CIA Director David Petraeus testifies before the U.S. Senate Intelligence Committee during a full committee hearing on "World Wide Threats" in Washington, D.C. Jan. 31, 2012
In some ways, David Petraeus and Paula Broadwell prove a point about human nature that is often made by security experts: very few of us have the discipline to protect our privacy consistently, even when intensely personal matters are concerned. We are inattentive to things we know about (cameras on elevators), disregard uncomfortable facts (employers log Web browsing) or give in to convenience (e-mailing a password).
Still, friends remain astonished that the CIA director and an Army Reserve intelligence officer did so little to conceal a transgression with such high stakes. “For a guy who’s pretty savvy, even if he was going to succumb to this temptation, it’s a surprise he’d write it down,” says Brigadier General Peter DeLuca, commandant of the U.S. Army Engineer School, who served two tours in Iraq as one of the “smart boys” around Petraeus.
CIA security director Mary Rose McCaffrey alluded in October to the steps her aides routinely took to protect Petraeus from the intense scrutiny of foreign intelligence agencies: “He’s so visible that literally every day we scan his computer, because he has both his classified computers and his unclassified computers.” She added, presciently, “He has been so educated in this new job, and he is so smart and so good at this, but even four-stars have room to learn.”
If he learned, it did not show. The chief spook and his paramour took absurdly inadequate steps to cover their tracks, as if they did not really want to bother. They used fake names to create free webmail accounts but not commercial VPNs or the more robust Tor service to mask their Internet addresses. They exchanged messages in the clear, without using freely available encryption tools.
For some exchanges, Broadwell and Petraeus used a long-outmoded terrorist technique: they shared an e-mail account, with one saving a message in the Drafts folder and the other deleting it after reading it. Though terrorists once believed this electronic dead drop sidestepped surveillance, federal prosecutors have openly acknowledged since 2003 that it does not work.