Congressional emails could be the next target for hacks, time to bolster defenses

Less than 300 days away from the 2018 midterm elections, we are now learning that “Fancy Bear,” one of the Russian hacking groups that breached the Democratic Party in 2016, has since been probing U.S. Senators and their staff to steal data through their email accounts.

Given how information security issues have been exploited to disrupt the democratic process in the U.S. and Europe, this news should surprise absolutely nobody. What is surprising for many in the cybersecurity community is the slow pace of progress we are making in improving our defense despite the tools to do so being readily available.

While the election infrastructure is getting attention from the Department of Homeland Security, communication security remains the weak link and also something our elected officials have the power to improve today with minimal effort. 

{mosads}Despite a remarkable laundry list of email-based attacks in just the recent years — the 2016 presidential campaign included — email still remains the primary means for distributing sensitive messages and documents, making congressional inboxes a target while also being the most difficult to secure.

Since email servers store every conversation — often years’ worth of messages and documents — in plain text, it is a perfect entry point into the professional lives and networks of elected officials and their entire staff. Once breached, an intruder can collect both trivial and sensitive information to weaponize it against our lawmakers and continue to expand the victim list all the way to their families and supporters.

All too often, attackers aren’t just after government secrets, they are after any personal information that may be leveraged to embarrass the office holders and their staff. No one is too small to target.

It is time to take advantage of the progress the information security industry has made in protecting critical data. Modern cryptography and the increased power of our phones make it now possible for any high-target organization to rely on end-to-end encryption, once only accessible to security professionals, to protect communications.

Unlike email, secure messaging tools ensure that the content of the message is protected between the trusted parties among congressional staff and never touches servers unencrypted. This means that high-value sensitive communications do not live on a central server, waiting to be hacked, but instead on the devices sending and receiving the information, with each message protected with a unique encryption key.

While it is not realistic to expect that encrypted apps will completely replace email anytime soon, it is easy enough to imagine our most critical communications migrate to technology that provides the highest security assurance against the ongoing attacks by nation state adversaries.

In fact, in recent months, several of the largest national campaign committees on both sides of the aisle have begun to institutionalize the use of encrypted messaging and have encouraged their top campaigns to do the same. In its “Cyber Playbook,” Harvard University’s bipartisan program Defending Digital Democracy strongly encouraged campaigns at all levels to use encryption to protect sensitive documents and conversations.

In recognition of the risks facing our political institutions following the 2016 election breaches, the Senate’s Sergeant at Arms also approved and explicitly recommended the use of specific encrypted messaging apps for Senate use. Now is the time to leverage these tools to scale the protection to every elected official and their staff.

With risks running high, we cannot continue to rely on email simply because everyone is too set in their ways to do something different. In 2018, given what we know about the threat at hand, not taking proper security precautions — whether to secure professional or personal information — is no longer responsible. It is time to accelerate the adoption of end-to-end encryption by our elected officials to ensure the integrity of our democratic institutions.

Joel Wallenstrom is president and CEO of secure communications platform Wickr, previously co-founder and executive for leading security research company iSEC Partners, responsible for finding and mitigating high-profile cyber security vulnerabilities.