Feedback Friday: Industry Reactions to Hillary Clinton’s Use of Personal Email

News broke this week that Hillary Clinton, who will likely run for president in 2016, exclusively used a personal email account to conduct official government business during her tenure as U.S. Secretary of State.

Clinton may have violated federal regulations, which require officials to conduct day-to-day operations on authorized information systems that have a proper level of security controls. The use of a personal email account might have left Clinton’s communications vulnerable to hacker attacks.

Another reason emails written and received by federal officials should be stored on government servers is that such records, with the exception of certain classified and sensitive materials, are supposed to be retained for congressional committees, historians, and the news media.

Clinton has turned over 55,000 pages of documents covering the time she was in office, and asked the State Department to release them so that the public can see her emails. However, it could take the State Department several months to review all the documents and determine if they can be released to the public.

Government-transparency advocates and Republicans have criticized the politician, claiming that she used a personal account to make sure she could control which emails would be released to the public.

The State Department says it can determine if Clinton broke the rules only after reviewing her messages.

Some industry professionals believe such practices can pose serious security risks, while others have pointed out that email in general is not a secure communications channel.

And the Feedback Begins...

Andrew Conway, research analyst at Cloudmark:

"First of all, email, whether it is run by the government or private enterprise, is not a secure medium. There are too many places where email can be intercepted by a rogue sysadmin or programmer. Government systems are no safer than private systems in this respect. In fact, if Clinton was using a private mail server, she may well have been more secure against insider threats than a government system which might have had dozens or hundreds of employees with administrator access.


Secondly, the use of private email for government business is not uncommon. Some years ago, I was working as a consultant and did an emergency project for the State of Florida. I built a web page to help people find their nearest hurricane shelter, and got it up and running while a hurricane was on the way. Afterwards I got a thank-you email from jeb(at)jebbush.com, which doesn't look like an official State of Florida email address to me."

Kevin Epstein, vice president, Advanced Security & Governance for Proofpoint:

"Use of personal mail for business is not innately a security or compliance risk; it depends on the systems and policies in place. For example, many regulated organizations allow staff to use personal social media accounts to interact with clients, or even solicit business -- and this is good business practice, as long as the accounts are subject to the organization's supervision, archiving, and other security & compliance systems.


The medium is not the message. All the email being discussed is already crossing the public internet, so it's all exposed to the same risk in some sense. It is absolutely possible to send an encrypted email that was audited by the organization through a public ISP, and have that be more secure and more compliant than the same content being sent unencrypted and unaudited through the organization's own email servers. The question in these circumstances is clearly to what degree the organization's systems were used or avoided, and why.


Security and compliance require the collaboration of individual practices and organizational systems. The most cautious individual in the world may still be unable to comply with reams of regulations, or may be unable to do their job if their systems infrastructure demands excessive compliance actions or filters on communications. At the same time, determined individuals will always find ways of thwarting security and compliance systems within their organizations, even if it's only out of frustration with the overhead imposed by those systems. Ideally individuals act for the best, and systems remain transparent and noninterfering."

Stephen Pao, GM of Security at Barracuda Networks:

"This is no surprise. Just about every regulatory framework today covers the need to retain, disclose, and retain electronic communications. The attention placed on this issue for Mrs. Clinton's emails is appropriate given the widely understood nature of archived emails and their use in investigation, discovery, and litigation. In this case, her use of communications outside of the State Department email system extended investigation to her personal email. However, what has been less talked about is that these kinds of investigations could ultimately extend even beyond personal email.


Today, so much messaging is happening over collaboration applications, such as Skype or iMessage, that use transport encryption that is not easily intercepted, and most organizations are not set up to regulate their usage. Even social applications, such as Twitter direct messaging, Facebook Messenger, and LinkedIn InMail, which are easier to regulate, are often allowed for business communications, leaving organizations in a place where they might not strictly comply with their own information management policies.


We know that with our social media archiving, application control, and mobile device management capabilities, some of our offerings have been ahead of our customers' asks. Still, we believe that as the lines continue to erode between our work and our personal technologies, the need for companies to better identify potential areas of risk will only increase."

David B. Amsler, President & CIO, Foreground Security:

“It is astounding to me that this was allowed and that this isn’t an even bigger deal. While previous Secretaries of State did use personal email for some activities—which is understandable since some activities would be illegal to do under official cover or status—no Secretary of State has ever exclusively used personal email. The statement that came out in the last few days—that she assumed all her emails would be saved since she was emailing with other State Department officials—is laughable and offensive to me.


What about emails not sent to State Department officials, since that was the only email account she used? Since it was essentially her official government email account, any email sent outside State can’t be officially tracked. What other activities was she performing under that same cover? To come out now and say she has instructed her team to turn over all emails is misleading, at best, since there is no way to verify if those records are 100 percent complete.”

John Pirc, Chief Strategy Officer and Co-founder, Bricata:

“There is inherent risk in using email in general, and that typically comes in the form of social engineering/phishing/spam attempts to get you to click on a link. Now with that said, most large organizations such as the State Dept. will have an entire security team and products in place that address the security risk associated with email. Additionally, they will have policies in place that prohibit the use of personal email that contains company/government business. There is very good reason for not using personal email to conduct company business, because as soon as you cross that boundary, the information you communicated or attached is no longer controlled by the company. Also, if any of the communications are confidential/sensitive, they are now being stored on a private “homebrew” email server.


The concern with setting up a private email server is making sure you have reasonable security in place, and I think that is highly unlikely in this case. Questions come to mind regarding the use of encryption in transit and at rest…which are best practices for most large organizations regarding email. It’s highly unlikely a “homebrew” mail server has enterprise-grade security on it. On the encryption aspect, did she ever use it on a mobile device in another country? I don’t think it would take long for a foreign country’s intel service to figure out who she was communicating with because of her high profile, and being able to hack a private mail server that likely doesn’t have enterprise-grade security is like taking candy from a baby…well, at least for people at my level.


In short, with any high-ranking government official or business executive, this is not a great idea and will place you and your company at great risk; not to mention that when you leave, you will have electronic copies of information that no longer belong to you. As an executive and co-founder of a company, I would be irritated if I found out someone in my company was using a private email to communicate, send documents, etc., instead of our corporate email server.”
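The policy Pirc describes (personal email must not carry company or government business) is only enforceable if someone actually looks for violations. As an added example that is not part of the article and not any vendor's product, the script below audits constructed mail-gateway log lines for messages flowing between an organization's domains and consumer webmail domains. The log format, the organization domains (example.gov) and the list of personal webmail domains are all assumptions made for the example; real gateways log differently and a real deployment would take its domain lists from policy.

```python
"""Flag organization mail that passes through personal webmail accounts.

Added example, not code from the article. It assumes a simplified,
made-up gateway log format:
    <timestamp> from=<addr> to=<addr1,addr2,...> subject="<text>"
"""
import re
from dataclasses import dataclass
from collections import Counter

# Hypothetical organization domains whose mail must stay on audited systems.
ORG_DOMAINS = {"example.gov", "mail.example.gov"}
# Constructed list of consumer webmail domains used as the "personal" signal.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+from=(?P<from>\S+)\s+to=(?P<to>\S+)\s+subject="(?P<subject>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    sender: str
    recipient: str
    reason: str


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def classify(sender: str, recipient: str):
    """Return a policy-violation reason, or None when the pair is allowed."""
    s, r = domain_of(sender), domain_of(recipient)
    if s in ORG_DOMAINS and r in PERSONAL_DOMAINS:
        return "org sender to personal recipient"
    if s in PERSONAL_DOMAINS and r in ORG_DOMAINS:
        return "personal sender into org"
    # Org-to-org mail, or mail with an unrelated external party, is not a hit.
    return None


def parse_line(line: str):
    """Parse one log line; malformed lines are skipped rather than fatal."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["to"] = rec["to"].split(",")  # one record per recipient below
    return rec


def audit(lines):
    """Run the policy check over log lines and return all findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rcpt in rec["to"]:
            reason = classify(rec["from"], rcpt)
            if reason:
                findings.append(Finding(rec["ts"], rec["from"], rcpt, reason))
    return findings


def senders_by_count(findings):
    """Which accounts generate the most findings (useful for follow-up)."""
    return Counter(f.sender for f in findings).most_common()


# Constructed sample log: two policy hits, one malformed line, two clean lines.
SAMPLE_LOG = [
    '2015-03-06T09:12:01Z from=alice@example.gov to=bob@example.gov subject="Weekly brief"',
    '2015-03-06T09:15:44Z from=alice@example.gov to=alice.personal@gmail.com,bob@example.gov subject="FWD: Weekly brief"',
    '2015-03-06T10:02:10Z from=carol.home@yahoo.com to=bob@example.gov subject="Draft memo"',
    'this line is not in the expected format',
    '2015-03-06T11:30:00Z from=vendor@partner.example.com to=bob@example.gov subject="Invoice"',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.sender} -> {f.recipient}: {f.reason}")
    print(senders_by_count(audit(SAMPLE_LOG)))
```

The check flags both directions: official mail forwarded out to a webmail account, and business arriving from one. The second case is the one usually missed, and it is the case Pirc's "as soon as you cross that boundary" remark is really about, since the organization has no copy of whatever the personal account received before the reply came in.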

Rehan Jalil, Elastica CEO:

“This is a clear example of Shadow IT and the problems that can arise when users at any level decide to use applications outside the purview of IT and IT security teams. In this case it appears as if email was the Shadow IT application of choice but it is just one way that people are sharing information.


The questions to ask now are: what other personal cloud-based applications are being used for exchanging regulated information by Hillary Clinton and others who play a role in national security, and is there more data circulating in the wild that no one knows about?


Though we can’t be certain what security precautions Clinton took with her email account, it’s alarming to find that the former Secretary of State used Shadow IT for official government communications.”

Bill Solms, CEO of Wave Systems:

“Anytime a senior executive runs all or even part of their official email traffic through a private email account it raises concerns over both accountability and security. From an accountability perspective, it raises the specter of the ability to manipulate the process to achieve less than complete compliance with oversight rules. If a CEO of a corporation subject to Sarbanes-Oxley had conducted their business affairs this way it would have most certainly been a violation of that legislation. It doesn’t mean that the former Secretary did it for this reason, but it leaves the door open for speculation.


The other and more serious concern is what level of sensitivity and/or government classification was involved in the emails and what level of security was employed to protect those emails? Was the level of security appropriate for protection of the emails of a serving Secretary of State? If she used a generic, commercially available email service then it likely did not provide that level of security. It’s also important to note the difference between the level of security given to the general email accounts at a government agency like the State Department, and the level of security given to the accounts of the Secretary herself. It would likely have been a much more highly protected account than those at State that were recently compromised by hackers.


To protect the content of their email, for both official compliance and privacy reasons, executives of either a Government agency or of a commercial organization are always recommended to use the officially protected email accounts.”

Richard Barger, Chief Intelligence Officer, ThreatConnect:

“Today’s sophisticated threats are from the very groups known to target high-profile executive users both at work and at home. These attackers know that with the convergence of mobile technologies and the use of personal accounts to conduct work activities, attackers gain unprecedented access to very candid insights and private exchanges that our public and private sector VIPs are having.


These threat actors are after the vulnerable user, not necessarily the vulnerable asset. We know this because of the patterns of activity we are seeing and the threat intelligence being shared within our platform. Once attackers gain a foothold of an executive target, they will use that initial access to grab credentials and masquerade as that user. They leverage that access to a victim's account to conduct secondary spear-phishing operations, which can lead to targeting others within the victim’s inner circle. It's just like dominoes - as soon as one tips over, it’s only a matter of time before they all fall. Luckily, security teams are using threat intelligence to make their security controls and investments stronger, so they can better support their executive users against these types of threats.”

Greg Hoffer, Senior Director of Engineering, Globalscape:

“As with most situations like this, it’s helpful to first acknowledge what we don’t know. Politics aside, it’s best to break this down empirically and ask questions without prejudgment or assumptions – because based on the number of compromises across industry and government, no one is above reproach. When it comes to email – or any technology for that matter – we need to examine people, process and technology factors. Here are my questions:


First, regardless of where the technologies were deployed, were they deployed correctly? For example, we have heard a lot about SSL-based vulnerabilities in the past 12 months (Heartbleed, Poodle, Shellshock, Superfish, FREAK) that are scary, violate the trust that we had in core security technologies, and are squarely in the arena of defects in the technological controls of security. Yes, these are bad. But even the most secure technologies imaginable are vulnerable to compromise when those technologies are not applied properly. Additionally, was the email system protected by multiple layers of security – encryption, multifactor authentication, scanning, etc.? Security can be a strength-in-numbers approach and, when done correctly, an all-boats-rise proposition.


Second, apart from what technologies were deployed, who deployed and managed them? Who provided primary IT support for the Clintons? From reports it would seem that they used some hosted security solutions to augment direct management, but what level of rigor and expertise was applied to the ongoing management and oversight of the system – particularly based on the sensitivity and criticality of the communications involved.


Third, did the systems and the management adhere to regulations and best practices in terms of security policies, standards, and procedures? Regulations and regulatory oversight play important roles here. While there is broad disagreement around the full efficacy of individual standards, there should be no debate that completely ignoring recommendations and requirements leaves everyone exposed and increases the risk that technological security controls can be circumvented.”

Until Next Friday...Have a Great Weekend!

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.