Cyber Defense Review

Senior Leader Vulnerabilities

By CPT Blake Rhoades, MAJ Jim Twist | October 30, 2015

“Teenage kid hacks into the CIA directors email.”  It sounds like a faux headline from a 1980s Matthew Broderick film. In the age of sophisticated Intrusion Detection Systems, and a billion-dollar cybersecurity industrial complex that is present to prevent such absurdities, one would hope that such taglines are only something that a Hollywood writer could drum up.

Unfortunately, these types of breaches have become commonplace: senior government leaders are subject to real attacks that target their personal and work-related data on a regular basis. As a recent Wired magazine article shows, CIA director John Brennan’s personal AOL email account was hacked by an individual or group that uses the ‘cracka@phphax’ as a twitter alias. One of the hackers – who self-identified as a teenage kid – anonymously told Wired magazine that he gained access to Brenan’s account by using social engineering methods to gain access to the AOL account. The result – on Wednesday, WikiLeaks posted several documents (of both personal and official nature) taken from Brennan’s account; none of the information was reported to be classified.[i]

Director Brennan is not the only high-ranking government employee whose data has fallen prey to hackers. The recent controversy surrounding former Secretary of State Hillary Clinton’s personal email server, for instance, produced evidence of Russian-based hacker attempts to infiltrate her network.[ii] What’s more, in a separate incident earlier this year, the US government disclosed that  senior military leadership had been targeted when Russian-based malware was found in the Office of the Chairman of the Joint Chief of Staff’s (OCJCS) email at the Pentagon.[iii] Both Clinton and the OCJCS network were targeted by malicious emails  specifically designed to target senior leaders.

Director Brennan, OCJCS, and former Secretary Clinton were targeted due to their placement, access, and prestige. Clinton and the JCS were reportedly targeted with “Whaling”, an evolution of spear-phishing that targets systems and data of high-ranking individuals because of their placement and access to highly sensitive information. In all of these cases, the hackers attempts are not necessarily designed to trick the specified high-profile target, but may be directed at those who support a senior leader (i.e. the internet companies that serviced Brennan’s email account) or those who directly work for them (i.e. the staff officers on the JCS). In all of these cases of social engineering and spear-phishing attacks, hackers exploited a human flaw to trust the false information that was delivered to them to the detriment of their organization’s network security.

With cybersecurity month now upon us, we as leaders at all levels should take time to recognize the threat that both “whaling” and social-engineering poses, and to remind our employees of their responsibility to (1) avoid clicking on suspicious emails and (2) to report mistakes as they happen. In the case of social-engineering, such attempts could easily be stopped by diligent employees who take the time to verify the identities of anyone who makes inquiries about sensitive information that relates to the organization or its personnel.