The Missing Secret Service Text Messages: Lessons for IT Security

The United States Secret Service (USSS) has been under intense political fire since mid-July, when the Office of the Inspector General of the Department of Homeland Security (DHS) told Congress that text messages surrounding the significant events of January 6 had been permanently deleted for twenty-four key agents. The USSS currently operates under the DHS.

The facts of this high-stakes national drama are unclear, and disputes between lawmakers and DHS, and between DHS and the Secret Service, further muddy the waters. But in essence, the Secret Service says it lost the text messages in January 2021 after agents' cellphones were reset to factory settings as part of a three-month pre-planned system migration that involved asking agents to back up their phones.

The emerging and still muddled story of lost Secret Service text messages, albeit a political storm in Washington, is also an object lesson for all security personnel about the challenges of securing mobile communications and the role that document destruction and retention policies play in organizational security.

The Missing Secret Service Texts: A Timeline

The following timeline summarizes developments in the missing texts controversy. It underscores the chronic lack of clarity about what happened, which has been exacerbated by finger-pointing within the agency about who is responsible for the failings that led to the crisis.

January 16, 2021: Rep. Carolyn B. Maloney (D-NY), chair of the Oversight and Reform Committee, and Rep. Bennie G. Thompson (D-MS), chair of the Homeland Security Committee, along with other committee chairs, wrote a letter to DHS and other agencies asking them to produce documents and materials related to the Jan. 6 insurrection.

February 26, 2021: The DHS Office of Inspector General (OIG) reportedly requested electronic communication records from the Secret Service for its own investigation into the Jan. 6 attack.

March 25, 2021: Several House committees asked the White House, National Archives, Attorney General, DHS, and other government agencies for communications received, prepared, or sent between Jan. 5 and Jan. 7.

February 2022: DHS notified Inspector General Joseph Cuffari that text messages sent or received by then-Acting Secretary Chad Wolf, then-Acting Deputy Secretary Ken Cuccinelli, and Acting Undersecretary for Management Randolph D. “Tex” Alles were nowhere to be found. Cuffari’s office hid this information from Congress for more than five months.

July 14, 2022: A letter sent by the DHS Inspector General to the House and Senate Homeland Security Committees said the Secret Service deleted the text messages from January 5 and 6, 2021. After the letter became public, Anthony Guglielmi, chief of communications for the United States Secret Service, released a statement explaining how the text messages went missing. He said the Secret Service had started factory resetting agents' cellphones as part of a three-month pre-planned system migration.

Multiple reports indicate that the Secret Service told agents to back up their phones before the reset, giving them instructions on how to do so. Somewhere in this process, data resident on the phones was lost. Guglielmi contends that the DHS inspector general first requested electronic communications on Feb. 26, 2021, after the migration was well underway, even though House officials had asked DHS on January 16, 2021 to turn over all documents and materials related to January 6.

July 16, 2022: The January 6 Committee issued a subpoena to the Secret Service requesting the missing texts and all published reports related to the events of January 6, 2021.

July 19, 2022: The National Archives requested more information from the USSS about the “potential unauthorized deletion” of the agency’s text messages, which may determine whether the agency violated federal record retention requirements.

July 19, 2022: According to a letter sent by a DHS official to the House Select Committee investigating the Jan. 6 uprising, the Secret Service was able to produce only one text message, a conversation between former U.S. Capitol Police Chief Steven Sund and former Secret Service Uniformed Division Chief Thomas Sullivan, asking for help on January 6, 2021.

July 21, 2022: DHS Deputy Inspector General Gladys Ayala ordered the Secret Service to suspend its internal search for purged texts sent by agents around Jan. 6 so that it would “not interfere with an ongoing criminal investigation.”

July 29, 2022: Sources and insider records suggest Cuffari abandoned efforts by his investigative team to recover the deleted texts earlier this year.

August 1, 2022: Representatives Maloney and Thompson sent a letter to Cuffari saying he botched the investigation into the January 6 missing texts. This failure, combined with the absence of reports on the role of the Secret Service on January 6, constitutes a cover-up that justifies his removal so that a new inspector general can be appointed, according to the congressional leaders.

Major questions remain unanswered

Many questions remain unanswered for a development that has received massive media coverage. Two questions, in particular, are crucial to understanding what happened.

What phones were involved and what text messaging system was used? Although media coverage and government statements refer to “text-based” messages and devices, it’s unclear what texting protocol was used by Secret Service agents, what phones were used, or even if the missing texts were sent to personal or government-issued phones.

Some experts believe the missing texts were unarchived iMessages sent on agency-issued iPhones, but this has not been verified. Lending credence to the idea that iMessage was used rather than SMS, Signal, WhatsApp or any other protocol, USSS spokesperson Guglielmi said his agency is considering disabling employees’ ability to send iMessages on their business iPhones.

If the Secret Service was using iMessage, it’s unlikely they were using the version generally available to all consumers, Robert Falzon, Check Point’s chief engineering and technical officer, told CSO. “I can’t say for sure, but it’s likely that they’re not using the generic service. Instead, they’ve probably requested modifications or changes to those services that are specifically tailored to the Secret Service.”

Why were backups not available? Infosec professionals consider backing up systems before a migration to be extraordinarily routine and easy. The Secret Service said it began planning in fall 2020 to move all devices to Microsoft Intune, a mobile device management (MDM) service. But it left it up to agents to back up their own phones as part of a mandatory “self-registration” process, according to a step-by-step guide published by the agency.

Leaving it to agents to back up their own phones would be an extraordinarily unusual step for the agency, going against established security practices. “To me, that would be a gross failure of the process,” says Check Point’s Falzon. “It hurts credibility.” He also says he finds it “strange that you have an irreversible migration. It’s the opposite of what the most competent IT infrastructure administrators would try to achieve.”

Mark Rasch, an attorney at the KJK law firm and creator of the DOJ’s Computer Crime Unit and Cybercrime Practice, tells CSO that by deploying an MDM solution, an employer can assert control over devices and how they are used, including forcing data to be saved or erased. If the Secret Service did not use MDM or maintain a central backup system before migrating to Intune, and instead relied on agents to save, delete, or back up their messages, no backup likely existed.

“Think of your own phone. When you send a text message instead of an email, a copy of it isn’t saved with your employer,” Rasch says. “Thus, from a records management perspective, SMS and MMS rely on individuals to store and secure communications.”

The likelihood that all the agents erred by not collectively backing up their phones is low. “I have a long philosophy, which has proven to be mostly correct, that one should never attribute to venality what mere stupidity will adequately explain,” Rasch says. But, “the circumstances with this one, that it would take twenty individual agents for each individually to make the same mistake, are inconceivable.”

Security lessons to be learned

Infosec professionals can learn a few lessons from this high-level drama. “The first thing is that document retention and destruction policies are themselves security policies. If you have data, but certainly sensitive data, that you don’t need, the only thing it does is create a vulnerability,” Rasch said.

“On the other hand, if you have data that you need to retain and dispose of, that also creates liability. So you need strong, revised document retention and destruction policies, and a technology that will help you apply them. Identify what needs to be removed and what needs to be preserved,” Rasch says.

“Then you need training and awareness so people know what they’re allowed to keep and what they’re allowed to delete. And then, finally, you need to have some form of centralized control that allows you to deploy this policy throughout the company.”

And Rasch says, “the message for security conscious people is that if you have a mobile workforce, which you do, you should have a mobile device management solution, or at least assess if it will work in your environment.”
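The two failure modes described above, a wipe proceeding without a centrally verified backup and a wipe proceeding while the records were already subject to a preservation request, are the kind of thing an MDM-driven migration can gate on before it resets a device. The following is an added example written for this article, not Secret Service, Intune, or CSO code: a pre-wipe gate over a constructed device inventory and a constructed central backup catalogue. It assumes (hypothetically) that a central backup service records a SHA-256 digest of each archive at capture time and that a records hold is tracked per device; every device, owner, and archive value below is constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Maximum age of a central backup before the device must be backed up again.
# Hypothetical policy value chosen for this example.
MAX_BACKUP_AGE = timedelta(days=2)


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    legal_hold: bool  # True when the owner's records are under a preservation request


@dataclass(frozen=True)
class Backup:
    device_id: str
    taken_at: datetime  # timezone-aware capture time
    sha256: str         # digest recorded by the central backup service at capture time
    archive: bytes      # constructed stand-in for the stored backup archive


def backup_problems(backup, now):
    """Return reasons a backup cannot be trusted; an empty list means it is acceptable."""
    problems = []
    age = now - backup.taken_at
    if age > MAX_BACKUP_AGE:
        problems.append(f"backup is stale ({age.days} days old)")
    # Re-hash the stored archive so a truncated or tampered copy is caught before the wipe.
    if hashlib.sha256(backup.archive).hexdigest() != backup.sha256:
        problems.append("backup archive does not match recorded sha256 (corrupt or tampered)")
    return problems


def wipe_decision(device, catalogue, now):
    """Decide whether a device may be factory-reset for MDM enrollment.

    Returns (allowed, reasons). The wipe is allowed only when the central
    catalogue holds a verified, recent backup and no hold applies; a backup the
    user claims to have made on their own does not count.
    """
    reasons = []
    if device.legal_hold:
        reasons.append("records hold in effect: device must not be wiped")
    candidates = [b for b in catalogue if b.device_id == device.device_id]
    if not candidates:
        reasons.append("no central backup on record")
    else:
        newest = max(candidates, key=lambda b: b.taken_at)
        reasons.extend(backup_problems(newest, now))
    return (not reasons, reasons)


def run_gate(devices, catalogue, now):
    """Apply the gate to a whole fleet and return {device_id: (allowed, reasons)}."""
    return {d.device_id: wipe_decision(d, catalogue, now) for d in devices}


def _digest(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample fleet and backup catalogue (not real data).
NOW = datetime(2021, 1, 20, 12, 0, tzinfo=timezone.utc)
FLEET = [
    Device("dev-001", "agent-a", legal_hold=False),
    Device("dev-002", "agent-b", legal_hold=False),
    Device("dev-003", "agent-c", legal_hold=False),
    Device("dev-004", "agent-d", legal_hold=True),
    Device("dev-005", "agent-e", legal_hold=False),
]
GOOD = b"dev-001 archive"
CORRUPT = b"dev-003 archive"
CATALOGUE = [
    Backup("dev-001", NOW - timedelta(hours=6), _digest(GOOD), GOOD),                 # verified, recent
    Backup("dev-002", NOW - timedelta(days=30), _digest(b"old"), b"old"),             # stale
    Backup("dev-003", NOW - timedelta(hours=1), _digest(CORRUPT), CORRUPT[:-1]),      # truncated archive
    Backup("dev-004", NOW - timedelta(hours=2), _digest(b"held"), b"held"),           # fine, but on hold
    # dev-005 has no central backup at all
]

if __name__ == "__main__":
    for dev_id, (allowed, reasons) in run_gate(FLEET, CATALOGUE, NOW).items():
        status = "WIPE OK" if allowed else "BLOCKED"
        print(f"{dev_id}: {status} {'; '.join(reasons)}")
```

Run as a script it prints one line per device; only dev-001 is cleared for reset. The design point is that the decision depends solely on what the central service can verify (a recent archive whose hash still matches) and on a hold flag the user cannot clear, so a self-service backup step that twenty people each get wrong cannot silently authorize twenty wipes.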

Falzon thinks the issues raised in this controversy apply to any business. “The simple fact that we didn’t know what service was being used on these devices, were they personal or corporate devices, how were they locked down, these are the same challenges that all businesses face, even the smallest mom-and-pop organizations. Mobile devices are central to our personal and professional lives, so they’re probably the richest target you can imagine for an exploit,” Falzon says.

Copyright © 2022 IDG Communications, Inc.
