One of the big surprises of the 2016 election season for me (and yes, I know there was a lot of competition) was that—out of nowhere and all at once—it seemed a lot of people suddenly cared a lot about basic user cybersecurity practices. Not their own cybersecurity practices, necessarily, but Hillary Clinton’s, certainly, and now, it seems, also Donald Trump’s.
Trump, the New York Times reported this week, is still using his personal Android phone to post on Twitter. There’s a lot we don’t know about this phone: whether it’s encrypted, whether it automatically connects to nearby wireless networks, whether you can unlock it by drawing a large letter “T.” We do know it’s the same phone he was using before he became president—not one approved or issued by any government security team—and blog Android Central makes a fairly compelling case that it’s a Samsung Galaxy S3. So it’s probably safe to assume it has security roughly equivalent to that of your Android phone, or worse if you’ve gotten a new phone recently. (At Lawfare, cybersecurity researcher Nicholas Weaver argues that the Galaxy S3 “does not meet the security requirements of the average teenager.”)
In related news, CNN also reported on Jan. 24 about Trump’s failure to protect his @POTUS Twitter account with two-factor authentication, which would require anyone trying to compromise his account to figure out not just his password but also a code sent to his phone. Meanwhile, CNN pointed out that at that point, the @POTUS, @FLOTUS, and @VP handles had password reset emails linked to Gmail accounts (Pence’s was reportedly email@example.com, if you’re looking to get in touch). On the morning of Jan. 26, it seemed that Trump’s account was still tied to a Gmail account, as—of all people—TV Guide managing editor Alex Zalben found. (Other Twitter users and outlets later confirmed his finding.) Trump’s account seemed to be tied to the Gmail address of his social media manager, Dan Scavino. Only after those reports circulated Thursday morning did Trump’s reset email change to a whitehouse.gov address.
(This raises an interesting question: Are whitehouse.gov email accounts actually any more secure than Gmail ones? Possibly not. Google has some fairly effective monitoring tools for anomalous behavior among its users as well as a lot of data on phishing and spam email, and we don’t know much about how whitehouse.gov accounts are monitored, or whether the people in charge of protecting them are being listened to right now. Just based on the president’s continued use of his personal phone, it seems unlikely that he’s listening to anyone with any deep understanding of computer security at the moment.).
And I haven’t even mentioned that Trump press secretary Sean Spicer may or may not have accidentally tweeted a password on Thursday.
None of this is great news. As a cybersecurity researcher, I would, of course, prefer a president who took personal cybersecurity measures seriously. After all, we’re talking about a person with access to the most secret information in the country, someone whose Twitter account could conceivably be used to tank the stock market or cause an international incident, if compromised. Weaver also points out that, if he’s carrying his Android phone everywhere with him, it can be used to record any and all of his interactions by adversaries who have compromised it. In fact, Weaver argues, “anyone around the President should presume they are being actively recorded by hostile powers, regardless of location, unless they are positive the phone is out of the room.”
This laxness and disinterest in cybersecurity will set the tone for national cybersecurity initiatives and efforts as well as personal ones. Will a guy who won’t even secure his own phone ever be bothered to secure an entire country’s networks? Meanwhile, his appointed cybersecurity adviser Rudy Giuliani only recently learned about popular encrypted messaging app Signal, so he doesn’t seem likely to provide the necessary technical expertise or wisdom.
But the truth is, when it comes to setting the tone for national cybersecurity, Trump has already done something much more damaging than using a possibly outdated Android phone or linking his Twitter handle to a Gmail address. In deciding to effectively ignore the Russian election hacking efforts, he has issued an open invitation to foreign powers to target U.S. networks and information without fear of retribution.
So yes, I might wish for a president who, at the very least, had enough cybersecurity common sense to implement two-factor authentication and replace his smartphone. But even though they could have serious consequences, the shortcomings of Trump’s personal cybersecurity still seem almost trivial in light of the shortcomings of his national cybersecurity policy.
What’s not trivial—what’s frankly nothing short of remarkable—is that people are (apparently) interested in his personal cybersecurity. That people are reading and writing articles about whether his Twitter account is protected by two-factor authentication, and whether his smartphone is encrypted. Of all the things to be concerned about, these may not the most pressing. And yet—and yet—how strangely wonderful that we’re now willing to malign people (or, at least, high-level politicians) on the basis of their cybersecurity shortcomings. The people who malign them on these bases probably didn’t like them much to begin with, and criticisms of their cybersecurity practices may well be reflections of this pre-existing personal animosity.
But still, Hillary Clinton and Donald Trump have somehow succeeded where years and years of National Cybersecurity Awareness months and well-meant educational campaigns have failed. They’ve managed to attach to the act of failing to protect a server or a smartphone, or not implementing two-factor authentication for a social media account, the kind of social stigma that we usually reserve for people who don't wash their hands after using the bathroom.