In-brief: is having the Chief Executive’s Twitter account secured by a Google Gmail account really a security lapse? Not necessarily.
The world is having a collective freak out about the serial security lapses of the newly enshrined Trump administration. That includes the revelation, this week, that the Leader of the Free World is using a lowly Google Gmail account to secure @POTUS, the official Twitter account of the U.S.’s Chief Executive.
For a President and Administration as unconventional as Mr. Trump's, the news about the Gmail account seems like just another data point in a raucous and singularly unprofessional first week in office – the online equivalent of trash talking the United States’ second largest trading partner. But is having the Chief Executive’s Twitter account secured by a Google Gmail account really a security lapse? Not necessarily, according to security experts. In fact, Gmail may offer superior security to government-run platforms.
This story started on Tuesday, with a CNN article that channeled the advice of a well-known Twitter hacker calling him (her?) self WauchulaGhost (@WauchulaGhost), who urged the new President to secure his Twitter account. The leaks came by way of a Twitter password recovery feature that provided a hint to anyone seeking to recover the password: a redacted version of the address affiliated with the account. The @POTUS account was linked to two email addresses, one that appeared to belong to Dan Scavino, the President’s social media chief, and the other that appeared to be hosted on Trump’s personal DonaldJTrump.com domain.
With knowledge of that email address, an attacker could attempt to take over that account using any of a number of techniques, from spear phishing attacks like those used against John Podesta and other Democratic party officials during the last election cycle, to gaming password reset features used to secure the Gmail account.
But security experts note that such hacking and account compromise techniques are not unique to Google’s Gmail. Further, Gmail offers a range of other security features to protect accounts that make that platform better defended against sophisticated hacking attacks than most privately managed platforms, including those of government agencies.
The stakes are high. With 14.4 million followers including nearly every major news organization in the US and abroad, heads of state and Wall Street traders, 140-character missives from the @POTUS account can send the stock of individual companies or whole markets soaring or plunging. They can set national governments on edge and, depending on the circumstances, scramble aircraft carriers and fighter jets. Trump’s enthusiastic use of Twitter has prompted some to wonder whether the @POTUS and @RealDonaldTrump accounts are a national security disaster in the making. But use of Gmail as a fallback account to secure Twitter isn’t in and of itself a security risk.
“Companies like Google and Microsoft have invested billions of dollars in securing their infrastructure,” said John Ackerly, the CEO at the firm Virtru, a secure email provider. “If you want your data to be secure, it’s tough to beat Google, Microsoft or Amazon’s cloud,” he said.
Indeed, Gmail offers a wide range of back-end and front-end security features that make it among the most difficult platforms to compromise – provided users take advantage of those features. What are they? Let’s start on the back-end.
After a spate of government-backed attacks on Gmail users with links to the government of China in 2011, Google implemented a wide range of features to spot and warn users about suspicious attempts to access their Gmail accounts. These days, Google monitors account access attempts and warns users when attempts to log into their account are received from a new device or IP address. Further, it tracks servers and Internet addresses used by nation-state actors and cyber criminals and gives specific warnings about such activity to users. In recent years, political activists, academics, journalists and others have grown accustomed to notifications about efforts to compromise their accounts.
For phishing attacks, Google has offered phishing protection for years and leverages its status as the world’s most trafficked website and one of the top email providers to identify new phishing attacks. Sure, the system isn’t perfect, as the spear phishing attacks against Podesta and Colin Powell prove. There, Russian hackers stole credentials with an attack that posed as a Google password reset message, proving that even security features (like password theft alerts) can be turned against users. But less sophisticated and ham-fisted phishing attempts are likely to fall afoul of Google’s filters.
On the front end, also, Google offers a wide range of security features. It goes without saying that the service only allows secure (encrypted) communications between the user and Google’s cloud-based servers. Google also offers a range of two-factor authentication options, including single-use text-based codes to access accounts, separate hardware tokens that generate one-time codes, or external applications like Google Authenticator that do the same. The use of hard or soft second factor authentication dramatically reduces the danger of account takeover.
Some or all of these features may be available to government-managed IT assets like email servers for the President, Vice President and other Executive Branch staff. But recent history, as well as reports from the Government Accountability Office, suggests that the U.S. Government is struggling to secure its IT infrastructure, including access to government IT assets.
In fact, a report by GAO in 2015 listed “personal identity verification” as a top cyber security challenge for government agencies. By GAO’s accounting, only 41 percent of user accounts at 23 civilian agencies had required these credentials for accessing agency systems.
The problem isn’t so much the platform as the policy, Ackerly said. “You have to think about two things: ‘who has control of the content,’ and ‘what happens after you share the content’?” In other words: even if the President’s account remains secure, his communications are only as secure as his least-secure correspondent.
Government requirements about public access to government data and documents can complicate the use of cloud platforms, where government data is being shared with third-party vendors. And some data such as that used by law enforcement or the intelligence services may not belong on third-party cloud platforms at all, Ackerly said.
There is already evidence that the incoming Administration is struggling to separate public from private technology. A report on the web site of RT.com this week found that members of the Trump team were still relying on email servers managed by the Republican National Committee, while President Trump faced criticism for using an out-of-date Android smartphone to communicate.