A message behind the Palin hack: firewall your communications
Long-time readers here know I'm a network engineer by profession. So, when the subject of so-called "hackers" and compromised e-mail systems comes up, the topic is squarely within my expertise. Because I titled this post with the term "firewall," you might assume I'm talking about the network security technology of the same name. I'm not. I'm talking about where good security always begins and always ends: with human behavior.
I'll have more to say on this subject once more is known about the actual criminal act in question. (By that I mean the illegal access of Palin's e-mail by perpetrators who are currently suspected but not yet identified.) The point of this post, however, is to address what the feeding-frenzied media are trying to make the entire story about, namely the use of private e-mail accounts to conduct public business. First things first: I want to put on the table the fact about the Palin situation that the media would prefer you overlook. By the account of everyone who has viewed the stolen e-mails themselves (I have not, thank you), there was nothing in them pertaining to the transaction of public business. Even the hacker himself confirmed that when he posted the information. (Ace's account is sprinkled with his trademark disregard for... ahem... professional language, so the faint-of-heart should be prepared. Heh™.) That means that what the MSM are trying to make this all about is nothing but a smokescreen and an attempt to tear down the VP candidate on the GOP ticket. Remember that as this case goes forward.
It does raise, once again, the issue of communications by public officials. We in Loudoun County have had some recent experience with this kind of thing, and I think it's germane to this discussion to repeat the advice to public officials I gave back in June:
I think the best method for governing officials to follow is to rigidly separate their business documents and their personal ones. No business should be transacted using any communications systems except the official government ones. Each official who is expected to do business outside of their office should be issued a laptop that can connect to the government systems and permit the official to do their work. They should immediately return any message sent to their personal e-mail addresses that deals with official business, saying that they can't discuss that here and directing the author to their official account. No personal computers should be involved in this at all. Keep what is personal in the personal space and what is public in the public space. That way the FOIA requests can be adjudicated easily. Hard? Sure. But it can be done, I know for a fact. And if anyone in Loudoun's government wishes to discuss the technical details of that, I'm happy to do so. I can also put them in touch with other engineers should they feel I've now developed a conflict of interest.
While my suggestion certainly involves the deployment of technical solutions, it's not the technology that makes this suggestion effective, it's the behavior of the public official. It's all too tempting to just respond to a given query in e-mail by hitting the "Reply" button and expounding away. It is a matter of discipline for the official, however, not to do that when a matter of public business is mentioned in an e-mail handled by any system other than the official one they use at their office. The way I described it to an elected official back in June: if she received an e-mail in her personal account(s) that either partly or completely involved public business, her only reply to the sender on that point should be something to the effect of, "I'm sorry, I can't discuss public business in this e-mail account. Please direct any such inquiries to my official account at elected.punk@God-knows-where.gov." You may feel free to respond to the non-business part of such an e-mail, but this should be the only response to the public-business part.
Likewise, try to keep the personal e-mails sent from the official account to a minimum. That situation is far less of a problem than the reverse, but it's good practice to maintain a separation between those classifications. The separation has a second benefit that the Palin case illustrates: when a personal account is compromised, as hers was, the attacker finds no official correspondence in it, because none was ever conducted there. That's what I mean by "firewall" in this context.
To close this subject out, I want to reiterate that Sarah Palin's situation is not a matter of a public official using private e-mail to conduct public business, as admitted by the criminal himself. I bring this subject up as a tangential issue, not as a direct response.
1 Comment
[...] Everyone who's looked into this, including the hacker himself, has seen that there was no public business conducted in this e-mail account. The immediate news reports seeking to make this look like a heroic [...]
Pingback by "Hacker indicted on charges stemming from illegal access of Palin e-mail account" « HoodaThunk? | 8 October, 2008