An official website of the United States government
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

The Cyber Defense Review

Senior Leader Vulnerabilities

By CPT Blake Rhoades, MAJ Jim Twist | October 30, 2015

“Teenage kid hacks into the CIA directors email.”  It sounds like a faux headline from a 1980s Matthew Broderick film. In the age of sophisticated Intrusion Detection Systems, and a billion-dollar cybersecurity industrial complex that is present to prevent such absurdities, one would hope that such taglines are only something that a Hollywood writer could drum up.

Unfortunately, these types of breaches have become commonplace: senior government leaders are subject to real attacks that target their personal and work-related data on a regular basis. As a recent Wired magazine article shows, CIA director John Brennan’s personal AOL email account was hacked by an individual or group that uses the ‘cracka@phphax’ as a twitter alias. One of the hackers – who self-identified as a teenage kid – anonymously told Wired magazine that he gained access to Brenan’s account by using social engineering methods to gain access to the AOL account. The result – on Wednesday, WikiLeaks posted several documents (of both personal and official nature) taken from Brennan’s account; none of the information was reported to be classified.[i]

Director Brennan is not the only high-ranking government employee whose data has fallen prey to hackers. The recent controversy surrounding former Secretary of State Hillary Clinton’s personal email server, for instance, produced evidence of Russian-based hacker attempts to infiltrate her network.[ii] What’s more, in a separate incident earlier this year, the US government disclosed that  senior military leadership had been targeted when Russian-based malware was found in the Office of the Chairman of the Joint Chief of Staff’s (OCJCS) email at the Pentagon.[iii] Both Clinton and the OCJCS network were targeted by malicious emails  specifically designed to target senior leaders.

Director Brennan, OCJCS, and former Secretary Clinton were targeted due to their placement, access, and prestige. Clinton and the JCS were reportedly targeted with “Whaling”, an evolution of spear-phishing that targets systems and data of high-ranking individuals because of their placement and access to highly sensitive information. In all of these cases, the hackers attempts are not necessarily designed to trick the specified high-profile target, but may be directed at those who support a senior leader (i.e. the internet companies that serviced Brennan’s email account) or those who directly work for them (i.e. the staff officers on the JCS). In all of these cases of social engineering and spear-phishing attacks, hackers exploited a human flaw to trust the false information that was delivered to them to the detriment of their organization’s network security.

With cybersecurity month now upon us, we as leaders at all levels should take time to recognize the threat that both “whaling” and social-engineering poses, and to remind our employees of their responsibility to (1) avoid clicking on suspicious emails and (2) to report mistakes as they happen. In the case of social-engineering, such attempts could easily be stopped by diligent employees who take the time to verify the identities of anyone who makes inquiries about sensitive information that relates to the organization or its personnel.

  

[i]http://www.wired.com/2015/10/hacker-who-broke-into-cia-director-john-brennan-email-tells-how-he-did-it/

[ii]http://www.bbc.com/news/world-us-canada-34411472

[iii] http://thehill.com/policy/cybersecurity/250730-pentagon-restores-hacked-email-system



US Army Comments Policy
If you wish to comment, use the text box below. Army reserves the right to modify this policy at any time.

This is a moderated forum. That means all comments will be reviewed before posting. In addition, we expect that participants will treat each other, as well as our agency and our employees, with respect. We will not post comments that contain abusive or vulgar language, spam, hate speech, personal attacks, violate EEO policy, are offensive to other or similar content. We will not post comments that are spam, are clearly "off topic", promote services or products, infringe copyright protected material, or contain any links that don't contribute to the discussion. Comments that make unsupported accusations will also not be posted. The Army and the Army alone will make a determination as to which comments will be posted. Any references to commercial entities, products, services, or other non-governmental organizations or individuals that remain on the site are provided solely for the information of individuals using this page. These references are not intended to reflect the opinion of the Army, DoD, the United States, or its officers or employees concerning the significance, priority, or importance to be given the referenced entity, product, service, or organization. Such references are not an official or personal endorsement of any product, person, or service, and may not be quoted or reproduced for the purpose of stating or implying Army endorsement or approval of any product, person, or service.

Any comments that report criminal activity including: suicidal behaviour or sexual assault will be reported to appropriate authorities including OSI. This forum is not:

  • This forum is not to be used to report criminal activity. If you have information for law enforcement, please contact OSI or your local police agency.
  • Do not submit unsolicited proposals, or other business ideas or inquiries to this forum. This site is not to be used for contracting or commercial business.
  • This forum may not be used for the submission of any claim, demand, informal or formal complaint, or any other form of legal and/or administrative notice or process, or for the exhaustion of any legal and/or administrative remedy.

Army does not guarantee or warrant that any information posted by individuals on this forum is correct, and disclaims any liability for any loss or damage resulting from reliance on any such information. Army may not be able to verify, does not warrant or guarantee, and assumes no liability for anything posted on this website by any other person. Army does not endorse, support or otherwise promote any private or commercial entity or the information, products or services contained on those websites that may be reached through links on our website.

Members of the media are asked to send questions to the public affairs through their normal channels and to refrain from submitting questions here as comments. Reporter questions will not be posted. We recognize that the Web is a 24/7 medium, and your comments are welcome at any time. However, given the need to manage federal resources, moderating and posting of comments will occur during regular business hours Monday through Friday. Comments submitted after hours or on weekends will be read and posted as early as possible; in most cases, this means the next business day.

For the benefit of robust discussion, we ask that comments remain "on-topic." This means that comments will be posted only as it relates to the topic that is being discussed within the blog post. The views expressed on the site by non-federal commentators do not necessarily reflect the official views of the Army or the Federal Government.

To protect your own privacy and the privacy of others, please do not include personally identifiable information, such as name, Social Security number, DoD ID number, OSI Case number, phone numbers or email addresses in the body of your comment. If you do voluntarily include personally identifiable information in your comment, such as your name, that comment may or may not be posted on the page. If your comment is posted, your name will not be redacted or removed. In no circumstances will comments be posted that contain Social Security numbers, DoD ID numbers, OSI case numbers, addresses, email address or phone numbers. The default for the posting of comments is "anonymous", but if you opt not to, any information, including your login name, may be displayed on our site.

Thank you for taking the time to read this comment policy. We encourage your participation in our discussion and look forward to an active exchange of ideas.