The U.S. Secret Service (USSS) has been under intense political fire since mid-July when the Department of Homeland Security (DHS) Inspector General’s office told Congress that the text messages surrounding the important events of January 6 had been permanently deleted for twenty-four key agents. The USSS currently operates under DHS.
The facts of this high-stakes national drama are unclear, and conflicts between lawmakers and DHS and DHS and the Secret Service further muddy the waters. But in essence, the Secret Service claims that it lost the texts in January 2021 after it reset its mobile phones to factory settings as part of a pre-planned, three-month system migration that entailed instructing agents to back up their phones.
The emerging and still-jumbled story of the Secret Service’s lost text messages, although a political firestorm in Washington, is also an object lesson for all security personnel on the challenges in securing mobile communications and the role that document destruction and retention policies play in organizational security.
The Secret Service’s missing texts: A timeline
The following timeline recaps the developments of the missing texts controversy. It underscores the current chronic lack of clarity about what happened, which has been heightened by intra-agency finger-pointing over who is responsible for the lapses that led to the crisis.
January 16, 2021: Representative Carolyn B. Maloney (D-NY), Chairwoman of the Committee on Oversight and Reform, and Representative Bennie G. Thompson (D-MS), Chairman of the Committee on Homeland Security, along with other committee chairs, wrote a letter to DHS and other agencies requesting that they produce documents and materials that relate to the January 6 insurrection.
February 26, 2021: The DHS Office of Inspector General (OIG) reportedly requested records of electronic communication from the Secret Service for its own investigation into the January 6 attack.
March 25, 2021: Several House committees asked the White House, National Archives, the Attorney General, DHS, and other government agencies for communications received, prepared, or sent between January 5 and January 7.
February 2022: DHS informed Inspector General Joseph Cuffari’s office that text messages sent or received by then-Acting Secretary Chad Wolf, then-Acting Deputy Secretary Ken Cuccinelli, and Acting Under Secretary for Management Randolph D. “Tex” Alles could not be found. Cuffari’s office withheld this information from Congress for more than five months.
July 14, 2022: A letter sent by the DHS Inspector General to the House and Senate Homeland Security Committees said the Secret Service erased text messages from January 5 and January 6, 2021. After news of the letter broke, Anthony Guglielmi, Chief of Communications for the United States Secret Service, issued a statement explaining how the text messages disappeared. He said that the Secret Service began to reset its mobile phones to factory settings as part of a pre-planned, three-month system migration.
Several reports say that the Secret Service told agents to back up their phones before the reset, giving them instructions on how to do so. Somewhere in that process, data resident on the phones was lost. Guglielmi contends that the DHS Inspector General requested electronic communications for the first time on February 26, 2021, after the migration was well underway, even though House officials asked DHS to hand over all documents and materials related to January 6 on January 16, 2021.
July 16, 2022: The January 6 committee issued a subpoena to the Secret Service seeking the missing texts, and any reports issued related to events of January 6, 2021.
July 19, 2022: The National Archives demanded more information from the USSS about “the potential unauthorized deletion” of agency text messages, likely to determine if the agency violated federal record retention requirements.
July 19, 2022: According to a letter sent by a DHS official to the House Select Committee investigating the January 6 insurrection, the Secret Service was able to produce only one text message, a conversation from former U.S. Capitol Police Chief Steven Sund to former Secret Service Uniformed Division Chief Thomas Sullivan requesting assistance on January 6, 2021.
July 21, 2022: DHS deputy inspector general, Gladys Ayala, directed the Secret Service to halt its internal search for purged texts sent by agents around January 6 so that it does not “interfere with an ongoing criminal investigation.”
July 29, 2022: Sources and internal records suggest that Cuffari scrapped his investigative team’s efforts to recover the deleted texts early this year.
August 1, 2022: Representatives Maloney and Thompson sent a letter to Cuffari saying he botched any investigation into the missing January 6 texts. That failure, combined with a lack of reporting on the Secret Service’s role on January 6, constitutes a coverup that warrants his stepping aside so that a new inspector general can be named, the congressional leaders say.
Major questions remain unanswered
Many questions remain unanswered for a development that has received massive press coverage. Two questions, in particular, are crucial to fully grasping what happened.
What phones were involved, and which text messaging system was used? Although media coverage and government statements reference “text” messages and devices, it’s unclear what texting protocol was used by the Secret Service agents, what phones were used, or even if the missing texts were sent on personal or government-issued phones.
Although some experts believe that the text messages were unarchived iMessages sent on agency-issued iPhones, that has not been verified. Lending credence to the notion that iMessage was used and not SMS, Signal, WhatsApp, or any other protocol, USSS spokesperson Guglielmi indicated that his agency is considering turning off employees’ ability to send iMessages on their work-issued iPhones.
If the Secret Service was using iMessage, it’s unlikely they were using the version generally available to all consumers, Robert Falzon, head of engineering and CTO for Check Point, tells CSO. “I can’t say for certain, but it’s likely they’re not using the generic service. Instead, they probably have modifications they’ve requested or changes to those services that are specifically accommodating to the Secret Service.”
Why weren’t backups available? Infosec professionals consider backing up systems before migration an extraordinarily routine and easy task. The Secret Service said it began planning in the fall of 2020 to move all devices onto Microsoft Intune, a mobile device management (MDM) service. But, they left it up to agents to back up their phones as part of a mandatory “self-enroll” process according to a step-by-step guide issued by the agency.
Allowing agents to back up their phones would be an extraordinarily unusual step for the agency, one running counter to prevailing security practices. “To me, it would be an egregious failure of process,” Check Point’s Falzon says. “It strains credibility.” He also says that he finds it “strange that you would have an irreversible migration. This is the opposite of what most competent IT infrastructure administrators would try to achieve.”
Mark Rasch, of counsel at the law firm KJK and the creator of the DOJ’s Computer Crime Unit and Cyber-Forensics practice, tells CSO that by deploying an MDM solution, an employer can assert control over the devices and how they are used and force things to be saved and force things to be wiped. If the Secret Service did not use an MDM before migrating to Intune or otherwise maintain a central backup system of some kind and instead relied on agents to save, delete, or back up their messages, no backups likely existed.
“Think of your own phone. When you send a text message instead of an email, a copy of it is not saved with your employer,” Rasch says. “So, from a document management standpoint, SMS and MMS rely on individuals to store and secure the communications.”
The likelihood that all the agents goofed by collectively not backing up their phones is small. “I have a long philosophy, which has proved mostly accurate, that one should never attribute to venality that which mere stupidity will adequately explain,” Rasch says. But, “the circumstances with this one, that it would require twenty individual agents to each individually make the same mistake, is inconceivable.”
Security lessons to be learned
Infosec professionals can draw some lessons from this high-level drama. “The first thing is that document retention and destruction policies are themselves security policies. If you have data, but definitely sensitive data that you don’t need, the sole thing it does is creates a vulnerability,” Rasch says.
“On the other hand, if you have data that you’re required to keep and get rid of it, that also creates liability. So, you need robust and reviewed document retention and destruction policies. Then you need to have technology that will help you enforce it. Identify what needs to be deleted and what needs to be preserved,” Rasch says.
“Then you need training and awareness so people know what they’re allowed to keep and delete. And then, lastly, you need to have some form of centralized control that allows you to deploy this policy across the enterprise.”
And Rasch says, “the message for security-conscious people is that if you have a mobile workforce, which you do, you should have a mobile device management solution, or at least evaluate whether it’ll work in your environment.”
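The two engineering failures the article circles around, a migration that wiped devices before a verified central backup existed and a retention policy with no technology enforcing it, can be turned into a concrete control. The following is an added example, not code from the article, from the Secret Service, or from Microsoft Intune: a pre-wipe gate that a migration script or MDM workflow would call before issuing a factory reset. It allows the reset only when the device is centrally enrolled, a server-side backup receipt matches the archive actually held and is recent, and no active legal hold names the device's user. Every device, user, date, hold and archive below is constructed for the example; the function names and the seven-day freshness window are assumptions.

```python
"""Pre-wipe gate: refuse a factory reset unless preservation duties are met.

Added example; not tooling from any agency or MDM vendor. Records, dates and
the archive bytes are constructed for illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Device:
    device_id: str
    user: str
    enrolled_in_mdm: bool  # centrally managed, not merely self-enrolled by the user


@dataclass(frozen=True)
class BackupReceipt:
    device_id: str
    taken_at: datetime
    sha256: str       # digest the central backup server recorded when it stored the archive
    size_bytes: int


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    custodians: frozenset[str]  # users whose records must be preserved
    issued_at: datetime
    released_at: datetime | None = None


def hold_applies(user: str, holds: list[LegalHold], now: datetime) -> list[str]:
    """Ids of holds that are active at `now` and name `user` as a custodian."""
    return [h.hold_id for h in holds
            if user in h.custodians
            and h.issued_at <= now
            and (h.released_at is None or h.released_at > now)]


def verify_backup(receipt: BackupReceipt | None, archive: bytes | None,
                  now: datetime, max_age: timedelta) -> list[str]:
    """Problems with the central backup; an empty list means it is usable."""
    if receipt is None or archive is None:
        return ["no central backup on record"]
    problems = []
    if hashlib.sha256(archive).hexdigest() != receipt.sha256:
        problems.append("backup digest does not match receipt")
    if len(archive) != receipt.size_bytes:
        problems.append("backup size does not match receipt")
    if now - receipt.taken_at > max_age:
        problems.append(f"backup older than {max_age.days} days")
    return problems


def wipe_decision(device: Device, receipt: BackupReceipt | None, archive: bytes | None,
                  holds: list[LegalHold], now: datetime,
                  max_age: timedelta = timedelta(days=7)) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every reason is a separate, auditable denial cause."""
    reasons: list[str] = []
    if not device.enrolled_in_mdm:
        reasons.append("device not enrolled in MDM; its state cannot be attested")
    for hold_id in hold_applies(device.user, holds, now):
        reasons.append(f"active legal hold {hold_id} covers user {device.user}")
    if receipt is not None and receipt.device_id != device.device_id:
        reasons.append("backup receipt belongs to a different device")
    reasons.extend(verify_backup(receipt, archive, now, max_age))
    return (not reasons, reasons)


def run_sample() -> dict[str, tuple[bool, list[str]]]:
    """Constructed fleet of four devices run through the gate."""
    now = datetime(2021, 1, 20, 9, 0, tzinfo=timezone.utc)
    archive = b"constructed backup archive contents"  # stands in for a real backup blob
    good_digest = hashlib.sha256(archive).hexdigest()
    holds = [LegalHold("HOLD-001", frozenset({"agent.b"}),
                       issued_at=datetime(2021, 1, 16, tzinfo=timezone.utc))]
    fresh = datetime(2021, 1, 18, tzinfo=timezone.utc)
    fleet = [
        (Device("dev-1", "agent.a", True),
         BackupReceipt("dev-1", fresh, good_digest, len(archive)), archive),
        (Device("dev-2", "agent.b", True),           # under legal hold
         BackupReceipt("dev-2", fresh, good_digest, len(archive)), archive),
        (Device("dev-3", "agent.c", True),           # receipt digest does not match
         BackupReceipt("dev-3", fresh, "0" * 64, len(archive)), archive),
        (Device("dev-4", "agent.d", False), None, None),  # never enrolled, no backup
    ]
    return {d.device_id: wipe_decision(d, r, a, holds, now) for d, r, a in fleet}


if __name__ == "__main__":
    for device_id, (allowed, reasons) in run_sample().items():
        print(device_id, "WIPE ALLOWED" if allowed else "WIPE DENIED", reasons)
```

The design point is that the decision is made by a central system that already holds the backup, not by the person whose device is about to be wiped, and that a legal hold or preservation request (the article's January 16 letter is exactly that kind of trigger) blocks destruction regardless of how good the backup looks. Each denial reason is recorded separately so the audit trail shows which duty was unmet.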
Falzon thinks the questions raised in this controversy apply to any enterprise. “The simple fact that we don’t know what service was being used on these devices, were they on personal or company devices, how were they locked down, those are the same challenges faced by any enterprise, even the smaller mom-and-pop organizations. Mobile devices sit at the core of our personal and business lives. So, they are probably the richest target that you can imagine for an exploit,” says Falzon.
Copyright © 2022 IDG Communications, Inc.