Perhaps you’ve heard of the story of poor Shaham Amiri. He was an Iranian scientist who apparently spilled secrets to the CIA–and he paid for it dearly.
With his life.
Amiri apparently disappeared on a supposed Meccan pilgrimage, and when he resurfaced, he was in America at the Pakistani embassy in Washington D.C., seeking assistance for a safe return to Tehran. He later shared that he was kidnapped, tortured, and bribed by the CIA for his knowledge.
But that may not have been true.
Hillary Clinton, who was Secretary of State at the time, revealed in emails that were made public that he was in America — and sharing what he knew — on his own volition. He later had cold feet. (Next up in this series: top 10 tips for staying alive in the witness protection program.) Many concerns about his situation were expressed in numerous Clinton email threads, provoking Iran to act and punish Amiri for his crimes and allegiance to America.
It was the contents of those emails that sent Amiri to his death.
When dealing with any type of communication, especially email, it’s imperative to understand the consequences and potential risks of the emails getting out. There’s the internal human component (an untrustworthy confidant, a printout being left in an insecure location, a copy and paste gone bad, forwarding of emails, or transference of emails to a personal account against policy) and there’s the external human component (breaches, social engineering, a hack, malware, and other types of abuse).
Welcome to the modern era, where you’re always leaving a digital footprint behind.
And sometimes that could have real world — in this case, deadly — consequences.
I think many people would say pretty confidently that Amiri died because the US acknowledged he was disclosing sensitive information freely and wasn’t abused despite his insistence. Someone — many people — lied.
And a defector died.
But this is a tech site, so what does this have to do with us? In IT especially, it’s imperative that we treat any type of correspondence as sensitive. But confidential emails especially should require additional security and monitoring. (And frankly, your email server should be more secure than Clinton’s private one. You can do better. We know that.)
The US government, shockingly, didn’t know better. We could point fingers at a lot of people — including Amiri himself — for what ultimately led to his death. But we can also fault it to technology and the way the email server was lacking in the most important security necessary to keep this man alive.
I’m sure the contents of these emails about Amiri’s allegiance to America may not have even raised eyebrows, but the nature of this business — foreign affairs in the government — required a lot more care and consideration. Messages that are sensitive enough, depending on the industry and topic matter, should be held to a time-sensitivity “term,” in that that they self-destruct after a period of time. That way, they’re not living on a server for someone to forward or for a hacker to breach externally. We know solutions out there offer a self-destruction flag, that they’re immediately deleted after being read or deleted within a period of time if they’re not, so the risk is reduced tremendously. (And secured physical printouts can’t be hacked.) Should the government have implemented security mechanisms to prevent this kind of thing? Yeah, I’d say so.
The US government definitely should have known better. Does your company?