Hillary Clinton was emailing more than 100 government officials for four years on a personal account. Her office even says the practice was “widely known” to those colleagues, since her address was visible.
So why no red flags?
While Clinton says she followed the rules, questions are mounting over why administration and government information security officials apparently did little to nudge her back into using the government system – which various guidelines make clear is preferred, if not legally required.
Part of the problem may be that a key IT office has been plagued with problems and confusion for years. Plus, the responsibility for email systems is so far-flung across the government that it's unclear whether any one person or agency could be accountable.
“What we have here is a lack of clear ownership of both IT infrastructure and the ability to enforce specific policies within the government,” David Kennedy, founder of cybersecurity firm TrustedSec, told FoxNews.com.
Overall, the government’s information security responsibilities are split between the White House cyber czar and the Defense and Homeland Security departments. However, most of this is big picture and doesn’t break down into a government official coming in to check out State email systems or see if employees are in compliance.
On paper, at least, that task would appear to fall to offices within the State Department.
One, the Bureau of Information Resource Management, Office of Information Assurance, is supposed to certify the security status of more than 170 information systems in the department. And a newly released inspector general report indicates the bureau deals with the issue of record-preservation and emails as well. The report, which said State employees haven’t gotten proper training or guidance to preserve “record emails,” said the Bureau of Information Resource Management launched that system in 2009.
The same report said a different bureau – the Bureau of Administration – should “exercise central oversight” over that system. In other words, BIRM administers the technical side of emails and record-keeping; and the Bureau of Administration, specifically its Office of Information Programs and Services, is responsible for “records management” overall, “including providing guidance on the preservation of records for the Department.”
According to the report, they should be making sure workers are preserving official emails. Presumably, they could have pressured an official such as Clinton to move to the government email system to help facilitate that kind of record preservation.
But the State Department did not respond to requests for comment from FoxNews.com on which agency would have been responsible. And Kennedy told FoxNews.com the lines of responsibility simply aren't clear.
“It seems like there’s a major disconnect on who the actual owner is,” he said.
Kennedy added that in any organization, including the federal government, the IT organization ensures enforcement of email policy but warned, “in this case, it doesn’t appear there’s any clear owner and that’s alarming.”
According to one report, in Al Jazeera America, department technology experts did voice concerns about Clinton's email habits, but those concerns never resulted in any changes.
The Bureau of Information Resource Management, for one, has faced critical audits and internal reviews for years.
A scathing 2012 report from the State Department’s inspector general said the “lead office” for cybersecurity is so dysfunctional, sloppy and technologically out-of-date that it “wastes personnel resources” and forces other departments to pick up their cyber slack.
The employees often don’t know what they are supposed to do, the department lacks a mission statement and those put in charge barely bother to show up to work, the report said.
“This report reads like a what-not-to-do list from every policy, program and contracting perspective,” Scott Amey, general counsel for the Project on Government Oversight, told Mother Jones in 2013, citing concerns about foreign entities hacking into U.S. government systems.
A 2014 follow-up to the IG report showed little had been done to fix the long list of problems plaguing State’s cybersecurity squad. The IG warned that State was still riddled with security gaps and didn’t seem to have a viable plan to fix it.
The bureau’s top official, William Lay, reports to the department’s chief information security officer (CISO), who reports to State’s Chief Information Officer Steven C. Taylor.
Prior to joining the State Department, Lay served as director of information technology for the Office of Assistant Chief of Staff for Installation Management as the chief information officer. Over the past three decades, he was worked for the Departments of Energy and Commerce, the Federal Communications Commission and the Minerals Management Service, according to his official State Department biography.
Taylor is directly responsible for the Information Resource Management Bureau’s budget of $750 million, and oversees the State Department’s total IT budget of about $1 billion. Taylor has also served as State’s deputy chief information officer and chief technology officer of operations from June 2011.
While Lay has absorbed much of the blame for the unit’s past issues, reports show most of the problems predate him. Lay’s predecessor, John Streufert, who worked in the office between February 2008 and January 2012, has also been accused of failing to address basic issues like operating a bureau without a mission statement and lacking accreditation.
John Isaza, a partner at law firm Rimon, P.C. which deals with information security, also blames technology for the missteps at State.
“What I mean is that the adoption of technology has far outpaced the ability of all organizations to keep up with them, including the State Department or any others in the government or private sector,” he told FoxNews.com. “Consumers and customers demand the immediacy facilitated by technology, so people, processes and procedures take a back seat in favor of adoption.”
But the blows for State keep on coming.
On Wednesday, the separate inspector general report said that when Clinton was secretary of state in 2011, department employees wrote more than 1 billion emails. Yet of those, just 61,156 were marked for public record and preserved. The report also says State Department employees don’t know the rules for what emails should be kept for the records. Others deleted emails on purpose, apparently afraid of the fallout if their emails were stamped as public records and therefore easily searched and exposed.
There’s another check in place for record-keeping, though it’s unclear whether this was followed.
Shannen Coffin, a senior Justice Department lawyer under the George W. Bush administration, told Fox News' "The Kelly File" the rules call for departing officials to let records officials check through their files when they leave – not two years later, as was done here.
Isaza says State can get back on track and suggests it continues to conduct random audits as part of its system checks and balances to ensure compliance and that processes and technology “are behaving as expected.”
Fox News' George Russell and The Associated Press contributed to this report.