Some of the same unhackable applications that have become the “favorite technologies” of the Islamic State and other terrorist groups have gained popularity in Washington, D.C., in part because the federal government is still struggling to find ways to protect government communications.
Wickr, Telegram, and similar apps that promise the ability to send encrypted, self-destructing messages have a certain appeal throughout the political class, but especially within the intelligence community. Rep. Mike Pompeo, a former Army intelligence officer who now sits on the House Permanent Select Committee on Intelligence, uses one such app because hackers might gain valuable information from something as innocent as a conversation with a family member.
“I use [an encrypted messaging app] for my personal stuff, not for my official work,” the Kansas Republican, who emphasized that he doesn’t discuss classified information on the program, explained to the Washington Examiner. “Foreign governments want to know what elected officials around the world are doing. I want them to know less and not more about who I am and how I interact with others.”
That precaution is not unique to Pompeo. “It is a prudent move,” Senate Intelligence Committee member James Lankford, R-Okla., who declined to discuss his personal cyber-security practices with the Examiner, said of the apps. “There is no question that individuals that work within the federal government, whether it be agency heads or members of Congress — those are prime targets for foreign actors to be able to track what we do, what we think, how we function, as they build a file on each leader within the federal government.”
Government officials’ reliance on secure text messaging puts a twist on the public discussion of end-to-end encryption, an increasingly common technology that criminals and terrorists have exploited to avoid detection by federal authorities.
“[E]ncryption as currently implemented poses real barriers to law enforcement’s ability to seek information in specific cases of possible national security threat,” FBI Director James Comey told Congress in March.
With the proliferation of private encryption comes the possibility that some federal officials might use the programs to skirt congressional oversight or public records laws. “There are oversight issues that begin to percolate,” said Pompeo, who served on the House Select Committee on Benghazi that discovered Hillary Clinton’s use of a private email server. “But I’m often reminded . . . for 180 years, the information was in a folder some place sitting in someone’s basement or a government office basement. Searching meant sending 50 people down to dig through the files and maybe get lucky and find it.”
But many feel they have no choice, as the government isn’t offering much in the way of training to ensure secure communications, and hackers continue to leak the emails of public officials.
For one, federal employees receive only “rudimentary” training on how to protect themselves from cyberthreats, according to intelligence community sources.
“You go to these briefings and it’s just a letdown,” an intelligence officer in the D.C. area, speaking on condition of anonymity, told the Examiner. “Okay, seriously? ‘Check my privacy settings?’ Okay, cool, I’ve already done that.”
That applies across the federal government. The Office of the Director of National Intelligence, for instance, warns government employees to change their passwords regularly, to avoid pornographic websites that often house malware, and “delete suspicious emails,” but even elected officials only get basic training when they take office.
“It walks through all the basic cyber hygiene,” Senate Intelligence Committee member James Lankford, R-Okla., told the Examiner while discussing the briefing incoming lawmakers receive. “I haven’t seen anything that actually moves past that.”
Bureaucratic turf wars have delayed the process of improving the training, according to Lankford, who has asked the intelligence community to take a leading role in updating the federal government’s playbook.
“Part of the issue that the federal government faces is who has the authority to be able to make sure that all entities are maintaining good cyber-security,” Lankford said. “Everyone is trying to figure out who is the lead cook here.”
A spokesman at the Office of the Director of National Intelligence declined Examiner requests for comment on more elaborate cyber-security tactics.
In the meantime, the more tech-savvy officials are shifting for themselves, for instance by uninstalling unnecessary phone apps that could have tech vulnerabilities, or by deleting old email accounts and periodically replacing their new ones. “People who use the same email account for everything for ten years are asking to be hacked,” the intelligence officer said.
That means effective defensive measures are labor-intensive, which could deter some users who might not realize they should put in the extra work. “The hard part is most people would think, ‘I’m not [at risk], why would anyone care about what I do?’” Lankford said. “Most people, even most members of Congress, don’t take it seriously about what a great threat we really face.”
That applies to junior staffers, perhaps even more than lawmakers or senior officials such as John Podesta. “The little people are a lot bigger target than they think they are,” the D.C.-based intelligence officer said. “I would rather hack a scheduler than almost anyone else.”
Even prudent web users will continue to face cyber-security risks, however, and some of the encrypted messaging apps might already be vulnerable to hackers. Only six of 39 encrypted messaging services pass muster, according to the Electronic Freedom Foundation. Relying on any one account for too long could backfire.
“Encryption can be broken with enough patience,” the intelligence officer said. “It really is about keeping moving.”