Clinton e-Mail Scandal: Who Cares?

In March 2015, the American public first heard about Hillary Clinton and a personal email account possibly used for government work. The story quickly unraveled, and it is still in the headlines one year later. Mrs. Clinton, while serving from 2009-2013 as the US Secretary of State, used a personal email address to conduct government business. Not only that, the server was physically located in her home, hosting her domain clintonemail.com. The discovery came during a House committee investigation of the 2012 attack on the US Consulate in Benghazi, Libya. Islamist militants organized that attack, killing Ambassador J. Christopher Stevens and three more Americans. There is no shortage of opinions on the matter, and they are usually partisan. Politics aside, why are her tens of thousands of “private” emails a big deal? Who cares what kind of email address she used and where her server was located?

Set aside the fact that the private email account may have violated several federal policies concerning how communications may be conducted. Executive Order 13526 and US Code 793 regulate how classified national security information is disclosed and transmitted. According to US Code 798, “the term ‘classified information’ means information which…is, for reasons of national security, specifically designated by a United States Government Agency for limited or restricted dissemination or distribution.” It turns out that Clinton’s communications contained confidential, top secret, and sensitive compartmented information (SCI), as well as top secret information that included even more sensitive “special access program” (SAP) material. The National Archives and Records Administration requires that any emails, even personal ones, be sent to them for preservation. Also, the Freedom of Information Act requires all federal agencies to disclose information upon request, with only a few exemptions. When reporters made FOIA requests, the State Department could not fulfill them. There were no emails…on the State Department servers. In fact, the former Secretary of State never requested an official State Department email account.

Security Controls Bypassed

From a security professional’s perspective, Clinton’s use of a non-government address, and especially of a private email server, is a huge deal. The United States Government, just like most businesses and employers, has security measures in place for email, laptops, computers, and other devices. Clinton completely bypassed any and all of those measures by using a private account. Additionally, because she ran her own server, she lacked even the spam filtering, antivirus and patching that consumer services like Google Gmail or Yahoo! Mail would have provided.

Twenty critical security controls were developed by SANS (the SysAdmin, Audit, Network, Security Institute) in collaboration with hundreds of other groups, including the Department of Defense, civilian federal agencies and cybersecurity experts. These controls include secure configurations for network devices like routers and firewalls, continuous vulnerability assessment and remediation, malware defenses, and account monitoring and control. The only security control known to apply to Clinton’s server was the physical-access protection the Secret Service would have provided for her residence.

Clinton’s domain, clintonemail.com, was registered with Network Solutions, a private domain registrar. If a hacker or foreign intelligence service got into Network Solutions, the clintonemail.com domain would be all theirs as well. If that seems far-fetched, consider that during one of Clinton’s years as Secretary of State, hundreds of Network Solutions domains were hacked.

Hacking Happens

A young hacker, purported to be a college student in Tennessee, gained access to Alaska Governor and US Vice Presidential candidate Sarah Palin’s email in 2008. According to Wired magazine, the hack didn’t require as much skill as it did a few Google searches. He simply found her email address, gov.palin@yahoo.com, and requested that Yahoo reset her password. To get past the security questions, the hacker says he spent 45 minutes on Wikipedia and Google to find Palin’s birthdate, zip code (there are only two in Alaska), and where she met her spouse. He read all of her emails, looked at photos, and posted his accomplishments to a forum called 4chan, which has been associated with the activist group Anonymous.

Who cares?

Politics and presidential aspirations notwithstanding, going around an employer’s policies and conducting business on a personal email account and/or server is not a good idea. Whether you are communicating trade secrets or government secrets, the data can be left dangerously exposed once it is outside the protection of security controls. Some security experts are questioning the capabilities of the firms Clinton hired as service providers. One, which she contracted to back up her emails to the cloud, most likely lacked the extra security needed to protect highly sensitive data. The Cloud Security Alliance (CSA) reports that insufficient due diligence, meaning rushing to use the cloud without a full understanding of its potential and its threats, is one of the top cloud security threats.
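The practical lesson of this section is that work correspondence carried on an unsanctioned account or server escapes the employer’s controls and can carry restricted data with it. The following added example, which is not part of the original post, shows the kind of check a mail-security or DLP team could run over message metadata to surface exactly that: it flags any message with a party outside the organisation’s managed mail domains, and escalates when the message also carries a restricted classification marking. The domain `state.example.gov`, the marking list and the sample messages are all constructed for illustration.

```python
"""Flag work correspondence that leaves the organisation's managed mail boundary.

Constructed example: the sanctioned domain, the marking list and the sample
messages below are made up for illustration and are not from the original post.
"""
from dataclasses import dataclass, field

# Assumed: the only mail domains covered by the organisation's security controls.
SANCTIONED_DOMAINS = {"state.example.gov"}

# Assumed: classification markings that must never leave a managed mail system.
RESTRICTED_MARKINGS = {"CONFIDENTIAL", "SECRET", "TOP SECRET", "SCI", "SAP"}


@dataclass
class Message:
    """Minimal metadata record for one message (constructed, not a real log format)."""
    sender: str
    recipients: list = field(default_factory=list)
    subject: str = ""
    marking: str = ""  # e.g. "SECRET"; empty string means unmarked


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def unsanctioned_parties(msg: Message) -> list:
    """Return every sender or recipient address whose domain is not sanctioned."""
    parties = [msg.sender, *msg.recipients]
    return [a for a in parties if domain_of(a) not in SANCTIONED_DOMAINS]


def evaluate(msg: Message) -> list:
    """Return a list of finding strings for one message (empty when it is clean)."""
    findings = []
    outside = unsanctioned_parties(msg)
    if outside:
        # Business mail touching an unmanaged account bypasses spam, malware,
        # patching, retention and FOIA controls that only cover sanctioned domains.
        findings.append("policy-bypass: " + ", ".join(outside))
    if outside and msg.marking.upper() in RESTRICTED_MARKINGS:
        # Restricted data on an unmanaged path is the more serious condition.
        findings.append(f"restricted-data-exposure: {msg.marking} marking")
    return findings


def audit(messages) -> dict:
    """Map each subject with findings to its list of findings; clean mail is omitted."""
    result = {}
    for m in messages:
        findings = evaluate(m)
        if findings:
            result[m.subject] = findings
    return result


# Constructed sample traffic: one clean internal message, one business message
# sent from a personal server with a restricted marking, one outbound personal note.
SAMPLE_LOG = [
    Message("secretary@state.example.gov", ["aide@state.example.gov"], "Weekly schedule"),
    Message("boss@personal-server.example.com", ["aide@state.example.gov"],
            "Re: travel cable", marking="SECRET"),
    Message("aide@state.example.gov", ["contact@webmail.example"], "Dinner plans"),
]


if __name__ == "__main__":
    for subject, findings in audit(SAMPLE_LOG).items():
        print(subject)
        for f in findings:
            print("   ", f)
```

Running the module prints two flagged subjects: the personal-server message gets both a policy-bypass and a restricted-data-exposure finding, while the internal schedule mail produces nothing. In a real deployment the `Message` records would be built from the mail gateway’s logs and the sanctioned domain set from the organisation’s own directory, which this example stands in for with constructed values.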

Summary

While the legal and political implications of former Secretary of State Hillary Clinton’s personal email and server play out, information security professionals point to the issue as an example of poor practice when it comes to keeping data safe. Clinton used her own server and domain for all professional correspondence while in office from 2009-2013. By bypassing all of the security measures the Federal Government has in place on its servers, Clinton opened herself up to sharing top secret and special access program data with prying eyes.

CIPP/US and CIPT Exam Preparation

In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, Certified Information Privacy Professional in US Government (CIPP/G), or the Certified Information Privacy Technologist (CIPT) exam, a privacy professional should be comfortable with topics related to this post, including:

CIPP/US:

  • Data Classification (I.C.a.)
  • Data Retention and Disposal (I.C.f.)
  • Vendor Management (I.C.e.)

CIPP/G:

  • The Freedom of Information Act of 1974 (I.C.c.)

CIPT:

  • Foundational Elements for Embedding Privacy in IT (I.A.c.e.h.j.k.)
  • Common Privacy Principles (II.C.e.g.h.)
