When an Associated Press reporter told me in late 2017 that I was among those targeted in a hacking campaign executed by Russian operatives, I was amused. Little old me? Was I really worth targeting?
But as I scrolled through my email messages from around the time of the 2015 hacking attempts, I saw something much bigger in play with astounding security implications for the U.S. Army.
When Russia targeted my Gmail account and me, it wasn't just my personal information that was compromised. If foreign agents gained access to my data, they also gained access to the personal information of our Army Family Readiness Group (FRG) and everyone in it.
In just one month during which an attack took place, dozens of spreadsheets with the names, physical addresses, phone numbers, birth dates and even details about children for at least 500 individual Army family members had been delivered by Army unit officials to my personal email address.
If I was compromised, so were they. And they likely have no idea.
The U.S. government knew this happened and did virtually nothing.
Instead they warned only a handful of the targets, according to an AP investigation. I was not among those.
It wasn't until an AP reporter called me late last year that I had any idea this had occurred. An installment of the ongoing investigative story released by the AP today details what happened. According to data obtained by the Associated Press, I and at least four other military spouses were targeted by Russia-based foreign operatives in 2015 as part of a large-scale cyber hacking attack known as Fancy Bear.
Like the hundreds of other volunteers that fuel the Army family support group machine, I am expected to use my personal email to communicate with our FRG and unit leaders.
Generalized troop movement info, homecoming dates, deployment dates, family support group training manuals and other information about unit functions have also regularly been emailed to me. And because I rarely delete anything, all of that data and information still sits in my inbox today.
The military spouses AP reporters identified from among thousands of other targets had one thing in common: We were all quoted in a CNN story on a related hacking also ultimately linked to Russia. We were possibly selected as targets of convenience; the CNN article gave the hackers a handy list of names.
Although it is not clear whether foreign operatives ever did actually gain access to my email account, the personal security implications of the attempt are sweeping and should be a shock to everyone in the Army community.
The Army has a responsibility to tell families that their data may have been compromised through access to my inbox or the inboxes of other targeted individuals. According to the AP, the FBI knew who was on this list. However, I was never notified by any U.S. official that I had been targeted. To the best of my recollection, I never received any notification or correspondence from Google, either.
Thanks to the Army's support system and its reliance on a network of unit family member volunteers instead of paid employees, a foreign state can quickly and easily gain access to the personal data of families of deploying troops, including their physical locations, simply by targeting the unsecured email accounts of unit spouses.
It's not hard to see how the troop and family security situation unravels once that access is gained. If a U.S. soldier was to be captured and interrogated, how could information on his or her family be used? How could it be leveraged through social media? How could it be utilized through a targeted misinformation campaign?
At the root of this security problem is the Army's volunteer-run Family Readiness Group, the service's solution to the moving target of family support in an era of budget cuts and disengagement.
Army officials know families need information on important dates, like deployment homecomings, as well as other resources. They also know that -- thanks to geography, busy schedules or simple disinterest -- getting families physically in a room to hear that information is basically impossible.
Ten years ago, when the Army was flush with funding, units had paid family support positions held by employees using secure email servers in on-base offices. But budget cuts eliminated those positions, pushing the jobs instead to junior officers within the units and a parade of ever-changing volunteers working from home.
For that volunteer-based system to function, contact rosters are shared, often by unsecured email. When information needs to be shared, the volunteers contact each person on the list they've been assigned. Family members are strongly encouraged to allow their details to be included on the call sheets under threat of missing information they really do want to have, like the date of their soldier's homecoming.
Some brigades still employ a Family Readiness Officer (FRO), but often only during deployment. Others rely exclusively on the volunteer system.
While units across the services may follow their own individual procedures, it appears that only the Army allows widespread, unsecured email sharing of their rosters. I also can't say that every Army unit functions this way, but it has been standard practice in each of the five Army units with which I have volunteered.
The emailing of rosters does not seem to be directly against any specific Army policy. And if it is, the standard is largely ignored. Although a 2015 Army FRG handbook, for example, notes that "obsolete [roster] copies must be collected and destroyed," and that "when a key leader leaves the job or moves, that leader's copies should be turned in to the supervisor," it never states that the roster should be shared only by hard copy.
I found that handbook in my Gmail inbox this month, attached to the same March 2015 email message as six individual rosters containing the personal details of more than 300 family members.
I do not remember ever being told to delete a roster.
The hacking attempts I'm told were from Russia appeared in my inbox as emails that looked like they were from Google but were actually phishing attempts. If I clicked through and entered my existing password, I would have handed the hackers total access to my account, likely without ever noticing they were using it.
As a result of that infiltration, they would have had access to the rosters I was receiving at the time, as well as those I had received in the past and any I received thereafter.
Did Russian hackers actually access my inbox? According to the AP, the unique link in at least one of the multiple hacking attempts sent to me was clicked at some point. Whether it was by me is impossible to tell, the reporter told me, since the AP has found that sometimes the hackers clicked through their own links to make sure they were working.
To the best of my recollection, I did not click it. But maybe I did. Do you remember what you clicked any given day three years ago?
No matter how you shake it out, the hacking attempts on my account and the information that was potentially compromised must spark some hard conversations at the Pentagon about how we treat military family information and protect the people who handle it.
Should we be emailing it out? Is it fair to rely on volunteers to keep it secure?
If family information and security is valuable to the Army -- and it should be -- putting cash behind staffing a family support job is not just appropriate, it's a necessary security investment.
Leaders must also update and enforce FRG standards to eliminate the unsecured sharing of personal family information.
