State Department ducks security questions about Clinton emails

09.03.2015
A week before former Secretary of State Hillary Clinton was sworn into office in January 2009, clintonemail.com was registered as domain. It became Clinton's principal email address as secretary of state, and its use was known by U.S. officials.

What isn't known is whether the IT staff at the State Department reviewed Clinton's email system, participated or advised her in setting it up, checked it for security or otherwise monitored it.

Government officials have been peppered this week at press briefings about government IT involvement in Clinton's email system. The answers have been wholly unsatisfying, and remained so at a State Department briefing Friday afternoon.

When asked whether the department's IT operation looked at Clinton's email operation, as well the devices she conducted business on, Marie Harf, a State Department spokesperson, repeatedly said: "I just don't have details for you on that."

Harf, who acknowledged that she has been asked IT questions for the last three days and appeared frustrated by the ongoing queries, made no promise that any information would be forthcoming.

The only IT insights Harf did acknowledge -- at an earlier briefing this week -- is that the department has "no indication" that Clinton's email account "was compromised or hacked in any way." But she didn't said when or how that was determined.

Josh Earnest, White House press secretary, at a separate briefing, suggested that Clinton's approach may have made her less of a target. "I could imagine a scenario where you would say that a smaller network is less likely to attract the attention of hackers or others who might want to do harm," he said.

There's some truth to that. Risk is a combination of threat actor, or the outsider or insider, the vulnerability and potential damage, said Alan Paller, director of research at the SANS Institute. "Since threat actor and potential damage are the same whether it is State Department or her own system, the key question is which is more vulnerable," he said.

In this case, the State Department "is probably more vulnerable because of all the potential entry points, because of weak security skills of their IT staff." Locating a private email system with only a single entry point would be a harder task, he said.

The State Department. has said there was nothing prohibiting Clinton from using private email, provided the records were retained. But Clinton, who has turned over 55,000 pages of records, appeared to use a private email account almost exclusively.

If State Department officials are suggesting that it's ok for an employee to use a private email account to routinely conduct official business, that position is well outside the practice of other federal agencies.

(www.computerworld.com)

Patrick Thibodeau

Zur Startseite