Somehow CIA Directors Don’t Have Very Good Cyberhygiene

Photo: John Brennan at the Council on Foreign Relations in March 2014. (Chip Somodevilla/Getty Images)

On Wednesday, WikiLeaks published a data dump from CIA Director John Brennan’s personal AOL email account after it was hacked (possibly by high-school students). The emails don’t seem to contain anything earth-shattering, and they are all from before Brennan became CIA director. But they do include some social security numbers, government phone numbers, and draft recommendations about CIA interrogation methods and Iran. The strangest part of the whole situation is not the content of the emails—it’s that CIA directors seem to have information security lapses pretty frequently.

Getting a handle on cybersecurity can be difficult for the average consumer, who just wants to trust tech companies to take care of everything. But as my Slate colleague Joshua Keating pointed out Wednesday, Brennan is “a career spy entrusted with what may be the world’s most information-sensitive job.”

And incredibly, Brennan’s foibles pale in comparison to another CIA director cyberhygiene scandal. An emeritus chemistry professor at the Massachusetts Institute of Technology, John Deutch led the agency for a year and a half until December 1996. Shortly after he left, officials began looking into which laptops he had used to access confidential information. The CIA Inspector General published a report of the investigation’s findings in 2000. It concludes:

Former DCI John Deutch was specifically informed that he was not authorized to process classified information on government computers configured for unclassified use. Throughout his tenure as DCI, Deutch intentionally processed on those computers large volumes of highly classified information to include Top Secret Codeword material. … all classified information on those computers was at risk of compromise. … Further, [Deutch] took no steps to restrict unauthorized persons from using government computers located at his residences.

It was the mid-’90s—his friends probably just wanted to watch Dancing Baby.

Deutch, who had been deputy secretary of defense from March 1994 to May 1995, also had cybersecurity lapses at the Pentagon. Six months after the CIA’s final report, the Department of Defense Office of the Inspector General published extremely similar findings about Deutch’s behavior at the Defense Department. “In particular, Dr. Deutch maintained a daily journal containing classified information that was almost 1,000 pages in length, on computer memory cards, that he reportedly transported in his shirt pocket.” Deutch opened and modified the journal on a number of computers not approved for that use.

And as if all of this weren’t bad enough, evidence also emerged in 2000 that somebody had accessed porn sites on the home laptops that Deutch was already improperly using to view and store classified data. The Daily News reported that Deutch denied that he had navigated to the sites, instead suggesting that it was “someone else” in his family. That might have helped a little bit, except that it only confirms the CIA Inspector General’s findings that he wrongly allowed other people in his household to use government computers and accessed the Internet on those computers in a way that compromised the classified data that already wasn’t supposed to be there. Woof.

At least David Petraeus was trying to be clever by communicating with his mistress/biographer Paula Broadwell through draft messages in a shared Gmail account. But as Slate pointed out in 2012, using some basic anonymity and encryption tools would have gone a lot further toward protecting their secret. You’d think that as the director of the CIA, Petraeus would have been comfortable taking cybersecurity precautions like that. But then again, based on his cohort of directors, maybe not.

One recent CIA director who got it right is Leon Panetta. He served as director from July 2011 to February 2013, and is known as a forceful cybersecurity advocate. He became secretary of defense in 2011 and gave a memorable speech aboard the Intrepid Sea, Air and Space Museum in 2012 in which he said that the only way Americans would awaken to the true importance of strong cybersecurity would be through some sort of “cyber-Pearl Harbor,” where a large-scale attack wreaks havoc in the physical world, not just the digital one. The New York Times reported that during the speech Panetta said hackers “could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”

That might all sound dramatic, but it’s exactly the type of worst-case scenario that you’d think CIA directors would have at the front of their minds. At a Lesley University lecture in Boston two weeks ago, Panetta talked about the Hillary Clinton personal email debacle, noting that, “It was a mistake to use a private server.” And he was confident that something like that would never happen to him. “I never used email,” he said. “It’s the best damn decision I ever made.”