Hillary Mail – Unanswered Questions
By Mark Rasch
In the Oscar nominated movie “Whiplash,” J.K. Simmons' character, music teacher Terence Fletcher says, “There are no two words in the English language more harmful than "good job."" I think that at her press conference on March 10, former Secretary of State Hillary Clinton found two more harmful words. “It’s secure.”
For those who have been under a rock, during her tenure as Secretary of State, Hillary Clinton noted that she never used a government e-mail address (at state.gov) but rather used a personal email account (atclintonemail.com) maintained on a home-brew domain she kept at the family residence in Chappaqua, New York. The home-brew network has apparently already been established for the Secretary’s husband, former President Bill Clinton.
In the press conference at the United Nations, Clinton noted that the server "had numerous safeguards. It was on property guarded by the Secret Service and there were no security breaches." She also noted that "I did not email any classified materials to anyone."
Of course, these answers raise more questions than they answer.
Like, um.. WHO set up the server? I can’t imagine Hillary (or Bill for that matter) stringing CAT-6 and setting port setting on a firewall. If the server “had numerous safeguards” what were they? Did it have NIST and ISO (and FISMA?) compliant layered security? What OS was it running?
It’s not that the server could not have been secure – or that it could not have been secured. It could have been. Indeed, it could have been very secure. It could have been MORE secure than your average .gov domain. But that takes knowledge, sophistication, persistence, resources and dedication. Just ask any CISO. Who was doing patch management, threat intelligence, etc.? Saying that the domain had “numerous safeguards” means nothing. Hell, my open WiFi network has “numerous safeguards” including the fact that few people know that my WiFi network is open. Oops. Numerous safeguards are not the same thing as effective safeguards, proper safeguards, or the right safeguards.
This is important even if the Secretary of State didn’t use the domain for classified information. You have to assume that much of what was sent over the network constituted at least Sensitive But Unclassified (SBU) information. You also have to assume that the account was the constant target of attacks. Politically motivated attacks. Hacker attacks. Hactivist attacks. State-sponsored attacks. The information sent over her network was exactly the kind of information foreign governments would want to have access to. So “ordinary” security wouldn’t be good enough.
This is especially true in light of the fact that even the State Department’s security was inadequate to the task. An OMB (Office of Management and Budget) report issued in February showed glaring deficiencies in even the State Department’s compliance with goals (e.g., 0% progress toward strong authentication goals) and noting that “Agencies which have the weakest authentication profile allow the majority of unprivileged users to log on with user ID and password alone, which makes unauthorized network access more likely as passwords are much easier to steal through either malicious software or social engineering.
The following 16 agencies fall into this category: State, Labor, HUD, OPM, NRC, SBA, NSF, USAID, USDA, Energy, DOT, Interior, VA, Justice, Treasury, and NASA.” According to its own Inspector General, the Department of State’s overall compliance with security guidelines (for things like Continuous monitoring management; Configuration management; Identity and access management; Incident response and reporting; Risk management; Security training; Plans of action and milestones (POA&M); Remote access management; Contingency planning; Contractor systems; and Security capital planning) dropped from 53% in FY 2012 to 51% in FY 2013 to 42% in FY 2014. And that’s with a full time staff of IT Security professionals. Not sure what is going on in Chappaqua. Maybe she hired Ossining Computer Repair & Service in the next town over. Layered security is only as good as the layers themselves.
On property guarded by the Secret Service
Secretary State Clinton next observes that the network and home-brew domain was safe, partially because “It was on property guarded by the Secret Service…” OK. I had to suppress a guffaw here. This belongs on the former SNL Weekend Update Segment “Really?”
Sure, Secret Service protection can prevent a physical intrusion to a device, but that has got to be the least common way of compromising a network. In fact, even a physical intrusion to the device could be accomplished by swapping out cables at the office supply store in Thornwood, NY for cables that had corrupted chips installed in them, or by selling corrupted routers at the Staples in Elmsford. “Physical” access is not required. In fact, if the domain or server had WiFi access, a simple parabolic dish or even a decent Pringles can could be used to receive the signal. Even Paul Blart wouldn’t notice. Oh, and let’s face it, the USSS hasn’t enjoyed the best reputation for repelling attacks lately. So the observation that the Chappaqua location was physically secure is, at best, a non-sequitur.
