More than extreme carelessness, a willful and systemic disregard for required security practice

In light of the FBI’s pronouncement on Hillary Clinton’s email use, presidential email expert David Gewirtz examines recently released government documents that reveal Clinton’s pattern of negligence.

This week marked one of the more unprecedented acts in what has already been a highly unusual campaign season: the director of the FBI provided a detailed assessment of Hillary Clinton’s behavior with regard to email management.

Unfortunately, while Director James B. Comey’s statement about Secretary Clinton was both a relief to her campaign and damning with regard to her security practices, it was ultimately incomplete.

In this article, we’ll take a much deeper dive and look at the specifics of how Secretary Clinton and her staff mismanaged secure information and thereby created a substantial and worrisome security risk for the United States.

This article specifically focuses on security issues with regard to Secretary Clinton’s State Department. It does not look at the records management component of our investigation. For that, please read my previous article, Investigating Hillary Clinton: Which secretaries of state violated the Federal Records Act?

In this article, I will provide details behind the following eight troubling observations:

  1. Secretary Clinton’s staff was aware of State Department policy regarding private devices and servers
  2. Concerns were presented about the Secretary’s disregard of this policy and were dismissed with instructions never to speak of them again
  3. A memo concerning security risks of using private email was sent to State Department staffers under Secretary Clinton’s own signature
  4. There were multiple instances of known attempts to attack Clinton’s private server
  5. Mrs. Clinton herself demonstrated awareness of the security risks of email through her concern over bad links and phishing attacks
  6. The use of a private email account was problematic not only for security reasons but because messages were being sent to spam
  7. The priority was masking Secretary Clinton’s identity rather than solving the messaging or security issues
  8. Known security problems were never reported to Departmental security personnel

Buckle up. This is going to be a rocky ride.

Sidebar: Read my personal disclosure statement

Ground rules

As discussed in my previous Investigating Hillary Clinton article, there are some ground rules I abide by when I conduct investigations into the practices of officials at the highest levels of the U.S. government. In particular, I rely on declassified or unclassified government statements and documents only.

While these are not necessarily “primary sources,” as might be defined in an academic project, they are often as close as it’s possible to get during what the government calls an “open source” (as in not classified) investigation.

In this article, I will be discussing elements of Director Comey’s statement, along with a detailed investigation report from the US Department of State (USDOS).

Ironically, it appears that Secretary Clinton’s insistence on the use of her personal email system had an unintended consequence: much of her email to State Department staff wound up in their spam bins.

Both of these sources cite additional internal investigations and reports, most of which have not been made public. Even so, the aggregate statements made by the FBI and USDOS investigators can be considered “official,” because they are statements by authorized members of government agencies. They represent each agency’s formal findings.

Many of you have contacted me with concerns that I did not cite specific news articles, which may or may not have had more inflammatory information. That is intentional. When doing this level of investigation — one intended to stand up to the test of time — it’s critical that hearsay, rumors, and innuendo be filtered out of the process in the quest for a baseline of factual information.

As is always the case with any documents, official or otherwise, what was said or published most likely only scratches the surface. Even so, the information we have available to us via open and declassified information is enough to give us a detailed perspective that, in this case, is damning enough as it is.

Finally, while the political implications of these investigations are fascinating, I will not be discussing those implications in this article. This article is intended solely to provide investigatory disclosure, not political prognostication.

Sidebar: See my source materials

State Department policies during Clinton’s tenure

Hillary Clinton became the 67th US Secretary of State on January 21, 2009 and left office on February 1, 2013.

As such, any policies that were in place prior to her entering office in 2009 apply to Hillary Clinton and her staff, while policies enacted after February 2013 do not.

This is important, because there have been some discussions about messages retroactively classified, and about government programs like the Capstone Approach, which was introduced in August of 2013, seven months after Mrs. Clinton left office.

Some of the media reports cite these issues, but it’s relatively obvious that, absent an available time machine, guidelines enacted after the Secretary left office should not be used to pass judgement over her behavior while in office.

The State Department’s Office of Inspector General (OIG) cites two organizations within the Department of State that manage information security: the Bureau of Information Resource Management (IRM) and the Bureau of Diplomatic Security (DS). When the OIG conducted its investigation into the Clinton period at State, investigators spoke to IRM and DS officials, and determined that during Clinton’s tenure:

Department employees must use agency-authorized information systems to conduct normal day-to-day operations because the use of non-Departmental systems creates significant security risks.

The OIG report goes on to say:

Among the risks is the targeting and penetration of the personal email accounts of Department employees, which was brought to the attention of most senior officials of the Department as early as 2011.

Not only was Mrs. Clinton the serving Secretary of State in 2011, the 11 STATE 65111 document cited in the OIG report is listed as from “SECSTATE WASHDC.” In other words, it was sent to State employees under Secretary Clinton’s signature.

Over the years, policies at State got more rigorous and sophisticated, but as early as 2005, the Foreign Affairs Manual (FAM) required use of authorized information systems. In 2008, the FAM was updated to allow the use of “privately owned computers only with DS and IRM approval.”

The OIG report therefore clearly confirmed that the use of private computers, which they describe as “computers, mobile devices, Internet connections and personal email,” was not permitted without prior approval. Since that policy was in place when Mrs. Clinton arrived at State, she was subject to its requirements.

Source: Investigating Hillary Clinton: More than extreme carelessness, a willful and systemic disregard for required security practice | ZDNet