If you guessed that, among US government agencies, the Central Intelligence Agency would be likeliest to employ the most advanced cryptography in their telecommunications, then the story of CIA Director David Petraeus’ lapses in security during his affair with his biographer, Paula Broadwell, most surely will surprise you.

 

The two paramours exchanged clandestine email through a method that Al Qaida apparently first used: sharing access to a single email account and leaving messages for each other in the form of drafts. In terms of protecting the privacy of messages, this method seems to work as long as third parties do not gain access to the account. Since one cannot encrypt messages held in draft form, a third party with account access would be able to read all drafts. For the same reason, even before accessing the account, if the third party knew to intercept the transactions that save the draft to the email provider’s server, the message would be available in the clear text.

 

Why did the proverbial top spy choose not to encrypt his email messages? Certainly not because his gmail account was personal; there would be no line between professional and personal in terms of the need for security, regardless of the communication channel. As a matter of course, with the top spy one would expect top security.

 

In fact, though, as non-secure as the method becomes to those with account credentials, the use of it in this case was not so risky. The FBI discovered the affair; and the FBI would not have been looking had not Paula Broadwell sent aggressive email messages to a woman named Jill Kelley.  And the FBI would not have been looking so carefully had not Kelley sought the help of her FBI agent friend, Friedrich Humphries (III), who was so dogged in pushing for an investigation of the harassment that he pursued another path when his own organization initially let the matter just sit. Because Humphries contacted congressional politicians, who contacted the FBI Director, the agents on the case became keenly motivated.

 

Broadwell apparently used the same email account to harass Jill Kelley that she used to share draft messages with Petraeus. Once the FBI correlated email messages with IP addresses in a pattern of regions that matched Paul Broadwell’s travel schedule, they got access to the relevant gmail account. They found the draft correspondence, inferred that Broadwell was having an affair with a high-ranking government official, and pursued the forensic IT trail until they found Petraeus at the other end.

 

Protecting Classified Information and Intellectual Property

Most government and business office have an IT policy about the kind of email you should send exclusively through the institution’s own email system. Usually an issued laptop or PC comes with an email client already configured with appropriate encryption settings.

 

Preserving information can be as important as obscuring it from those who should not see it. In addition to an appropriate AES cipher to secure message content, you should preempt and mitigate data loss by effectively monitoring the email server for events and create triggers to send real-time alerts. As an example, the SolarWinds Network Performance Monitor and Server and Application Monitor products together provide node and system/application early detection and advance warning features.