Deciphering Email Insecurity

Stripped of hyperbole, the recent US election imparted important information security lessons. One is that email insecurity threatens political campaigns and maybe even elections. Another is that compromised email can be ruinous to any organization.

Much can go wrong with email. People can knowingly or unknowingly violate institutional email policy, thereby increasing risks to themselves and to their affiliates. Even those who don’t violate policy can suffer successful incursion, as with the email-based attack on the Democratic National Committee during the presidential election.

Thus, in addition to better compliance, it seems we may also need better policies. Even with both, we still face big risks and impediments. Regardless, email isn’t going away anytime soon, so let’s start with policy compliance.

Email Policy Compliance

Everyone who uses email has an email policy, good or bad. A good policy, for example, is to keep email login passwords secret. Another is to change passwords periodically to protect from undetected disclosure. Enterprises often have email policies that match their organizational prerogatives, such as for systems control over business-related communications. For the sake of policy compliance, personal email is generally not sanctioned for business (including government business).

Nonetheless, a US Secretary of State was “...not the first official to use private email” for public business — even business at the level of the US Cabinet. The situation represents an organizational failure per US government standards:

“System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner.”

The standard further recommends that organizations “…monitor, detect, and report when policy violations occur” to fix flaws and uphold policy. The organization is responsible for ensuring compliance, not just the individual user.

This highlights the endemic problem with recommended email security practices. It’s wrong for the individual to violate security policies, but it frequently happens. It’s also wrong for the organization not to verify policy compliance. This lesson was lost in the recent US elections: Both candidates said it was wrong to violate the private-server email policy, but neither said why, and neither said what should be done differently in the future. Thus, the problem persists.

Better Email Policies

Policy compliance is great if the policies are compliance-worthy. If compliance to a set of policies doesn’t provide the needed email security, then we obviously need better policies. For sensitive emails, organizations might consider adding an email signing and encryption policy.

Most people choose not to digitally sign or encrypt their personal email today, and it’s just as rare in business. However, it does add a tier of defense against the plundering of private correspondence on hacked servers. Further, it’s easy to forge email. If business emails result in actions to be taken, signed email helps mitigate forgery risk. People who are guiding any large organization, particularly one with financial assets, probably need signed and encrypted email as a policy.

In deference to the wisdom of a stopped clock, it’s time once again to revisit PGP or something like it. However, decades of attempts to deploy email signing and encryption have foundered.

Several years after PGP was introduced, the CTO of a startup security company proposed that the executive staff use PGP signed and encrypted email. Things went south immediately. The CEO said that he had used secure email before, it was a pain, no one else was using it and neither would he.

So, the CTO instead promoted the idea among the company’s engineering leaders. One said that he hadn’t used secure email before, but promised to try it. His signed and encrypted message never arrived in the CTO’s inbox. As happens, the experienced engineer properly created email keys with a password, but did not write down the password, then uploaded his public key to the MIT PGP server, which he subsequently could not use because he forgot the password. That was the end of that email security proposal.

Poor usability is the classic explanation for slow PGP uptake: “Why Johnny Can’t Encrypt” points to an unduly complex and error-prone design strategy for the rejection of PGP email by the masses. Another oft-heard explanation involves the “network effect,” where the value of an application depends on how many people use it. Since PGP is hard to do correctly, few adopt it, thus it never enters common practice.

Signed and encrypted email reduces risk. If done properly, encrypted emails stay encrypted on the network and on computers. A person’s messages cannot be decrypted or forged by an attacker without obtaining a secret key from the individual’s computer.

Without email encryption, an intruder can gain access to an organization’s emails by defeating the security of one server. When email is encrypted, however, the attacker must defeat the security of each person’s computer before gaining access to the entire organization’s email.

Continuing Conundrum

The need for email security applies to government as well as enterprise, but many regimes oppose use of encryption and authentication when it’s outside of government control. For example, Apple Corporation has been the target of US government legal action and political ire for its strong authentication and encryption technology intended to keep user data under user control.

US government policy is unlikely to change when it comes to encryption and authentication, and that’s unfortunate. It has been unwilling to give up a law enforcement tool that’s easily circumvented, but that has proven to be very costly to the nation’s businesses. Such a position limits a government’s leadership in reducing costly cyber-attacks and subversion of public institutions and private enterprises.

Any organizations that use email should consider upgrading their email policies to include signing and encryption. Regardless of inconvenience or length of learning curve, the risk is just too great.

The hard lessons from the 2016 US election are that email-policy compliance must be enforced and that email signing and encryption are needed, especially at the highest levels of management and among people who are more accustomed to giving orders than taking them.

What’s Hot on Infosecurity Magazine?