In the world of cyber security, a “honeypot” is typically a trap set up on decoy servers designed to appear like they are a part of the genuine network. Isolated and monitored, the honeypot is used to gather information about an attack or the person logging into the system. But the term itself has been around longer than logins and passwords, and as it applies to state security, it’s also a recruitment tool (popularized by the world of espionage fiction) where sex is used to lure people into a position where they can be blackmailed.
But what happens when cyber and state security intersect? Some 15,000 of the reported 36 million email addresses that were leaked in the Ashley Madison data dump belonged to either military or federal government domains. It’s likely that people with security clearance were left exposed and vulnerable.
“This situation exemplifies the need for people to understand that any information that they do not want potentially leaked or to be made public—no matter how private they feel the site they are posting to is—should consider the implications of posting information that could be used against them, and whether they could be bribed or face other consequences,” says Tyler Cohen Woods, a cyber security advisor with Inspired eLearning, and a former Defense Intelligence Agency senior intelligence officer.
Given the sheer number of .mil email addresses that have been leaked, it isn’t entirely clear how the U.S. military might respond. Adultery is a cause for military punishment under the Uniform Code of Justice. Moreover, service members who are caught in an affair can face a dishonorable discharge.
Yet the military hasn’t actually said much on the issue. One reason may be that there is no proof that those named in the 9.7 gigabyte data dump of Ashley Madison users were actually having an affair. “There is no crime in signing up for a website,” Wayne Hall, an Army spokesman, told the Daily Beast last month.
This isn’t to say that the people whose names appeared on the list will be given a free pass. “For decades in all U.S. military services, extramarital affairs or other sexual improprieties have been considered reason enough to demand a commissioned officer’s resignation,” says Charles King, principal analyst at Pund-IT. “The assumption being that if an officer wasn’t willing to honor his or her marriage vows, he or she couldn’t be trusted to honor military vows.”
Such an example was made of Brigadier General Jeffrey A. Sinclair. In 2014, the Army officer was demoted two levels in rank for sexual misconduct, and was forced to retire as a lieutenant colonel. And Sinclair is hardly alone in failing to honor his vows to the military or spouse. According to data compiled by The Associated Press, approximately 30 percent of military commanders fired in the past decade were dismissed over sexually related offenses that included harassment, adultery, and improper relationships.
But without proof of an affair, soldiers may not be forced to resign or even face charges. Still, being attached to Ashley Madison could follow them in other ways. “Those with .mil addresses will likely come under scrutiny, and they may be questioned about it,” says Alan Webber, research director for innovation and transformation at IDC. “However, we won’t know whether there will be any repercussions as this will be treated as a personnel matter.”
What’s more likely is that those in command positions may find a black mark in their service records. “The higher the rank the more you have access to,” says Webber. “So from that perspective those of a higher rank may come under greater scrutiny.”
And outside the military, people with security clearance may also be impacted by the hack. Leaked accounts included email addresses for Department of Homeland Security, Department of Justice, and State Department workers. Ashley Madison-linked employees holding security clearance may have violated the government’s Adjudicative Guidelines for Determining Eligibility for Access to Classified Information, specifically Guideline D: Sexual Behavior, which says conditions that could raise a security concern include: “sexual behavior that causes an individual to be vulnerable to coercion, exploitation, or duress.”
Based on the wording, it would seem like those who merely signed up for the site—even if they didn’t engage in actual sexual activity—would violate the guidelines.
“There is no law that says you can’t have an affair,” says Webber. “Where it could be an issue is for those with TS/SCI level (Top Secret/Sensitive Compartmented Information) clearance, where (they) might need to take a polygraph. In this case, it could be an issue for background checks.”
None of this suggests the government will conduct an investigation of the military members and government workers who appear on the list, but these people could be asked about the hack when they are up for promotion or higher security clearance.
But from a state security perspective, ultimately the question is just how compromising this information actually is. The value of the data dump to any intelligence agency is questionable, says Webber. On the one hand, the intelligence community is always seeking ways to get information about individuals, but exposure this widespread probably lessens the chances it could be used in blackmail, since the information is already “out there.”
“It looks to me like all the data is being dumped onto the Internet, so the potential for it to become leverage in some scheme is dropping faster than my 401K,” says Jim Purtilo, a professor at the University of Maryland who researches cyber security techniques.
“Everyone is going to know the Ashley Madison secrets soon enough,” he says. “I don’t think you could compromise anyone by threatening to open a barn door after the horses have already escaped.”