Then-Secretary of State Hillary Clinton, by using her own email address and server for official business, was not only skirting government guidelines but taking serious cybersecurity risks as well, IT professionals tell FoxNews.com.
While secretary, Clinton was using her own private clintonemail.com domain, as well as doing government work on personal email.
IT consultant Bruce Webster, who has been digging into the mystery of the private Clinton emails, says that while government servers are certainly vulnerable, they still have highly maintained controls and 24-7 monitoring for potential breaches.
He said Clinton’s emails would have been less protected than if they went through the State Department networks.
“The most secure way would have been to actually use the State.gov servers,” he told FoxNews.com. “[The government] takes security very seriously. They have whole platoons of people dedicated to ensuring their servers aren’t hacked.
“If she has a private server running somewhere and she was doing everything on it, the question is, how secure could it have been?”
He said it’s unclear whether Clinton ran a personal server in her Chappaqua, N.Y., home, as suggested Thursday by the Associated Press, or she maintained a dedicated one through a hosting service elsewhere. Webster said while Clinton may have had her own server, it could have been hosted externally. He found at least two Internet Protocol (IP) addresses associated with the clintonemail.com domain were also linked to two hosting services, Planet and Confluence Networks, “for the entire duration of the domain’s existence.”
But even with an outside hosting service, he said, “you’re really opening the doors for a security breach,” depending on where the servers were, who had access to them, and whether the services were reputable.
The level of security would depend on several factors.
James Turner, a software engineer and freelance technology journalist, told FoxNews.com that using your own dedicated server for email – unlike a Gmail or Microsoft account – gives one “absolute control of it, and it’s not likely to be the target of someone looking for a large score.
'No employee has the authority to circumvent [security controls]'
- Matt Curtin, cybersecurity consultant
“If you’re an island unto yourself, you’d have to be specifically targeted. If it wasn’t well known, then it was probably safe.”
But the secretary of state isn’t an ordinary email user. If someone had found out about the private domain, her server could be especially open to breaches unless she had the industrial-strength security operations to protect it.
“A company like Google has an entire team of security folks doing nothing but locking doors,” Turner said.
He said: “So the basic question is, did outsiders know about [Clinton’s] email server?”
Clinton’s email domain reportedly surfaced in the case of one major hack – when Clinton aide Sidney Blumenthal was breached by Romanian hacker Guccifer. Blumenthal reportedly was communicating with a “clintonemail.com” domain.
Fox News has also learned from a prominent hacker that Clinton appears to have established multiple email addresses for her private use, and possibly the use of her aides, under that domain.
According to reports, Clinton employed an email security service on the backend, MX Logic, which scrubs emails before they are received for bugs and spam. It is not clear whether the government had access to her server at any time to ensure it maintained any formal security standards.
According to an Al Jazeera America report, State Department technology experts were concerned about Clinton's use of a separate system, but their fears "fell on deaf ears."
Aside from cybersecurity, the other major concern surrounding Clinton’s email practices is that they were not all automatically saved or considered part of records requests. That is why the House committee investigating the Benghazi attacks subpoenaed her emails earlier this week.
Clinton earlier turned over 55,000 emails to the department, when she was asked for them. Clinton late Wednesday tweeted that she has asked the State Department to make those emails public.
Both Clinton's current spokesman and a spokeswoman for the State Department said Clinton's emails contained only unclassified exchanges.
Experts remind that Clinton may have been mindful of previous security breaches on State Department networks when she established her own email address. There were significant break-ins in 2006 (and 2014) -- and in 2010, U.S. soldier Chelsea (then Bradley) Manning swiped 250,000 diplomatic cables from the servers and gave them to WikiLeaks.
“Ironically, Clinton’s server could have been more secure,” Turner said.
But Matt Curtin, a cybersecurity consultant and president of Interhack, said whether the government is vulnerable is “irrelevant.” When someone with access to sensitive government information goes rogue with their email, he said, then the whole system is rendered “blind” and open to attack.
“She doesn’t have the authority as secretary of state to go around the [security] controls,” he charged. “There are procedures and rules that govern the way this is managed. No employee has the authority to circumvent the mechanisms.”
The Associated Press contributed to this report.