There Were No Security Breaches
As Amy Poehler would say to Jimmy Fallon, “Really?” “Really?” And how exactly would we know that? Several years ago I conducted a security assessment of a major manufacturer in the Midwest. I asked them how many penetrations or attempted penetrations they had observed in the past 3 months, and the CISO said that there had been none. Zero. Zip. Zilch. Pretty ‘freakin’ awesome. Then I asked what kind of logging they were doing, and you already know the answer. So as I went to the parking lot to jot down vanity license plate numbers for social engineering passwords (H00s13r!) I came back to pages and pages of attempted penetrations. When someone says “there were no security breaches” at best they are saying “I haven’t noticed any.” Absence of evidence is not evidence of absence.
In order to have any reasonable assurance that there were no breaches, one would have to have continuous monitoring (at all possible points of entry or subversion), logging, strong access controls, patch management, IDS, IPS, and all the things you would expect from a mature information security program. Not on in the broom closet in Westchester County. And even then, you likely would not detect the sophisticated nation-state attacks, which, by their nature are designed to be stealthy, surreptitious, and hard to detect. Just ask the boys (and girls) at Fort Meade. And it’s not like the State Department isn’t subject to breaches. Can anyone say Bradley (or Chelsea) Manning?
Also, if the breaches were “man in the middle” or “man on the side” attacks, or corrupted certificates, or occurred on the servers where the other party was located, this would not have been detected at the client side.
The only way to be assured there was no breach is to have no server. The only way to win is not to play at all.
Clinton followed up her press conference by releasing a “FAQ” document. In that document, she noted:
What level of encryption was employed? Who was the service provider, etc.?
The security and integrity of her family’s electronic communications was taken seriously from the onset when it was first set up for President Clinton’s team. While the curiosity in the specifics of this set up is understandable, given what people with ill-intentions can do with such information in this day and age, there are concerns about broadcasting specific technical details about past and current practices. However, suffice it to say, robust protections were put in place and additional upgrades and techniques employed over time as they became available, including consulting and employing third party experts.
Hmm.. a mix of “security through obscurity” and “we had experts.” Again, while the details of the encryption previously used might not be appropriate for public dissemination, the State Department CISO and/or OIG should at a minimum review it. In fact, this should have probably been done BEFORE the domain was used. Devil = details.
Wait, No Classified Information on the Email?
Secretary Clinton also reiterated the fact that she never used her personal email account for classified information. Whew. That’s a relief. But since she had NO OTHER account, that raises the question about how she consumed classified information that she would have inevitably needed for her job. According to her FAQ:
Was classified material sent or received by Secretary Clinton on this email address?
No. A separate, closed system was used by the Department for the sole purpose of handling classified communications which was designed to prevent such information from being transmitted anywhere other than within that system, including to outside email accounts.
How did Secretary Clinton receive and consume classified information?
The Secretary’s office is located in a secure area. The Secretary while in the office viewed classified information in hard copy. While on travel, the Department had rigorous protocols for her and traveling staff to receive and transmit information of all types.
OK.. curious. Even if there was a “separate, closed system” for classified information, the information directed to the Secretary of State would have had to have been directed to a particular address, right? But she had no such address. So classified communications directed at the Secretary of State would have had to have been directed to someone, who would have had to provide them to the Secretary of State, right?
Oh, and when she says “the Secretary’s office is located in a secure area” I assume she is referring to the office in Foggy Bottom, not the one in Chappaqua (although they likely are both secure, and might both meet the requirements of a Secure Classified Information Facility (SCIF). The fact that classified information was “viewed in hard copy” meant that someone else received classified information on behalf of the Secretary of State and then printed it out and handed it to her.
Kinda defeats the purpose of electronic communications, no?
“It’s 3 AM and your children are safe and asleep” said the Clinton 2008 Presidential ad. “Something is happening in the world. But there’s a server at the Secretary of State’s Office… now a staffer must be found to access that server, read the communications, print them out, and find the Secretary of State to hand her a copy of the communication… by 7:30 or so, someone has gotten the Secretary a copy of the document.”
But before Members of Congress particularly get too sanctimonious about this, remember that Senators Graham, Schumer, Hatch, McCain, Carper and others use no email at all. Hey. Welcome to the 21st Century, guys.
Look. Everything that was done here may have been perfectly legal. It may have been perfectly (well, there’s not such thing as perfectly, but reasonably) secure. All official communications may have been turned over to the State Department, and the deleted records may have all been personal “Yoga” communications that were not required to be kept. But what we probably learned is that the actual two most harmful words in the English language are, “trust me.” Trust me.