Hillary Hacked, or “EmailGate” – why it mattered

By Lucius Cincinnatus

Has anyone else noticed that many of Hillary Clinton’s supporters, now outraged over hacking by foreign governments, expressed little concern for it before the November election? When it came to light in 2014-15 that Mrs. Clinton was conducting her official State Department communications using a private email account on a home-brew server we were told it was no big deal. It was an odd position for some to take given that the Office of the Inspector General* did not see it that way in its official Report:

 “According to DS (Bureau of Diplomatic Security) and IRM (Bureau of Information Resource Management) officials, Department employees must use agency-authorized information systems to conduct normal day-to-day operations because the use of non-Departmental systems creates significant security risks.” (Office of the Inspector General’s Report, released May 2016, p.26)

“Among the risks is the targeting and penetration of the personal email accounts of Department employees, which was brought to the attention of the most senior officials of the Department as early as 2011.” (OIGR pp. 26-27)

Despite the seriousness of the issue, USA Today ran an opinion piece last June calling Clinton’s decision to conduct official business using an unapproved, in-home server a “non-scandal” and a “pseudo-scandal.” The piece was obviously designed to deflect criticism away from Mrs. Clinton and was very forgiving given that Mrs. Clinton actions may have increased her exposure to foreign hacking. The author of the piece must have slept through key parts of the Inspector General’s Official Report, which the author gave the impression he had read. For instance, he fails to mention the part of the IG’s report that says the Foreign Affairs Manual  (FAM), which is presumably issued to all State Department employees, warns that,

“…sensitive, but unclassified information resident on personally owned computers is generally more susceptible to cyber-attacks and/or compromise than information on government-owned computers connected to the Internet.” (OIGR pp.54-55)

With little more than a month to go before the election, the Huffington Post was still trying to downplay the seriousness of Clinton’s cyber security indiscretions: “Republicans Just Cannot Let The Clinton Emails Go.” It’s a headline crafted to make Republicans look like partisan attack dogs, however the issue was far more than just about some emails. Clinton conducted her official business using a personal email account and a home-based server in direct opposition to State Department policies.

The Inspector General’s Report states the issue very clearly:

“Secretary Clinton used mobile devices to conduct official business using the personal email account on her private server extensively, as illustrated by the 55,000 pages of material making up the approximately 30,000 emails she provided to the Department in December 2014. Throughout Secretary Clinton’s tenure, the FAM (Foreign Affairs Manual) stated that normal day-to-day operations should be conducted on an authorized Automated Information System, yet OIG found no evidence that the Secretary requested or obtained guidance or approval to conduct official business via a personal email account on her private server. According to the current CIO (Chief Information Officer) and Assistant Secretary for Diplomatic Security, Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs. However, according to these officials, DS (Bureau of Diplomatic security) and IRM (Bureau of Information Resource Management) did not—and would not—approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM and the security risks in doing so.” (OIGR pp. 36-37)

hillary-clinton-sworn-in-as-secretary-state

Honest Hillary with her hand on the Bible. Secretary of State-Designate Hillary Rodham Clinton is being sworn in as the next Secretary of State after approval of her nomination. Photo: U.S. Department of State

“I was permitted to and used a personal email…” Hillary Clinton on Iowa Public Radio August 14, 2016

Is that so, honest Hillary?

“During Secretary Clinton’s tenure, the FAM also instructed employees that they were expected to use approved, secure methods to transmit SBU information and that, if they needed to transmit SBU (sensitive but unclassified) information outside the Department’s OpenNet network on a regular basis to non-Departmental addresses, they should request a solution from IRM. However, OIG found no evidence that Secretary Clinton ever contacted IRM to request such a solution, despite the fact that emails exchanged on her personal account regularly contained information marked as SBU.” (OIGR p. 37)

“One of the primary reasons that Department policy requires the use of Department systems is to guard against cybersecurity incidents….Consequently, the Department has issued numerous announcements, cables, training requirements, and memos to highlight the various restrictions and risks associated with the use of non-Departmental systems, especially the use of personal email accounts.” (OIGR p. 32)

“The use of personal email accounts to conduct official business has been a particular concern over the past several years. For example, on March 11, 2011, the Assistant Secretary for Diplomatic Security sent a memorandum on cybersecurity threats directly to Secretary Clinton.” (OIGR p. 33)

The fact is that after repeated warnings about cyber security and the multiple threats to it, Hillary and her staff continued to intentionally disregarded State Department guidelines.

“DS and IRM reported to OIG that Secretary Clinton never demonstrated to them that her private server or mobile device met minimum information security requirements specified by FISMA (Federal Information  Security Management Act) and the FAM.” (OIGR pp.36-37)

“…OIG interviewed other senior Department officials with relevant knowledge who served under Secretary Clinton, including the Under Secretary for Management, who supervises both DS and IRM; current and former Executive Secretaries; and attorneys within the Office of the Legal Adviser. These officials all stated that they were not asked to approve or otherwise review the use of Secretary Clinton’s server and that they had no knowledge of approval or review by other Department staff.” (OIGR p. 37)

If Hillary’s supporters are so concerned now about foreign hacking and cyber security (as they should be) why were they so unconcerned when it was discovered that our Secretary of State was flouting the federal government’s own cyber security rules and regulations?

Unfortunately, double standards are used all the time by people who are careless with the truth.

*Part of the OIG’s mission is to perform “specialized security inspections and audits in support of the Department’s mission to provide effective protection to our personnel, facilities, and sensitive information.”