How Something as Seemingly Benign as White House Email Can Have Freaky National Security Consequences
We’ve been talking with David Gewirtz, technology expert and author of Where Have All the Emails Gone? Welcome back, David, for the second part of our interview. We’ve already spoken about the cybersecurity situation that President Obama has inherited. Now, let’s go a little further back in time, if you don’t mind.
What was the impetus behind Where Have All the Emails Gone?
>We publish two magazines on email-related topics, one for IBM Lotus professionals and one for Microsoft Outlook and Exchange professionals. Back in April 2007, we ran a news story on the missing email topics. Since it was on-topic for the magazines, I decided I'd write one short article. Nothing made sense. 12 articles and an amazing story later, we decided we had enough for a book. The book was published in late 2007 and now, I've probably written another 12 articles on the continuing saga.
What time period are we talking about and how many emails have gone AWOL?
>I discuss three key issues, only one of which is missing emails. I consider some of the security issues inherent to how the White House manages email a far greater concern. There's a beast called the Hatch Act that can both give plausible deniability to storing email according to the FRA and PRA, and also almost requires insecure email for much of the White House's business.
That said, there are reports of millions of missing messages. The only period for which there is formal confirmation (in the form of testimony to congress by the White House) is for the period March 1, 2003 and May 23, 2003. Full details on this are at:
Why was the Bush administration's explanation for moving away from Lotus implausible?
>The Bush administration claimed Lotus Notes was antiquated and not up to the job. That is categorically incorrect. Lotus Notes is regularly updated and is an IBM flagship products. I have personally seen many extensive, enterprise-grade solutions with Notes that are absolutely best-of-breed. As of today, we've published 10,358 articles about Lotus Notes and it's quite excellent. In particular, Notes is renown for it's security, something not quite as well regarded for Microsoft Outlook. That's not to say Outlook and Exchange (the Microsoft solution) aren't also great, but it's a complete fallacy to claim Lotus isn't up to the job. That's, in fact, what got me curious about the rest of the story.
Does anyone besides for you get the immensity of the problem? If so, who?
>Certainly the IT professionals who read our magazines get it. Some of the folks in DC also get it. The groups who are suing the White House understand part of the problem, but they're forwarding their own agenda and in that agenda, suing the President is more sexy than chasing obscure ISPs in Tennessee or fixing a 1939 law or repairing basic security concerns. People I know in Homeland Security and the FBI, at least at the individual contributor level very much get the security issues. I've met some of the smartest and most impressive people working on the front lines in America's security agencies. The only problem for those guys is they work for politicians.
Are people beginning to pay attention? Have you seen any encouraging signs so far?
>Definitely. I've been interviewed a ton of times. I'm on the radio or in an interview at least once a week on this topic and we've reached, literally, millions of people. A nice side-stream benefit has been that I've also been able to talk about regular Internet security issues and help real people protect their own homes, just as an outgrowth of explaining some of the White House's security problems.
What would you like people to take away from this book?
>That email at the White House (at least during the Bush administration) is broken and needs to be fixed. It's also likely to be somewhat broken in the Obama administration, because the laws are still in place to tie their hands, but we can be hopeful.
People's eyes tend to glaze over as soon as something technical is discussed. Can you boil it all down to a few, simple points?
>Sure. From a personal point of view, if you don’t pay attention to the security of your computer, you could lose everything. Someone from Belarus could easily pop into your life and take all your money, charge up your credit cards, and cause you no end of hurt. From the perspective of White House security, the last thing we want is an enemy nation or organization to be able to interfere with the secure command and control of our government or, worst case, cause us some grievous harm because they know something they shouldn't.
You write about Blackberrys getting lost or highjacked, putting national security at risk. Karl Rove lost his at least once and maybe as many as five times. With the new president also a Blackberryphile, this problem is not going to go away. You have a few timely suggestions about how to safeguard these "mobile nightmares.” Please share them with us.
>Well, the biggest suggestion is to not hand your phone to anyone else. Make sure you have complete control over it. Don't keep confidential information in it, passwords, etc. For senior government officials, home addresses are also confidential information and shouldn't be in your phone. In the case of White House staffers, if you must give up your phone for a time, only give it to someone you, literally, trust with your life. That'd be members of the Secret Service.
> Yes, and no. There were always risks of some sort. Our grandparents didn’t have to deal with people from other countries invisibly sneaking into their computers and stealing their life savings, but our parents, even those in their 80s, now do. But hey, back in the Old West, there were gunfights and duels. We don’t have them as often (although we do have our own brand of gang violence).
Fundamentally, when anyone ever says “this is the worst it’s been” the answer is “no, it’s not”. Every generation and age had some really bad elements and some things that were truly beautiful.
That said, cyberthreats are scary, just because they are so incredibly complex to defend against and the tools to launch them are so easy to come by. In the cyberthreat world, weapons of mass destruction (cheap PCs, iPods, flash cards, etc) can be bought at Wal-Mart.
Thank you, David. We'll look forward to the final part of this three-part interview.
Read part one of this series:
Exclusive Interview with David Gewirtz, Author of Where Have All The Emails Gone?