Manitoba premier vows there were no leaks from use of wife's email — but how does he know?

Brian Pallister used his wife's email and cellphone for government business

Manitoba PC Leader Brian Pallister and his wife, Esther, celebrate his party's election victory with candidates and supporters in Winnipeg in April 2016. The premier says he is no longer using his wife's email account. (John Woods/Canadian Press)

Cybersecurity experts say there's almost no way Manitoba Premier Brian Pallister could know if using his wife's personal cellphone and email had led to a leak.

Pallister addressed the media on Wednesday for the first time since news broke that he had used his wife's account and device to conduct government business.

CBC News first reported last week that sensitive government material, including a budget speech, was sent to Esther Pallister's personal email account. 

On Wednesday, the premier repeatedly asserted he had never been the subject of a leak and that he no longer used his wife's email. 

"I haven't been associated with a leak, ever, in my public life. So I take this issue very seriously," said Pallister.

"I can only tell you that we've made the necessary improvements to move to a new realm of protection and that there were no leaks as a consequence of the practice that we engaged in."

Despite Pallister's reassurances that he has never been hacked, cybersecurity experts say the premier might not be aware if there had been a security breach.

"There's really no way to guarantee that," said Daniel Tobok, CEO of cybersecurity firm Cytelligence. "Particularly on a personal email account such as Yahoo, Gmail and so on. And because unfortunately there's no alerts and no real-time monitoring to actually effectively tell you." 

Even for large organizations, it can take a long time before evidence of a hack is discovered, if it ever is.

"If we look at the JPMorgan hack from about two years ago, it was several months before they actually discovered that they actually had a significant hack inside their systems," said Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada.

People find workarounds

Often the security features used by online services can prove ineffective. A CBC reporter discovered that the password on Esther Pallister's email could be reset by answering the question: "What is your mother's maiden name?"

"When you have a simple question and simple answer as a security feature, in terms of trying to prevent your password from being reset, it becomes a challenge, particularly when you're a public figure, because a lot of information may be publicly available about you," Kabilan said.

The issue isn't limited to politicians. Senior members of corporations and other organizations also skirt rules around security.

People don't follow proper security protocols for many reasons, Kabilan said.

"When there is a lot of security, or the usability is poor, people find workarounds to make things easier," he said.

For example, a device might not have access to a web browser and email at the same time, meaning the politician or senior official might resort to a secondary device, Kabilan said.

"People struggle with the systems that are provided to them. People are very smart, they try to find workarounds to make their lives easier," he said. "In many cases, these people are trying to do their jobs, and trying to do them as efficiently as possible, and in the easiest way possible."

Password reset requirements outdated

Many of the rules for cybersecurity in place today are outdated, Kabilan said. For example, many organizations require staff to reset their passwords after a period of time.

That approach was originally set up with the belief that it would take some time before someone could compromise your system. Today, if your password's compromised, it would take about two seconds or less, Kabilan said.

So instead of improving security, forced password resets can hurt it by pushing people to write down new passwords or leave them in an unsecured place.

Tobok recommends people protect themselves by having a secondary email account where they can receive email reset notifications.

Using two-factor authentication, which requires a second factor such as a cellphone in addition to a password, can also help.

The Privacy Commissioner of Canada recommends people avoid using obvious passwords like their mother's maiden name, child's name, pet's name, or other references that someone may be able to guess through information posted elsewhere.