A senior information security professional with intimate knowledge of federal systems has raised new security concerns about former Secretary of State Hillary Rodham Clinton’s use of a private email address and server to carry on official business, telling Fox News it would have been virtually impossible for White House officials to be unaware of the practice.
For one thing, the expert said, Clinton received many sensitive White House emails regarding top-level “Principals” meetings (sessions involving the most senior heads of government departments and agencies) that she attended during her four-year tenure.
“There would have been all kinds of correspondence that occurred about these,” the expert, who could not be more specifically identified, told Fox News. “Notices of meetings, agendas, outcome documents, action plans. Some of this would have been received by the Secretary’s staff but some of it would have gone directly to a private email address.”
“It would have been almost negligent not to have noticed” the private email address, the info-security professional noted, pointing out that Clinton’s email would have stood out even more in a slew of group emails directed to top officials with government email addresses.
The expert’s observations were not meant to indicate that President Obama himself would have known about all the circumstances surrounding Clinton’s email. White House Spokesman Josh Earnest said last week that Obama was aware of the email address but “was not aware of the details of how that e-mail address and how that server had been set up or how Secretary Clinton and her team were planning to comply with the Federal Records Act.”
This kind of bureaucratic traffic, the expert said, “is considered ‘Sensitive But Unclassified’ and ‘For Official Use Only,’” meaning that despite its non-secret nature it is meant to be sent and received only on government information systems.
The White House press office responded to questions about email communication to Clinton regarding principals meetings with the response that when the State Department had reviewed some 55,000 pages of printed-out Clinton emails, “you’ll certainly know where to find us and we’ll be happy to do the best we can to address any questions” about White House-related issues.
Whatever dispensation Clinton may have received for her private email, the specialist said, such practices “are officially banned” de facto through federal policies that forbid government employees from using Web-based email for official business “due to inherent security flaws” that make government information systems more vulnerable to hacker attacks, or “increase the attack surface,” in info-security jargon.
“They are considered insecure” even for routine traffic, the expert continued, because even unclassified federal government email systems contain “lots of controls” to monitor such things as potentially harmful email attachments, known in jargon as “nefarious executables,” to help protect the system from hackers.
“When you leverage Web mail these are just not there,” the expert observed. In some sensitive government positions, attempts to use private email accounts within government offices are automatically blocked altogether, although this was clearly not so in Clinton’s case.
All of these info-security concerns increased dramatically in the wake of the spectacular release of State Department cables and other U.S. government traffic in 2010 and 2011 by WikiLeaks, whose founder, Julian Assange, is still claiming political asylum in the London embassy of Ecuador’s leftist government. (Clinton served as Secretary of State from 2009 to 2013.)
“Because she was a VIP,” the specialist added, then-Secretary Clinton “would have been heavily targeted anyway” by hackers, meaning that anything that further reduced her information security would be worthy of additional note.
Moreover, the expert said, “her whole address book would have been targeted” by hackers—Clinton has said she exchanged emails with about 100 officials through her private email address—meaning that any consideration of the risks of her use of private email would also have to take account of that fact.
Among those who “definitely would have known” from the outset of Clinton’s private email system, the information security professional asserted, was the State Department’s Chief Information Officer, whose office sets up all of State’s email accounts, and “probably” the department’s Chief Information Security Officer.
Among other reasons why both would be aware, the expert said, is that Clinton’s private email address would not appear in normal fashion in the Department’s Global Address Lookup—the email directory—but would have to be added if any regular communication with Clinton would take place.
State’s current CIO, Steven C. Taylor, got the job in April 2013, but held the position on an acting basis starting in August 2012. He was State’s Deputy Chief Information Officer (DCIO), the information security slot, and Chief Technology Officer of Operations from June 2011 until his promotion.
Due to the “special attention” it would receive, the professional noted, it would also likely have been known about through the upper reaches of the State Department’s Office of Management, headed by Under Secretary of State Patrick Kennedy, whose oversight includes the CIO and his Bureau of Information Resource Management. Kennedy reports to the Secretary of State.
The Chief Information Officer and his department have come under continued criticism over several years from the Department’s Inspector General for a wide variety of security and other lapses that date back at least to 2010.
Delving further into the information security issues surrounding Clinton’s controversial email use, the professional who spoke with Fox News advised, might better focus not so much on the “forensic” issues surrounding her emails, which are at best two years old, but on a “process audit” of the context in which she was enabled to use the private system, which might have implications for the future.
Among the questions that the professional suggested for such an audit: “Who approved the use? How did the Department of State even draw the conclusion that the use was appropriate? What checks and balances were put in place at the time?”
And importantly: “What additional security holes were introduced as a result?”