As you may have heard in the news recently, former Secretary of State Hillary Clinton did not use an official US government email address on a .gov domain at any point during her tenure as Secretary, and instead used a ClintonEmail.com personal address exclusively for all State Department-related correspondence. Reports suggest that her email account was hosted on a server that was not under government control and was instead located at her private residence in New York. Clinton said that the server and email system, originally set up for former President Bill Clinton’s office, had “numerous safeguards”, but she did not describe the security measures in place beyond noting that the server was physically protected by the Secret Service. According to the security research firm Venafi, the server also lacked a digital (TLS) certificate for her first three months as Secretary of State, which means that traffic to and from it could not have been encrypted in transit during that period. Political scandal aside, the so-called “emailgate” controversy raises a number of cybersecurity issues that we should be thinking about.
One of the biggest takeaways from this case is that our leaders have a responsibility to understand and develop good cyber policy and to secure the country’s most valuable and sensitive information. This means that politicians at the highest levels need a basic understanding of cybersecurity, and, critically, that we cannot let important cybersecurity lessons get lost in a political turf war.
The story about Clinton’s use of a private email account matters for three reasons:
- The Secretary of State, as a Cabinet-level official, is one of the most prominent targets of foreign espionage efforts. The President, the Secretary of Defense, the head of the CIA, and other top leaders in the public and private sectors alike belong to this top tier of potential targets. These individuals handle some of the most important and most sensitive, and therefore most alluring, information in the country. Foreign governments and other hostile actors are certain to be interested in obtaining it.
- Nation-state threat actors sit at the top of the food chain among cybersecurity adversaries. Nation-states and highly organized criminal groups can bring the most talent and resources to bear, so you need your best people to thwart their attacks. It should go without saying that a private email server set up in someone’s home, even if that someone is the Secretary of State, is unlikely to be as well defended as official US government systems.
- Put points #1 and #2 together and you have a situation where very high-value targets face the most advanced and sophisticated offensive capabilities in existence. In other words, the best of the best are gunning for those people and their information.
Clinton’s assertion that her server was never penetrated and her emails never compromised cannot be proven with certainty, least of all by a politician who is not a cybersecurity or IT expert. It took Target Corporation months to discover that it had been breached in 2013. The same was true of Home Depot, Sony, and many other companies that suffered data breaches in 2014. Even a financial institution the size of JP Morgan, which spends over $250 million a year on cybersecurity and plans to double that figure, was recently breached. These organizations employ legions of cybersecurity professionals who patch systems, deploy anti-virus, and remediate attacks, and they were still breached. If they can be compromised, so can a private email server. And other questions remain: how was the server configured and secured? Who was administering and monitoring it? Is there any evidence that it was compromised? Bear in mind that the absence of such evidence is hard to establish: a careful intruder leaves few traces, and logs have to exist, be retained, and actually be reviewed before they can show anything at all. And if it was compromised, what information was on it and what could have been exfiltrated?
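To make the "is there any evidence?" question concrete, the following is an added example (it is not code from the original post, and nothing about the actual server is known to the author) showing the kind of cheap check an administrator could run over a mail server's IMAP login log. It parses constructed Dovecot-style `imap-login` lines (the line format is an approximation and an assumption here; the host name, user, sessions and addresses are invented, with IPs drawn from the documentation ranges) and flags three indicators: a burst of authentication failures from one address, a successful login from that same address after the burst, and logins made without TLS, which ties back to the missing certificate mentioned above.

```python
import re
from collections import defaultdict

# Constructed Dovecot-style imap-login lines (assumption: the format below
# approximates real dovecot output; host, user, sessions and addresses are
# invented, with IPs drawn from the documentation ranges 198.51.100.0/24
# and 203.0.113.0/24). One unrelated postfix line shows that non-matching
# lines are skipped rather than misparsed.
SAMPLE_LOG = """\
Mar 10 08:00:01 mail postfix/smtpd[4101]: connect from unknown[203.0.113.9]
Mar 10 08:01:12 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, TLS, session=<s01>
Mar 10 08:02:40 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, TLS, session=<s02>
Mar 10 08:02:43 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, TLS, session=<s03>
Mar 10 08:02:47 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, TLS, session=<s04>
Mar 10 08:02:50 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, TLS, session=<s05>
Mar 10 08:02:54 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, TLS, session=<s06>
Mar 10 08:03:10 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, TLS, session=<s07>
Mar 10 09:15:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, session=<s08>
"""

# Matches the two imap-login events we care about: a successful "Login" and a
# "Disconnected (auth failed ...)" line. The optional ", TLS" token records
# whether the session was encrypted.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>, "
    r"method=\w+, rip=(?P<rip>[\d.]+), lip=[\d.]+(?P<tls>, TLS)?, session=<[^>]*>$"
)


def parse_events(log_text):
    """Turn imap-login lines into dicts; lines the regex does not model are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": m.group("ts"),
            "user": m.group("user"),
            "rip": m.group("rip"),                    # remote (client) IP
            "success": m.group("event") == "Login",
            "tls": m.group("tls") is not None,
        })
    return events


def find_indicators(events, fail_threshold=5):
    """Return (kind, rip, user, ts) tuples for three cheap compromise indicators."""
    failures = defaultdict(int)          # (rip, user) -> consecutive auth failures
    findings = []
    for e in events:
        key = (e["rip"], e["user"])
        if not e["success"]:
            failures[key] += 1
            if failures[key] == fail_threshold:      # alert once per burst, not per attempt
                findings.append(("password_guessing", e["rip"], e["user"], e["ts"]))
            continue
        if failures[key] >= fail_threshold:
            # A guessing burst that ends in a valid login is the strongest signal here.
            findings.append(("login_after_guessing", e["rip"], e["user"], e["ts"]))
        failures[key] = 0                            # a success closes the burst
        if not e["tls"]:
            # Password and mailbox contents crossed the wire in the clear.
            findings.append(("plaintext_login", e["rip"], e["user"], e["ts"]))
    return findings


def summarize(log_text=SAMPLE_LOG):
    """Just the indicator kinds, in the order they fire, for the given log text."""
    return [f[0] for f in find_indicators(parse_events(log_text))]


if __name__ == "__main__":
    for kind, rip, user, ts in find_indicators(parse_events(SAMPLE_LOG)):
        print(f"{ts}  {kind:<22} rip={rip} user={user}")
```

On the constructed log this reports a password-guessing burst from 203.0.113.5, a successful login from that same address immediately afterwards, and an unencrypted login from 198.51.100.7. The caveat is the important part: an adversary who already holds a valid password (phished, or read off an unencrypted session) and logs in from an unremarkable address trips none of these rules, and if logging was never enabled or retained there is nothing to run the check over. "No evidence of compromise" is therefore only as strong as the logging and review behind it.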
Regardless of political affiliation, this case demonstrates how a single decision, to use a private email system instead of a government one, can violate security best practices and possibly the State Department’s own security policy (assuming it had a clear policy on this point). In the wake of the emailgate scandal, we ought to ask whether this incident is limited to a single individual or whether it reflects a systemic problem whereby senior government officials communicate sensitive.
Hillary Clinton Used Personal Email Account at State Dept., Possibly Breaking Rules | The New York Times