State Department ducks security questions about Clinton emails

Government officials have been quizzed about government IT involvement in Hillary Clinton's email system while she was Secretary of State

A week before former Secretary of State Hillary Clinton was sworn into office in January 2009, was registered as domain. It became Clinton's principal email address as secretary of state, and its use was known by U.S. officials.

What isn't known is whether the IT staff at the State Department reviewed Clinton's email system, participated or advised her in setting it up, checked it for security or otherwise monitored it.

Government officials have been peppered this week at press briefings about government IT involvement in Clinton's email system. The answers have been wholly unsatisfying, and remained so at a State Department briefing Friday afternoon.

When asked whether the department's IT operation looked at Clinton's email operation, as well as the devices she conducted business on, Marie Harf, a State Department spokesperson, repeatedly said: "I just don't have details for you on that."

Harf, who acknowledged that she has been asked IT questions for the last three days and appeared frustrated by the ongoing queries, made no promise that any information would be forthcoming.

The only IT insight Harf did acknowledge -- at an earlier briefing this week -- is that the department has "no indication" that Clinton's email account "was compromised or hacked in any way." But she didn't say when or how that was determined.

Josh Earnest, White House press secretary, at a separate briefing, suggested that Clinton's approach may have made her less of a target. "I could imagine a scenario where you would say that a smaller network is less likely to attract the attention of hackers or others who might want to do harm," he said.

There's some truth to that. Risk is a combination of threat actor, or the outsider or insider, the vulnerability and potential damage, said Alan Paller, director of research at the SANS Institute. "Since threat actor and potential damage are the same whether it is State Department or her own system, the key question is which is more vulnerable," he said.

In this case, the State Department "is probably more vulnerable because of all the potential entry points, because of weak security skills of their IT staff." Locating a private email system with only a single entry point would be a harder task, he said.

The State Department has said there was nothing prohibiting Clinton from using private email, provided the records were retained. But Clinton, who has turned over 55,000 pages of records, appeared to use a private email account almost exclusively.

If State Department officials are suggesting that it's OK for an employee to use a private email account to routinely conduct official business, that position is well outside the practice of other federal agencies.


Stories by Patrick Thibodeau
