Cybereye | IT security in the executive suite
- By William Jackson
- Sep 22, 2008
The campaign of Alaska Gov. Sarah Palin was shocked (shocked!) to learn that hacktivists had broken into a private Yahoo e-mail account belonging to the Republican vice presidential nominee and posted some of the contents on the Web.
'The matter has been turned over to the appropriate authorities and we hope that anyone in possession of these e-mails will destroy them,' said McCain campaign manager Rick Davis in a written statement.
Imagine how shocked we were to learn that the nominee to the second highest office in the land, who if elected would be privy to all sorts of highly classified information, was silly enough to use an unsecured private Web-based e-mail account to conduct official business.
It is another example of how IT security breaks down at the executive level because those at the upper end of the organizational chart assume that they are too important or busy to worry about security, and that the rules don't apply to them anyway. Corporate IT administrators and security officers have complained for years of the difficulty in enforcing security policy at the CXO level of their organizations. The discovery that former Attorney General Alberto Gonzales failed to properly secure highly classified documents is an example of the same problem in government. And now we have Sarah Palin, who is touting her experience as chief executive of the nation's largest state as qualification for national office, exhibiting the same behavior.
In the past, IT administrators could take some comfort in the fact that many executives were too computer illiterate to use technology such as e-mail, reducing the risk of digital exposure. But as executives become more familiar with the technology and the technology becomes easier to use, this last layer of security is disappearing.
Palin reportedly has a perfectly good official e-mail account that is secured by the state's IT department and that would presumably have been harder to break into. But she appears to occasionally have turned to a couple of unsecured Yahoo accounts for some state business in an effort to shield the exchanges from open records laws. As of this writing, it is not known how the account was breached or whether the breach indicates any other compromise of the governor's IT security. But it would be simple enough for someone to find or guess the user name and attack it with a brute force password attack.
The legality of Palin's behavior still is in dispute. The wisdom is not. It was stupid of her to use those accounts for any state business.
Davis probably was right when he called the breach of Palin's accounts a violation of law, and the incident is being investigated by the FBI and Secret Service. But that does not make what she did right. She should have known better than to put anything she considered private on a public Web server secured with only a password. The behavior is all the more inappropriate given that she is engaged in one of the most closely watched and hotly contested national political campaigns in recent memory. If she can lay claim to any political expertise at all, she should be aware that in a race like this one, everything is fair game and that nothing she has ever said, done, committed to paper or put on a hard drive is sacred or immune from exposure.
The lesson to be learned from this incident is that if security is to work, policy must be enforced uniformly at all levels, not just for serfs, peons and drudges. The concept of 'too big to fail' may apply in high finance, but not in IT security.
William Jackson is a Maryland-based freelance writer.