidence sources to support investigations are available makes a huge contribution to the quality of investigations. Just because there is no evidence of compromise or data loss, does not mean it hasn’t happened.
A Time and a Place
Director Comey commented that Secretary Clinton used her account for “sending and receiving work-related e-mails in the territory of sophisticated adversaries”, which may refer to the multiple visits she made to China and Russia.
Very few of us have roles or access to data likely to put us on the radar of foreign states and not every visitor to China or Russia is the target cyber attacks. However, business travelers should not become complacent. Ensuring devices are secure when traveling to guard against data loss (as a result of accidental misplacement, theft or espionage) is critical, and for many travelers it may be prudent to leave work devices behind and take a clean phone and laptop with limited functionality. This limits the impact of any incident while overseas.
All organizations should issue clear advice for staff regarding safe and secure use of corporate devices while overseas. Guidance should not obstruct staff unnecessarily and should be commensurate to the threat.
Email as a Critical Data Asset
During the investigation, around 2,000 emails sent or received by Secretary Clinton were ‘up-classified’ from being unclassified to ‘Confidential’. The contents became more sensitive over time.
In my experience of investigating and analyzing state sponsored cyber attacks, attackers do not always steal intellectual property or client databases, but exfiltrating email files was a standard part of the modus operandi of government hackers. File stores contain thousands of documents containing raw data and analysis, but the CEO’s email has a one-page report summarizing everything. Email should never be overlooked when organizations consider their critical data assets.
In the early stages of innovation, legal matters, investment decisions, even cybersecurity incidents(!) emails are freely exchanged without thought to how sensitive an issue could later become, especially if disclosed publicly. Organizations must identify potentially sensitive communications early and apply effective security controls to protect their contents. Relaxing controls later is easier than retrospectively applying them.
The final security lesson concerns policy. All users in an organization must know that using personal email for work is unacceptable and may present data security risks. Users should not forward work emails to personal accounts or save work data to personal online storage. Are users obliged to provide the mobile device they use for work for analysis in the event of an incident? Is an organization confident that it is legally covered for remotely wiping an employee’s mobile device? Policies must clearly set out what is acceptable and what is safe and provide workarounds and advice in situations outside the norm. Equally important, policies also need to communicate what the employee should expect to happen if they fail to comply with the policy.
Organizations unprepared for incidents have ever fewer excuses to fall back on. Where responses to incidents are sub-par we will increasingly see executives lose their jobs. While the CISO must be seen to lead the work, cyber risk can only be reduced where the whole of the leadership team work together and bring their collective might to the challenge.