Hillary Clinton Found at Fault Over Email Security in Audit

An independent audit by the Inspector General has found that presidential hopeful Hillary Clinton and her team ignored “clear guidance” from the State Department about email security while she was Secretary of State.

Auditors found that Clinton, who served as the United States’ top diplomat from 2009 to 2013 under President Obama, broke with federal standards and left sensitive material potentially vulnerable to hackers. In fact, Clinton was forced off email in 2011 for a time due to hacking attempts, although she insists nothing was breached.

At issue is her use of an unapproved personal email account to conduct governmental business—an account that the IG found was not brought under the purview of the department’s internal security framework. The 78-page analysis, a copy of which was obtained by the AP, also said that Clinton never demonstrated that the server or the Blackberry she used while in office "met minimum information security requirements."

“It's well known that the most sophisticated cyber-criminals target people, not machines, which makes it all the more crucial that organizations educate their users as a first line of defense,” said Matthew Ravden, CMO and vice president at Balabit, via email. “This is a very good example of the worst possible practice, not only highlighting the problems of 'bring your own device' but 'bring your own server' as well.”

A Clinton spokesperson said that her practices were in line with those of her predecessors, including Republican Colin Powell, who exclusively used a private email account.

"The inspector general documents just how consistent her email practices were with those of other secretaries and senior officials at the State Department who also used personal email," Clinton campaign spokesman Brian Fallon told the Associated Press. "Her use of personal email was known to officials within the department during her tenure, and that there is no evidence of any successful breach of the secretary's server."

Twice in 2010, information management staff at the State Department raised concerns that Clinton's email practices failed to meet federal records-keeping requirements. The staff's director responded that Clinton's personal email system had been reviewed and approved by legal staff—but that’s a claim for which the IG found no evidence.

The report noted that while the State Department has historically been "slow to recognize and to manage effectively the legal requirements and cybersecurity risks associated with electronic data communications,” Clinton’s practices during her tenure were nonetheless found to be at fault.

"By Secretary Clinton's tenure, the department's guidance was considerably more detailed and more sophisticated," the report concluded. "Secretary Clinton's cybersecurity practices accordingly must be evaluated in light of these more comprehensive directives."

Craig Kensek, security expert at Lastline, told Infosecurity that it’s unlikely that Clinton and her staff misunderstood what their responsibilities were.

“For people with a law degree, there is a vast difference between ‘guideline’ and ‘mandatory guideline’ (call it a requirement),” he said. “‘Mandatory’ should have been the order of the day, years ago. I can see encrypting emails—both on the server and in transit—becoming a requirement in certain sectors of the government. Meanwhile there are numerous stories in the press about this particular server being hacked.”
