When Donald Trump took office, he received a Secret Service–approved encrypted device to replace his personal phone. This is the same security measure put in place when Barack Obama became president. Obama chafed at the restriction, and lobbied for an augmented version of his beloved BlackBerry. Even when he upgraded to a newer smartphone, he complained to Jimmy Fallon about how much he hated his locked-down gadget. Trump seems to have something in common with Obama, then — a conviction that using a secured device is intolerably boring. But his method of rebellion is different. As The New York Times reported this week, Trump still uses his trusty Android phone to send tweets about what he sees on Fox News. (The Times used a @realDonaldTrump tweet as an example; it is not clear what device he uses for @POTUS tweets.)
Having a locked-down phone does sound lame, but it’s an essential precaution. Eliminating a camera, microphone, and most communications apps helps protect presidents from surveillance and interception. Frustration is understandable. Ignoring basic safeguards for the sake of convenience and entertainment is not.
This is not an isolated lapse in judgment. It is a symptom of the Trump White House’s habitual apathy toward operational security. Newsweek reported this week that several inner-circle Trump White House staffers, including chief strategist Steve Bannon and counselor to the president Kellyanne Conway, used private email addresses until Wednesday, which is notable partly because those private accounts may not have been properly secured but also because Trump aggressively questioned Hillary Clinton’s fitness for presidential office because of her and her staffers’ use of a private email server. And since last week, a hacker known as WauchulaGhost has been tweeting about how easily anyone can figure out the Gmail addresses linked with one or both of Trump’s Twitter accounts (@realDonaldTrump is Trump’s personal account, which he tends to use more, and @POTUS is the official account of the president, where messages often come from his team). WauchulaGhost tweeted similar warnings about Melania Trump’s @FLOTUS account, press secretary Sean Spicer’s account, and assistant to the president Dan Scavino’s account.
The accounts’ settings allowed anyone to request a password reset, exposing the redacted but partially visible Gmail addresses. By leaving these redacted email addresses out in the digital open, Team Trump made it easy to guess the personal email addresses associated with their accounts. All of these Gmail addresses could very well have two-factor authentication turned on. They could have incredibly complex passwords. They could be as thoroughly guarded from intrusion as Gmail accounts can be. The public doesn’t know that information, and without it, I cannot make a judgment call about exactly how vulnerable the corresponding Twitter accounts are to direct intrusion. But I can say that this security failure left these addresses open to phishing attacks like those that fooled former Clinton campaign chairman John Podesta. And the fact that nobody thought about making such an easy security fix suggests that nobody gave official Twitter security much thought.
After several news reports pointing out this poor operational security breach, the email address associated with @POTUS appears to have been changed to a White House email. Belated attention is better than no attention, I suppose, but this indicates how little operational security preparation happened during the transition. Trump already had his personal Twitter account hacked, in 2013, and despite the intrusion, did not take one of the most basic steps to protect his account, requiring additional information to get a password reset link sent.
I don’t know if it’s possible to overstate how important operational security is to national security, particularly for Trump’s avidly watched Twitter accounts, which move markets and could conceivably start wars. BuzzFeed’s Joe Bernstein has laid out the potentially fearsome consequences of a Trump Twitter hack. Yes, we’re talking about @realDonaldTrump, Trump’s personal account, but make no mistake — just because this isn’t the official @POTUS account does not mean it’s any less important. The world knows this is where Trump tweets from; this account wields significant power. “If the hacker were geopolitically motivated, they could tweet favorably or unfavorably about a country or a leader (as Trump has done) and alter foreign affairs,” Bernstein wrote. “Or if the hacker had a grudge, they could call their enemy out in a tweet (as Trump has done) and unleash the rage of Trump’s nearly 19 million followers.” (He’s up to 22.3 million now on @realDonaldTrump.)
This pattern of reckless behavior demonstrates that we have a White House either so blithely nonchalant as to ignore obvious, easily fixable security gaps, or one that simply doesn’t understand the magnitude of digital security. “I know a lot about hacking,” President Trump told reporters last month. Seems like he could learn a lot more.