The recent announcement by the FBI that Hillary Clinton did not break the law but simply showed “extreme carelessness” should serve as a shot across the bow to anyone responsible for their organization’s information security. The FBI’s recommendation does not provide much help with regard to determining where the line is drawn between criminal “gross negligence” and “extreme carelessness”. One theory is that the difference lies in foreknowledge and intent. If so, then all of us in the security space need to take a very hard look at improving and enhancing security awareness within our organizations. Our users must be informed; otherwise, we bear the responsibility for their actions.
We all know that one of the greatest threats to information security is the uninformed, non-malicious employee, which is what the FBI has deemed Mrs. Clinton and her colleagues to be. The best way to protect ourselves from this type of data vulnerability is to make sure that our employees and colleagues are trained on security policies around password security, phishing, hoaxes, malware, file sharing, copyright and, obviously, the importance of using corporate systems that are secure and governed by the organization. The FBI’s determination that the actions of Mrs. Clinton were simply extremely careless would indicate that the Department of State failed in its duty to train its employees on security awareness. Had the State Department implemented an effective security awareness program, she would have known what she was doing, and more than likely the FBI would have gone past “extreme carelessness” and deemed her actions “gross negligence.” Let’s take a look at the major mistakes Mrs. Clinton and her team made and consider how an effective security awareness program would have helped.
The challenges that Mrs. Clinton faced recently arose when a picture of her using a Blackberry phone went viral on the internet. Had she been properly trained on her organization’s hardware policies, she would have known that personal communication devices present a huge security risk. Those devices can be tampered with, and their microphones can be turned into listening devices. Mrs. Clinton’s office is in a very secure area of the State Department building called “Mahogany Row”, where visitors are required to surrender their phones before entering. Security here is tight because the space is specifically set up for handling classified material. One of the emails made available to Judicial Watch via their Freedom of Information Act request shows that Mrs. Clinton requested a special Blackberry, but was denied one by the NSA. Had she known why her request was denied and the risk associated with using non-secure telecommunication devices, she would not have asked the State Department’s IT Manager, Bryan Pagliano, to set up a private email server so that she could use a personal Blackberry device despite the NSA’s refusal to allow her to do so. Had Mrs. Clinton and Mr. Pagliano been properly trained, they would have known that this was inappropriate and ill-advised. Perhaps he told her as much, but we don’t know, because all of his emails are unavailable. It would be interesting to see if he warned her of the consequences of what she was doing. Had he received training, it is quite certain that he would have known enough to do so, and that if she persisted, her conduct would have been more than just “extremely careless”.
Another weakness in the State Department’s security awareness program was its failure to make Mrs. Clinton understand that removing the header which indicates data classification does not alter the sensitivity of the content under the header. Emails between her and her aides indicate that she was unaware that cutting off the “classified” stamp on a document prior to faxing or emailing does not make that communication secure. Nor does it change the classification of the communication. Clearly, this is a security awareness issue: if she had known about this issue and still requested that her aides remove data classification markings in order to send messages over insecure channels, she would have been intentionally breaching security policies and document handling policies. Documenting our security awareness programs is becoming critical so that there is shared accountability between IT and an organization’s user community.
It seems that the weakness in the State Department’s security awareness program goes beyond failing to educate its users and extends to those responsible for ensuring that policies are enforced. Judicial Watch recently released the transcript of the deposition of Patrick Kennedy, State Department Under Secretary for Management, in which he states that he did not realize that Mrs. Clinton’s use of a personal email address was a problem. This is the gentleman responsible for ensuring that the State Department’s policies are enforced. Mr. Kennedy testified that he had “no opinion” as to whether the use of a personal email address by Mrs. Clinton was a violation of policies. Even the most basic of security awareness programs will cover an organization’s email policies. These policies will always cover the importance of email archival and the organization’s document retention policies. Had Mr. Kennedy been properly trained, he would have known that making emails from a personal email account available for legal discovery would be extremely difficult. The State Department has a general email policy which states “that normal day-to-day operations be conducted on an authorized [Automated Information System], which has the proper level of security control to provide non-repudiation, authentication, and encryption, to ensure confidentiality, integrity, and availability of the resident information.” Mrs. Clinton must have been unaware of this policy, and so must Mr. Kennedy have been; otherwise, it would be hard to characterize their disregard for this policy as mere “carelessness”.
Mrs. Clinton was not only extremely careless with State secrets; she also appears to have been careless with the well-being of her staff and colleagues. Email is an area of primary importance in employee training because an individual’s use of email impacts those around them. Not only are they putting themselves in a compromising situation, they are also putting at risk anyone they send communications to and anyone who sends them information. Had Hillary Clinton been properly trained on the damage she might be doing to her staff’s careers, it is quite certain that she would not have allowed them to send her top secret and classified information at her private email address. Likewise, those working for and with Mrs. Clinton must not have been adequately trained, or they would certainly have refused to send government documents to a non-government email address. In private enterprise, one would never send financial or customer data to a colleague’s personal email address. Doing so would make one immediately complicit in data leaking outside the control of the organization. This is an area in which the State Department’s IT group perhaps did not completely fail. A State Department Inspector General report stated that State Department staffers raised concerns about Mrs. Clinton’s use of a private email system but were told to “never speak of it again”. Those working under Mrs. Clinton must not have been informed that it was their duty to refuse to send classified data to an unofficial email address. Had the training been effective, someone would have stuck to their guns, protecting themselves and US national interests.
Another, more difficult security awareness objective is to make our employees and other stakeholders good judges of what is sensitive and what is not. The government defines classified data as “information created or received by an agency of the federal government or a government contractor that would damage national security if improperly released.” Whether that data is marked classified is irrelevant; what matters is the data itself, and the burden is on the individual handling the information to determine whether or not that information would damage national security if improperly released.
Had Mrs. Clinton been aware of this, she would not have emphasized that she never sent anything “marked classified”; she would have known that how a document is officially marked is not as important as the handler’s own assessment of the sensitivity of the document.
Information security programs strive to keep data in the hands of the right people, but they have another goal, which is to make employees accountable for their actions. It is important that organizations be able to quickly and efficiently produce documents during litigation of any type. Email records are frequently subpoenaed during litigation. In the public sector, this type of litigation has become quite common since the creation of the Freedom of Information Act in 1967. Federal government employees should expect to have their records subpoenaed at any time by any citizen. Had Mrs. Clinton been made aware of this, she would not have used her own private email server. She would have realized the painstaking process the State Department would have to go through in order to make her private emails part of the official record. This was a tremendous failure of the Department of State’s security awareness program, probably the most grievous failure of all, because it put government transparency at risk.
Education and training would have prevented much of what Mrs. Clinton has been going through. Security professionals who have security awareness programs in place must do a good job of documenting their programs and the lessons they are teaching their employees. The FBI has now signaled that intention and ignorance matter. If Mrs. Clinton was not “grossly negligent” in her use of information, then the State Department’s IT group must have been grossly negligent in its responsibility to make employees aware of its security policies and procedures. I would imagine that at some point someone is going to look to the State Department’s CIO and ask him some very tough questions. Hopefully, he will have in place a security awareness program that is well documented. This does not seem to be the case, based on the FBI’s determination that no laws were broken. Let this be a lesson to all of us.