On November 8, 2012, General David Petraeus, Director of the CIA, resigned from his position due to multiple accusations of infidelity to his spouse and betrayal of his country. Despite the morbid coverage by the media at the time, there is a little-known detail related to an infosec incident. The purpose of this brief article is to analyze the security aspects of the so-called "Petraeus dossier".
A Clarification Note
More than ten years have passed since the scandal and subsequent resignation of the officer that motivates this text. Since there was an information security incident behind the events, this text aims to analyze the facts and discuss, from the perspective of infosec practices, what happened. It does not intend to make moralistic comments about the behavior of a particularly successful military officer who dedicated a significant part of his life to serving his country. Nor is it an analysis of the information security management aspects of an organization like the CIA. It is, in fact, a reflection on the difficulties organizations and their leaders face when managing information security aspects.
A Distinguished Military Career
General Petraeus had a highly distinguished military career.
David Howell Petraeus began his military career in 1974 at the United States Military Academy at West Point, where he graduated with honors with a B.S. degree. He later attended Fort Leavenworth, where he graduated in 1983 with the "Marshall" medal for having the highest academic average in his class. After his graduation, he served admirably in the United States Army for over 37 years in assignments in different countries around the world, particularly in the Middle East in Afghanistan and Iraq, eventually reaching the highest military rank in the United States Army: "Four-Star General," as the commander of the USCENTCOM (U.S. Central Command).
As the son of distinguished military parents and married to the daughter of General Knowlton, he had a meteoric military career in the Army, full of decorations, from operational results to doctrine matters, until June 30, 2011, when President Barack Obama nominated Petraeus as Director of the CIA. He was unanimously confirmed by the entire Senate. He resigned from his military career in the Army with the highest honors and assumed the position of Director of the CIA on September 6, 2011, until his resignation amid a scandal on November 9, 2012.
The Events and the Scandal
General Petraeus met military journalist Paula Broadwell at a social event at Harvard in 2006. The idea of writing a biography about General Petraeus's distinguished military career arose at this social event. This idea led to the book "All In: The Education of General David Petraeus," which is currently on sale. The journalist and the General met repeatedly to work on the book.
At some point during these meetings, as narrated by Time magazine ("Nation: National Security: Spyfall Nov 2012"), the two adults consensually decided to have a clandestine romantic relationship, which continued even after Petraeus's appointment as Director of the CIA.
On the other hand, General Petraeus, in his military career, had multiple opportunities to combat the terrorist group Al-Qaeda. Despite their inclination towards Islamic fundamentalism, this group extensively used email as a communication tool. However, they used email with an important variation: each terrorist cell, consisting of around 10 militants, used a single shared Gmail account with a common password among all cell members.
The idea was that whenever a cell member wanted to communicate with the cell, they would log into the shared Gmail account, write the message, and save it as a draft. Subsequently, other cell members would also log into the shared account, review the draft messages, and reply with new draft messages, ensuring that there was no "movement" of messages between email accounts that could be intercepted by the CIA.
Despite the simplicity of the procedure, this ingenious technique apparently provided Al-Qaeda with the necessary security to coordinate operations among cell militants. This last statement, I concede, may be debatable, and I invite the reader to reflect on it since, in any case, the information is stored on Google® servers.
The point is that General Petraeus, to coordinate his romantic encounters with Paula Broadwell, decided to use the same communication techniques that his rival Al-Qaeda was using.
Thus, the General and Paula created a joint Gmail account in which one would write a message, save it as a draft, and then the other would reply to the message and delete the first message. In this way, if the General's wife happened to check his email, she would find no stored messages, incoming or outgoing.
Simple and straightforward... and perhaps, foolproof against suspicious spouses.
A Calculated Error
However, General Petraeus may have overlooked the public nature of his work as the Director of the CIA and the somewhat "puritanical" and "moralistic" nature of American society.
While in other countries, such as France, marital infidelity by the Prime Minister is a socially celebrated institution with decades of history and "colorful" details, in the USA, the same act can be severely judged and criticized.
For reasons that are not relevant to discuss, General Petraeus and Paula decided to end their romantic relationship. Very respectfully and by mutual agreement, they deleted the Gmail account they had been using, and life went on: Petraeus returned to his home and his work as Director of the CIA, while Paula Broadwell continued her work as a journalist and her rank as a Lieutenant Colonel in the Army.
Some time later, Paula Broadwell entered into a new relationship, also with a married man. However, this time her new partner did not have anti-terrorism training like Petraeus, and they simply exchanged emails without any precaution of saving draft messages to delete later.
Without delving into the scandalous details of the matter, the wife of Paula's new lover reviewed her husband's emails, found the messages, and decided to directly confront Paula Broadwell about the intrusion she was making into their home.
