If Russia hacked me, it exposed the family system of the US military
When an Associated Press reporter told me in late 2017 that I was among those targeted in a hacking campaign carried out by Russian agents, it amused me. Little old me? Was I Really Worth Targeting?
But as I scanned my emails during the days of the 2015 hack attempts, I saw something much bigger at play with amazing security implications for the U.S. military.
When Russia targeted my Gmail account and me, it wasn’t just my personal information that was compromised. While foreign agents had access to my data, they also had access to the personal information of our Army Family Readiness Group (FRG) and all of its members.
In just a month in which an attack took place, dozens of spreadsheets with the names, physical addresses, phone numbers, dates of birth and even details of the children of at least 500 family members of army were delivered by army unit officials to my personal email address. address.
If I was compromised, so were they. And they probably have no idea. The US government knew this had happened and did next to nothing.
Instead, they only warned a handful of targets, according to a survey by the PA. I was not one of those.
It wasn’t until the end of last year that an AP reporter called me that I had any idea that this had happened. An episode of the ongoing investigative story released by the AP today details what happened. According to data obtained by The Associated Press, myself and at least four other military wives were targeted by Russian-based foreign agents in 2015 in a large-scale cyber attack known as Fancy. Bear.
Like the hundreds of other volunteers who power the Army Family Support Group machine, I have to use my personal email to communicate with our RFA and unit leaders.
Generalized information on troop movements, return dates, deployment dates, family support group training manuals and other information on the functions of the unit were also sent to me on a regular basis. by e-mail. And because I rarely delete anything, all of that data and information is still in my inbox today.
The military wives that PA journalists identified among thousands of other targets had one thing in common: We were all quoted in a CNN article about a hack ultimately linked to Russia as well. We may have been selected as targets of convenience; the CNN article gave the hackers a handy list of names.
While it’s not clear whether foreign agents actually gained access to my email account, the implications of this attempt for personal security are considerable and should come as a shock to everyone in the military community.
The military has a responsibility to notify families that their data may have been compromised by accessing my inbox or the inboxes of other targeted individuals. According to the AP, the FBI knew who was on that list. However, I was never informed by any American official that I had been targeted. To the best of my recollection, I never received any notifications or correspondence from Google either.
Through the military’s support system and its reliance on a network of volunteer family members of the unit instead of paid staff, a foreign state can quickly and easily access the personal data of the families of deployed troops. , including their physical locations, simply by targeting the unsecured email accounts of spouses on the unit.
It is not difficult to see how the security situation for troops and families deteriorates once access is obtained. If an American soldier were to be captured and interrogated, how could his family information be used? How could it be exploited through social media? How could it be used through a targeted disinformation campaign?
At the root of this security problem is the Army’s Family Readiness Group, the service’s solution to the shifting target of supporting families in an era of budget cuts and disengagement.
Army officials know families need information on important dates, such as deployment returns, and other resources. They also know that – thanks to geography, busy schedules, or sheer disinterest – it’s fundamentally impossible to physically reunite families in a room to hear this information.
Ten years ago, when the military had sufficient funds, units paid for family support positions occupied by employees using secure mail servers in base offices. But budget cuts have eliminated those positions, pushing instead positions for junior officers within units and a parade of ever-changing volunteers working from home.
For this volunteer-based system to work, contact lists are shared, often through unsecured email. When information needs to be shared, volunteers contact everyone on their assigned list. Family members are strongly encouraged to allow their contact information to be included on appeal sheets or they may miss information they really want, such as their soldier’s return date.
Some brigades still employ a Family Readiness Officer (FRO), but often only during deployment. Others rely exclusively on the volunteer system.
While units across the services can follow their own individual procedures, it appears only the military allows widespread and insecure email sharing of their lists. I also cannot say that every unit in the Army operates this way, but it is standard practice in each of the five Army units that I have volunteered with.
E-mailing the lists does not appear to directly contravene any specific military policy. And if so, the standard is largely ignored. Although a 2015 FRG army manual, for example, notes that ” [roster] copies must be collected and destroyed â, and thatâ when a key leader leaves his post or moves, the copies of that leader must be given to the supervisor â, he never states that the list should only be shared on paper .
I found this manual in my Gmail inbox this month, attached to the same March 2015 email as six individual lists containing the personal information of over 300 family members.
I don’t remember being told to delete a list.
The hacking attempts I am told to originate from Russia appeared in my inbox as emails that appeared to be from Google, but were in fact phishing attempts. If I had clicked and entered my existing password, I would have given hackers full access to my account, probably never noticing that they were using it.
As a result of this infiltration, they would have had access to the lists that I received at the time, as well as those that I had received in the past and those that I received subsequently.
Have Russian hackers actually accessed my inbox? According to the AP, the single link in at least one of the multiple hack attempts sent to me was clicked at some point. Whether it was through me is impossible to say, the reporter told me, as the AP discovered that sometimes hackers clicked on their own links to make sure they worked.
To the best of my recollection, I didn’t click on it. But maybe I did. Do you remember what you clicked on on a given day three years ago?
No matter how you go, hacking attempts on my account and potentially compromised information must spark some tough conversations in the Pentagon about how we handle military family information and protect the people who handle it.
Should we send it by email? Is it fair to rely on volunteers to keep you safe?
While family information and safety is valuable to the military – and it should be – putting money into a family support job is not only appropriate, it is a necessary security investment. .
Leaders should also update and enforce FRG standards to eliminate unsecured sharing of personal family information.
View full article
Â© Copyright 2021 Military.com. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.