Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
C. Warren Axelrod

Campaign Lessons Learned—Part 1: Email Security

Author’s note: This is the first of several columns about lessons that should have been learned from cybersecurity mistakes and nefarious activities that dominated, and likely changed the outcome of the 2016 presidential campaign.

If there is one outstanding cybersecurity lesson that the U.S. presidential campaign should have taught everyone it is that you cannot assume that your emails won’t be made public despite your best efforts, intentions and precautions. Yet I’m willing to bet that there will not be much long-term impact of the high-profile hacks and dissemination of Democratic emails, and that, sooner rather than later, we’ll be treated to new disclosures of other famous persons’ private emails that minimally will be embarrassing and maximally will change the course of history.

In an Op-Ed article in the November 5, 2016 New York Times, Zeynep Tufekci writes in “Whistle-Drowning, Not Whistle Blowing” that “[t]he response to hacks is not simply to tell people to stop writing things down,” and that the admonition not to “… discuss things over email if you don’t want to see them on CNN” is a new version of “Don’t wear a miniskirt if you don’t want to get assaulted.” Professor Tufekci claims that telling folks not to put private or secret information in emails would set us back decades in our ability to communicate and that “we need to build resilience by emphasizing curation, and ethics, and by no longer acting as if something that has been hacked and dumped is all up for grabs.”

I don’t know about how you feel about it, but I think that Professor Tufekci’s idealistic proposals would be much harder to achieve than convincing people not to put potentially problematic information into emails, texts or tweets (or into microphones that might be live). There are other forms of communication, such as direct telephone calls (not so much conference calls as you may not be aware of who could be listening in at the other end) and faxes (preferably obfuscated or encrypted) that are inherently more secure and are harder, though not impossible, to tap. There is traditional express and snail mail and courier services for highly-sensitive documents that are not needed immediately but can wait hours or a day or so. And, if hard copy is not required, then you can just pick up the phone. Furthermore, you can use technology to scan your emails for content and recipients (including blind copies) before sending and be informed if there is questionable content or unintended addressees contained therein. But the programs that do the scanning are not perfect and stuff gets through, so your own awareness and care is really what is needed.

There is no question that we easily get caught up in the interchange of ideas and emotions via email or text or social media that can then be harvested and distributed. But constraint and restraint are highly recommended in such cases. We must remember that there are at least two places where emails can be found, the sender and recipient, so that attempts to subsequently delete or hide such communications are unlikely to be effective, especially given the common practice of archiving emails for long-term reference.

The mantra of not putting into emails or texts or on social networks that which you wouldn’t write on a postcard or want to appear on the front page of a national newspaper is by no means a new concept, as Professor Tufekci would claim. It was common at least two decades ago for cybersecurity professionals, such as myself, to admonish users in the same fashion. But it just hasn’t worked out very well. The horrors of attaching email threads containing discomforting information to your replies or of hitting the “reply to all” button abound. Most folks just don’t seem to get it. But always remember … you never know where that unfortunate email might turn up.

Would emphasis on Tufekci’s “curation, context and ethics” be more effective than “just say no”? I very much doubt it. The lesson learned is that of avoidance. For one thing, you can trade convenience and usability for more secure, less risky methods of communications. That’s not something most people want to do but it is an available option. Also, anonymity doesn’t always work since messages can be traced to the originator in many cases. It’s just common sense to think twice before you press the “send” button.

Post a Comment

Your email is never published nor shared. Required fields are marked *