The Joint Chiefs of Staff unclassified email system is now back online, after having been down for more than two weeks, following a breach that some officials have blamed on the Russians. Media reports have stated that no classified information was stolen in the attack. But that isn’t quite as reassuring as it might seem: A great deal of metadata and surrounding context can still be inferred from unclassified emails. These inferences might include the social connections between people, the names of projects a person is working on, how emails are formatted, and what jargon a person uses. On the surface, this kind of information might seem innocuous. However, in the hands of a skilled and patient adversary, this information can be used to exploit human weaknesses in cybersecurity.
It could particularly be used in spear phishing—email-based attacks targeting specific organizations or individuals. The goal of spear phishing is to fool people into circumventing all of their own cybersecurity defenses, tricking people into sharing their password, replying with sensitive documents, or installing malware. One notorious example of spear phishing was the breach at the company RSA back in 2011, in which attackers successfully sent a malware-laden spreadsheet named “2011 Recruitment Plan” to two small groups of employees and possibly stole information about the company’s cybersecurity products.