“Cybersecurity specialists said the agency bungled a routine task by telling agents to back up their own records, which is ‘not something any other organization would ever do’
Cybersecurity experts and former government leaders are stunned by how poorly the Secret Service and the Department of Homeland Security handled the preservation of officials’ text messages and other data from around Jan. 6, 2021, saying the top agencies entrusted with fighting cybercrime should never have bungled the simple task of backing up agents’ phones.
Experts are divided over whether the disappearance of phone data from around the time of the insurrection is a sign of incompetence, an intentional coverup, or some murkier middle ground. But the failure has raised suspicions about the disposition of records that could provide intimate details about what happened on that chaotic day, and whose preservation was mandated by federal law.
“This was the most singularly stressful day for the Secret Service since the attempted assassination of [Ronald] Reagan,” said Paul Rosenzweig, a senior policy official at the Department of Homeland Security during the George W. Bush administration who’s now a cybersecurity consultant in Washington. “Why apparently was there no interest in preserving records for the purposes of doing an after-action review? It’s like we have a 9/11 attack and air traffic control wipes its records.”
Rosenzweig said he polled 11 of his friends with cybersecurity backgrounds, including information-security chiefs at federal agencies, on whether any of them had ever done a migration without a plan for backing up data and restoring it. None of them had. “There’s a relatively high degree of skepticism about [the Secret Service] in the group,” he said.
The Secret Service said it began deleting data from officials’ phones in the same month as the Capitol siege, when its agents were among the closest eyewitnesses both to President Donald Trump, now under criminal investigationfor his push to overturn the election, and to Vice President Mike Pence, who had narrowly escaped the mob.
The agency said the deletions were part of a preplanned “system migration,” that agents had been instructed to back up their own phones, and that any “insinuation” of malicious intent is wrong.
But tech experts said such a migration is a task that smaller organizations routinely accomplish without error. The agency also went through with its reset of the phones more than a week after Jan. 16, 2021, when House committees told officials at DHS to hand over all relevant “documents or materials” as part of their investigations into the deadly assault.
The error likely means that the information, which could reveal details critical to the Jan. 6 committee’s ongoing investigation, may be extremely challenging if not impossible to retrieve. Some of the data may remain on the phones, even after deletion, but with options for unlocking it that are slim to none.
If the Secret Service had truly wanted to preserve agents’ messages, experts said, it should have been almost trivially easy to do so. Backups and exports are a basic feature of nearly every messaging service, and federal law requires such records to be safeguarded and submitted to the National Archives.
Several experts were critical of the Secret Service’s explanation that it had asked agents to upload their own phone data to an agency drive before their phones were wiped. Cybersecurity professionals said that policy was “highly unusual,” “ludicrous,” a “failure of management” and “not something any other organization would ever do.”
The error is especially notable because of the Secret Service’s vaunted role in the federal bureaucracy. Besides protecting America’s most powerful people, the agency leads some of the government’s most technically sophisticated investigations of financial fraud, ransomware and cybercrime.
“Telling people to back up their stuff individually just sounds crazy,” said one technology chief interviewed by The Post, who spoke on the condition of anonymity to discuss sensitive information security practices. “This is why you have IT people. Why not tell people to go buy their own ammunition?”
On Thursday, The Washington Post revealed that phone records from Trump’s acting homeland security secretary, Chad Wolf, and acting deputy secretary Ken Cuccinelli in the days leading up to the Capitol riots also apparently vanished due to what internal emails suggested was a “reset” of their phones after they left their jobs in January 2021. Wolf has said he gave his phone to DHS officials with all data intact, and the reset appears to have been separate from the Secret Service’s migration.
Some experts said they could see how such errors were possible. Both the DHS and Secret Service are known for a culture of secrecy, a disdain for oversight and a preference for operational security above all else. Among the potential technical complications, these experts said, was the fact that DHS and Secret Service personnel can use iPhones and Apple’s iMessage for communications, which encrypts texts and stores them on the phone.
But several experts said they could not understand why the agencies had not worked more aggressively to safeguard phone records after Jan. 6 — not only because they were legally required to, but because the information could have helped them scrutinize how they had performed during an attack on the heart of American democracy.
In a letter to the House select committee investigating the insurrection, Secret Service officials said they began planning in the fall of 2020 to move all devices onto Microsoft Intune, a “mobile device management” service, known as an MDM, that companies and other organizations can use to centrally manage their computers and phones.
The agency said it told its personnel on Jan. 25 to back up their phones’ data onto an internal drive, notably offering a “step-by-step” guide, but that employees were ultimately “responsible for appropriately preserving government records that may be created via text messaging.” The Secret Service said agents were told that enrolling their devices in the new system, via a “self-install,” was mandatory, although it was not clear that actually performing the backup was.
The migration, the agency said, began two days later, on Jan. 27 — 11 days after the committee had first instructed DHS officials to preserve their records. Some experts questioned why, even if the process had been preplanned, the agency did not pause the migration or assume a more direct role in preserving agents’ data during that 11-day span.
The Secret Service said that the migration process deleted “data resident on some phones” but that none of the texts that DHS Inspector General Joseph Cuffari had been seeking were lost.
The agency watchdog had requested all text messages sent and received by 24 Secret Service personnel between Dec. 7, 2020, and Jan. 8, 2021. The agency returned only one record — a text message conversation from a former U.S. Capitol Police chief to a former chief of the Secret Service’s Uniformed Division on Jan. 6, asking for help.
