Experts: Clinton email practices risked data disclosures
Hillary Rodham Clinton's use of a private email address and private computer server for official State Department business heightened security risks to her communications, such as the inadvertent disclosure of sensitive information and the danger from hackers, several information security experts said.
The revelation that Clinton relied exclusively on a private email account for routine exchanges during her four-year stint as secretary of state also raises questions about whether the agency or anyone else in government examined Clinton's private email server and network before it began operating and continued to regularly review it during her tenure. Federal regulations subject the computer systems of some federal contractors and other organizations to federal oversight when they interact with government systems to ensure they are protected.
On Wednesday, a House committee investigating the attacks in Benghazi, Libya, issued subpoenas for emails from Clinton and others related to Libya. The Republican-led Select Committee on Benghazi also instructed technology companies it did not identify to preserve any relevant documents in their possession.
For a second day, Washington seemed preoccupied with Clinton's email practices, which gave Clinton—who is expected to run for president in the 2016 campaign—significant control over limiting access to her message archives. But they also complicated the State Department's legal responsibilities in finding and turning over official emails in response to any investigations, lawsuits or public records requests.
Late Wednesday, Clinton urged the State Department to release the emails she wrote from her private account. "I want the public to see my email. I asked State to release them. They said they will review them for release as soon as possible," she said on Twitter.
State Department spokeswoman Marie Harf said in response to Clinton's tweet that the department will review for release the emails Clinton provided. Harf said the department will conduct the review as quickly as possible, but said it could take some time to review, given the sheer volume of emails.
Clinton's extensive use of her private account for at least 55,000 emails made it likely that in at least some exchanges, references were made to either classified or sensitive information, said J. William Leonard, who held high-ranking information security posts with the Defense Department and the National Archives.
"I would be exceedingly surprised if there were not situations where at the very least classified or sensitive information was inadvertently released just by the nature of her position and the nature of information that is routinely discussed," said Leonard, who under President George W. Bush was director of the Information Security Oversight Office, which oversees the government-wide security classification system.
Both Clinton's current spokesman and a spokeswoman for the State Department said Clinton's emails contained only unclassified exchanges. State Department spokeswoman Marie Harf said Clinton as Cabinet secretary never used a government email account on the agency's separate network for sharing classified information, which Clinton would have been prohibited from forwarding to her private email account.
"She had other ways of communicating through classified email through her assistants or her staff, with people, when she needed to use a classified setting," Harf said.
On Wednesday, White House spokesman Josh Earnest said, "It's hard for me to assess what sort of vulnerability may have been created by the establishment of a separate network."
The most likely security risk in Clinton's emails was the possibility of what the intelligence community calls "spillage," the inadvertent leakage of classified information in exchanges, paraphrases and shorthand.
"It's what would happen when classified references are unintentionally introduced into an unclassified email system," Leonard said. "That would be an obvious question with Secretary Clinton's network. The sheer volume of those emails would certainly carry that risk."
Steven Aftergood, a government secrecy expert at the Federation of American Scientists, said Clinton's unclassified emails would have been a target for hackers.
"There is lots of State Department information that is not formally classified but is sensitive and advantageous for those who could obtain it," Aftergood said. "They may not want to know what she's eating for lunch, but would gain insight by learning who she was talking to, what her agendas are, where she was traveling."
Aftergood and other experts said that while Clinton may have had direct control over the private server that managed her emails, it almost certainly did not have the same robust defenses as government or large corporate computer systems. It is not known how Clinton protected her private server when she was a Cabinet secretary until 2013, but a later version was reconfigured to use a Denver-based commercial email provider now owned by McAfee Inc., a top Internet security company.
Some experts said if properly protected by firewalls and security systems and regularly monitored and updated, even a small independent server could have been as strong as government networks.
"Depending on the configuration, there's no reason a system like that couldn't be secure, especially since State has been a target of hackers in the past," said Christopher Cummiskey, a former senior Obama administration Homeland Security official who responded to cyber-attacks against government and contractor networks.
© 2015 The Associated Press. All rights reserved.