New York, United States – Back in May 2009, a freshly inaugurated US President Barack Obama launched a crackdown on “spoofing and phishing and botnets” in a government-wide web security overhaul.
Six years later, analysts say it is not going well.
This week, the US government faced its latest cyber-shame with the contents of CIA Director John Brennan’s hacked personal email account plastered about the internet – apparently the work of a high school student who was irked by US policy towards Palestinians.
While analysts blame Brennan for being sloppy, they also highlight a growing threat from disgruntled hackers, often partly motivated by politics, who can use relatively basic hacking techniques to cause widespread alarm and controversy.
“It’s shocking that people at such high levels are not better briefed on securing their communications. Private sector workers would be loath to take such a risk for fear of losing their jobs,” Dan Patterson, a TechRepublic journalist, told Al Jazeera.
“For Brennan, was it negligence, hubris, or a belief that the rules didn’t apply to him? Of all people, he should know that there’s a silent, secret cyber war happening right now involving not just millions, but billions of accounts.”
The hacker told The New York Post he had used a tactic of “social engineering” that involved duping workers at Verizon, a mobile phone operator, into providing Brennan’s personal data and then tricking AOL, the email provider, into resetting his password.
Once in control of Brennan’s account, the hacker – who described himself as a non-Muslim US teenager – took files and contacts and then released some via the @phphax Twitter account. He called himself “Cracka”, saying he was part of a group called Crackas With Attitude (CWA).
The hackers reportedly contacted Brennan, and the CIA director asked them what they wanted, to which they replied: “We just want Palestine to be free and for you to stop killing innocent people.”
On Wednesday, the anti-secrecy site WikiLeaks began publishing documents from “Brennan’s non-government email accounts”, presumably supplied by CWA. They appear to date back to 2007-09, when Brennan worked in the private sector.
They include Brennan’s security clearance application form, documents on Iran, CIA interrogation practices, and advice on handling Pakistan and the war in Afghanistan, together with personal information about his associates.
“WikiLeaks was intended to be a clearinghouse for journalism and modelled on the principles of freedom of speech,” Daniel Castro, vice president of the Information Technology and Innovation Foundation, told Al Jazeera.
“Posting documents with social security details, phone numbers and other information about Brennan’s family and friends online – that’s crossing a line from free speech into aiding criminal activity.”
The CIA said the hacker acted with “malicious intent”, and the leaked documents did not appear to be classified. The FBI and US Secret Service have opened criminal probes into the attack.
This is not the agency’s first embarrassment. Brennan was appointed CIA director in 2013 after General David Petraeus resigned over an extramarital affair with Army Reserve officer Paula Broadwell, which was in part exposed by email exchanges.
People linked to the Islamic State of Iraq and the Levant (ISIL) hacked US military social media sites in January. In July, it was revealed that hackers had nabbed private data from more than 21 million people via the federal government’s Office of Personnel Management.
WikiLeaks has posted masses of embarrassing US diplomatic cables and other leaks online over the years. Edward Snowden, a former National Security Agency contractor, lifted the lid on the agency’s mass surveillance of civilians in 2013.
Hillary Clinton’s presidential aspirations are threatened by a scandal over her use of a private email system when she was secretary of state.
David Fidler, of the Council on Foreign Relations think-tank, distinguishes between Chinese, Russian and American cyber-attackers who follow “ground rules” and work “quietly” from the so-called hacktivists who like to cause a stir.
Last month, China and the US agreed to not support the cyber theft of corporate secrets or information. No such deal seems likely with CWA or such hacking collectives as Anonymous, which publicise their exploits and draw attention to their causes.
Adrian Shahbaz, a researcher on the annual Freedom on the Net report, which will be released by Freedom House next week, monitors the “low-cost and low-skill level” antics of increasingly active hacking groups in the Middle East.
The Syrian Electronic Army, a hacker collective that supports Syrian President Bashar al-Assad, has attacked Western media outlets. The Yemeni Cyber Army has reportedly hacked a Saudi-backed newspaper to protest the kingdom’s war in Yemen.
In 2012, an Israeli released information on Saudi credit card holders in response to a similar attack that had been attributed to an Arab hacker.
“With so much emphasis on sophisticated Chinese cyber-attacks, we miss the bigger security risk of social engineering,” Shahbaz told Al Jazeera.
“Young hackers in Yemen, Saudi Arabia, Iran and Egypt are launching tit-for-tat attacks against each other and, in some cases, perhaps motivated by high-profile groups like Anonymous, being associated with a political cause, and having a message to spread.”
For Fidler, the United States is in no shape to solve this. Snowden’s revelations of US global cyber-snooping hurt the government’s relations with Silicon Valley tech firms and Western allies so badly that it will spend years rebuilding trust before it can fix the problem.
Before then, thousands of staffers will start work for a new administration in January 2017 – making plenty of new email accounts fodder for hackers, he said. “We may be seeing stories worse than this in five years’ time,” Fidler said.
Castro called for a paradigm shift. The US and other cyber-spying governments use their resources looking to exploit cracks in their rivals’ systems rather than finding and patching their own vulnerabilities.
“This result is insecurity for everyone. No country solves a security issue on its own, and everyone ends up getting hacked,” Castro said.
“If all the governments and private sectors around the world invested money and cooperated on cyber-security and actually provided this as a public good like we do with national security, we could change the trajectory.”
Follow James Reinl on Twitter: @jamesreinl