Cuffari’s office said last week it has launched a criminal investigation into the missing data. But congressional Democrats have since pushed for Cuffari’s removal, saying the Trump appointee’s failure to promptly alert Congress has undermined the investigation and diminished the chances that lost evidence could be recovered. Cuffari’s office, they said, learned in December that messages had been erased but did not tell Congress until this month.
Cuffari said earlier this month that “many” texts from Jan. 5 and 6 were erased after he made his first request. Secret Service spokesman Anthony Guglielmisaid in a statement that Cuffari’s office made its request for the first time in February 2021, after the migration was underway.
Asked for comment Friday, the Secret Service provided a previously issued statement, saying it was cooperating with the investigation.
Data migrations of these sorts are not uncommon, experts said. One of the basic rules for conducting them is that devices should be backed up with redundant copies in such a way that the process can be reversed if something goes wrong. Microsoft Intune, specifically, offers guides for how to back up devices, restore saved data and move devices onto the service without deleting their data outright.
The baffling decision-making and the timing of the deletions have led some critics to question whether the agencies were seeking to conceal inconvenient facts. The messages, they pointed out, may have shed a negative light on the behavior of Trump, a man whom many in DHS and on the Secret Service had long fought — not just professionally, but personally and politically — to protect.
One former senior government official who served under Trump said they viewed the missing texts not as a conspiracy but as the inevitable result of an organizational failure by DHS to set up systems that would ensure proper data retention on employees’ devices.
The use of iPhones, which prioritize individual users’ privacy over organizations’ ability to centrally manage data, creates challenges for data retention that are solvable through the right practices. But relying on individual Secret Service agents to upload their iMessages, without any other backup system or way to ensure compliance, before permanently wiping their devices suggests that such practices were not in place.
“What they’re doing is they’re shifting the burden to the individual user to do the backup, and that’s a failure of policy and governance,” the former official said. “It’s the overarching program that was set up for failure.”
The former official added that it’s unclear how much, if any, sensitive communication Secret Service agents would have been doing via iMessage anyway. In many government agencies, employees carry personal devices as well as their work devices, and rules about keeping work communications on work devices are not always diligently followed.
The Secret Service blocks its phones from using Apple’s iCloud, a popular service for automatically saving copies of phone data to the web, according to an agency official who spoke on the condition of anonymity to discuss a sensitive matter under investigation.
Using iCloud backups could have ensured that copies of the messages would have been preserved even after a phone reset. But the system could have also been seen as a security risk because it made agents’ digital conversations more vulnerable to hackers or spies.
A former head of technology at another agency within DHS, speaking on condition of anonymity to describe security practices, told The Post that not using iCloud “does come with trade-offs” but could also reduce the need for security officials to “worry about very sensitive data” being exposed.
Agents could have copied data onto an agency backup drive, even without iCloud. But the Secret Service, more than other top security agencies, “tends to want to do their own thing and segment off their IT solutions as much as possible,” the person said. “They have good reason, and the security culture itself is fairly good because of the mission.”
Robert Osgood, director of the computer forensics program at George Mason University and a longtime forensics examiner for the FBI, said federal law enforcement agencies are typically “really good at storing data” and that, under normal circumstances, it would take “a comedy of errors” for an organization such as the Secret Service to delete data critical to a high-profile investigation.
But “a comedy of errors does happen in the government, unfortunately, and happens more times than people think,” Osgood said. Secret Service agents on the president’s security detail, he added, may also face unique incentives to avoid leaving data trails about sensitive matters.
“By the nature of what they do, they can’t be the eyes and ears of Congress or the inspector general or the DOJ, because that would actually interfere with their mission” to maintain the president’s trust and privacy, Osgood said.
Preserving the records could have also been complicated by officials’ choices on how they communicated. It’s unclear how many agents used messaging apps such as Signal or Wickr, which have become popular for their encryption and security protections, or carried personal phones on Jan. 6. One former government official said such behavior is common in DHS, especially within small or select groups such as the presidential and vice-presidential details.
As part of DHS, the Secret Service would have been required to use some form of “mobile device management” service even before the Intune migration, a former FBI cybersecurity agent told The Post.
But the agency has not specified what MDM it migrated from, and each system works in different ways. Some allow for complete access to phone contents by IT administrators, while others permit only a couple of actions, such as deleting or “wiping” data from a device after it has been discontinued. Some MDMs, including Intune, also allow organizations to restrict what apps employees can download to their devices, potentially limiting their options for messaging to officially approved apps.
If the agency had pursued a typical migration process, experts said it would be strange for the agency to have lost data for only some agents, or for more than a day. A veteran data forensics expert at a large consulting firm who was not authorized to speak publicly said it “does sound fishy” that so much data would go missing.
Leaving backups of critical data to individual employees would be an odd choice for an organization’s IT department if the top priority were to make sure nothing was lost, said Paul Bischoff, an online privacy expert at the security firm Comparitech.
“If individual staff members were responsible for backing up and resetting their own devices instead of trained IT staff, I can see a lot of opportunities for user error to crop up,” Bischoff said. “That might result in some data being accidentally lost, or it could just be a convenient alibi.”
It also remains unclear whether the data is gone forever. It is sometimes possible to retrieve data deleted in a factory reset of a phone, depending on how the data was stored, Bischoff said. “Until the old data is actually overwritten with new data, it can remain on disk even after a factory reset and in many cases be recovered using forensic software.” That may not be possible, however, if it was encrypted or overwritten before the reset.
Osgood said he takes the Secret Service at its word that it didn’t intentionally destroy what it should have known could be critical evidence in a historic investigation. But he said its explanations to date leave “more questions than answers.”
Carol D. Leonnig contributed to this report.