Apparently, there was a rather difficult phone conversation in which the two women exchanged potentially aggressive comments about the husband and Paula's role in an established household.
Some time after the phone conversation ended, the deceived wife began receiving emails that she perceived as threatening. Consequently, she contacted the FBI for protection and assistance.
Agent Frederick Ward Humphries II took the case and, with the technological resources of the FBI, traced the origin of the threatening messages to the deceived wife, which naturally led back to Paula Broadwell's computer. Humphries then proceeded to conduct a forensic analysis of that computer and discovered an old, forgotten cookie that pointed to a closed and deleted Gmail account from some time ago.
During its forensic investigation and in accordance with the court's request, the FBI requested Google® to provide all the information associated with this deleted Gmail account (subpoena). Google® complied with the court order and provided metadata and messages. The metadata included IP addresses associated with the CIA, which immediately raised concerns about the counterintelligence activities of the federal government.
The messages included intimate details of the romantic relationship between General Petraeus and Paula Broadwell, as well as some other highly sensational and indiscreet messages of national security nature that were classified and inexplicably shared by General Petraeus with his lover.
All the information about the scandal was leaked to the media and gossip magazines, which didn't cease until several days later when General Petraeus decided to resign from his position (https: //nypost.com/2012/11/11/petraeus-mistress-sent-harassing -e-mails-to-woman-who-threatened-relationship-sources/, https://www.nytimes.com/2012/11/10/us/citing-affair-petra eus-resigns-as-cia-director.html).
General Petraeus was prosecuted after his resignation, and his legal process lasted for a couple of years, with no clear outcomes from the accusing and defending parties. It concluded in April 2015 when the General pleaded guilty to mishandling classified information, receiving a sentence of two years of probation without imprisonment and a fine of $100,000 (https://www.washingtonpost.com/world/national-security/petraeus-set-to-plead-guilty-to-mishandling-c lassified-materials/2015/04/22/3e6dbf20-e8f5-11e4-aae1-d64 2717d8afa_story.html).
A Brief Analysis
The first lesson, and the easiest to discern, has to do with the fact that digital information never dies... 30 years ago, records of an intimate relationship like letters or photos would gradually disappear, deteriorating just like paper does. But digital information remains intact regardless of the passing years... to put it in a Shakespearean style phrase, we could say "Ghosts from your digital past will come back to haunt you..."
The second lesson we can learn relates to the difficulty humans face when conducting information security risk analysis. Clearly, the resource of a shared Gmail account could be sufficient to protect the romantic relationship between two ordinary individuals. However, General Petraeus was not an ordinary person; in addition to being a husband and family man, he was the Director of the CIA and therefore a target not only for numerous enemies around the world but also under surveillance by the FBI and its counterintelligence departments.
From the perspective of information security and risk analysis, General Petraeus completely misjudged his adversary. By using shared Gmail accounts, we can see that the General thought his adversary was his wife, when in reality, his adversary turned out to be none other than the FBI itself, and clearly the FBI has more legal and forensic computing resources than any jealous spouse could possess.
Epilogue
Indeed, we often see these mistakes in determining the adversary in the infosec world.
For example, it happens when, let's say we're talking about a bank, they have identified a series of fraud scenarios originating from disloyal employees or perhaps common criminals, and have set up appropriate controls for these scenarios, only to discover at a critical moment that their adversary was much more powerful, as it turned out to be organized crime or a cyber warfare scenario in which a hostile government tries to destroy critical infrastructure that the bank is a part of.
A quite familiar situation... Just remember the Petya / NotPetya cyber weapons (https://en.wikipedia.org /wiki/Petya_and_NotPetya) they were developed by hacking groups linked to the Russian government and used against Ukraine as a prelude to the invasion. However, multiple organizations on this side of the Atlantic became victims of Petya and its variants... without having anything to do with the geopolitics of Eastern Europe, they were simply collateral damage in the crossfire of cyber warfare in the Black Sea region.
Likewise, the same thing may be happening with risk scenarios based on quantum computing attacks. It's possible that many organizations have designed their risk scenarios and protection based on local adversaries running classical computing, only to find that the playing field has recently changed and their adversaries can now emerge from beyond the Baltic Sea or the Black Sea, equipped with the ghostly processing power associated with the quantum world.
Indeed, much is said in the hacking world about "harvest now, decrypt later" techniques, which allow for the storage of encrypted sensitive information now, to be decrypted later when commercial quantum hardware becomes available in the cloud. These are the challenges of "adversary shift" faced by practitioners in the field of information security within organizations.
*The image used in this note was taken from https://en.wikipedia.org/wiki/David_Petraeus, strictly adhering to fair-use criteria.