Despite a hack two years ago that publicly exposed Hillary Clinton’s emails, the State Department took no action to shore up the security of the former secretary of state’s private computer server.
A State Department official said the department could not do anything in response to the March 2013 hack of longtime Clinton confidant Sidney Blumenthal because it occurred on a non-governmental computer system. The hacked emails, which included Blumenthal’s frequent correspondence with Clinton while she was in office in 2012, were sent by the Romanian hacker to media organizations, which later posted them online.
The disclosure renews questions of when State Department officials first learned that Clinton was doing department business on a private server and what steps they took to safeguard her sensitive diplomatic communications, some of which have been deemed classified.
National security and technology experts told McClatchy that the government should have taken immediate action, including implementing such security precautions as updating software and protecting passwords.
The failure to take any precautions also could have left Clinton’s server vulnerable to hackers, experts said. Just this week, a Senate committee chairman asked FBI Director James Comey whether the bureau was investigating the possibility she was hacked.
“The State Department should have done something,” said Brian Reid, a cybersecurity expert with the company Internet Systems Consortium. “If your house is burgled, you’re going to put alarms on the windows. It’s just basic common sense.”
The department’s inspector general’s office, which on its own initiative could have investigated or assessed the breach at the time, declined to comment this week and referred questions to the State Department.
Clinton’s exclusive use of a personal email account, routed through a private server for all four years she served as secretary of state, continues to hurt her prospects as the Democratic front-runner for president. With her campaign under siege, her poll numbers are slipping and Vermont Sen. Bernie Sanders, an opponent for the Democratic nomination, is gaining ground.
The furor intensified after the Intelligence Community’s inspector general asked the FBI to scrutinize the security implications of her use of a private server after classified material was found on her server.
Five emails sent to Clinton were recently deemed as classified, including two designated “Top Secret.” State Department officials have challenged the classifications and emphasized that the emails were not marked as classified at the time.
Clinton has maintained that she never sent or received any material marked as classified and has characterized questions about her private server as a partisan attack and a bureaucratic problem.
In order to be as cooperative as possible, we have turned over the server. They can do whatever they want to with the server to figure out what’s there and what’s not there. That’s for the people investigating it to try to figure out.
Former Secretary of State Hillary Clinton
A State Department official who is knowledgeable about the government’s response to the Blumenthal hack confirmed that the department did not investigate. The official refused to say if the discovery of the hack is what alerted the department to the existence of Clinton’s private server. The official could not speak publicly as a matter of practice.
“We would not address the security of a system of an individual who was not employed at the time with the federal government,” the official said.
Because Blumenthal did not work for the government, the official said, the correspondence did not likely include sensitive information.
However, revelations that the State Department failed to take action after the hack by Romanian Marcel Lazar Lehel is prompting criticism of Clinton’s decision to use her own server.
“The State Department has shown an unfathomable indifference to Secretary Clinton’s email arrangement from the very beginning,” said Rep. Trey Gowdy, chairman of the House committee investigating the fatal attacks in Benghazi, Libya, in 2012. “This is evidenced by their acquiescence in allowing the private server from the very first day, a failure to preserve and protect the public record during . . . her tenure, and a failure to seek the return of the public record until a committee of Congress essentially insisted it be done.”
Once the Blumenthal hack occurred, the domain name for Clinton’s host server was easily obtainable and her account was likely vulnerable, said Darren Hayes, director of cybersecurity at the computer science school at New York’s Pace University. Clinton changed her email address after the hack. In June 2013, she also hired a Colorado firm to manage her email server.
“Somebody could look up information about the registrar for that domain name,” identify the unique IP address for her account, locate the email server “and find out what vulnerabilities might be associated with that server,” Hayes said.
He said that “there were certainly some security precautions that the State Department and others could have suggested.”
For example, there are weekly security “patches” that can help shield an email server from uninvited intruders. In addition, there were ways to harden her server’s network so that only fully secured networks would be allowed access.
Reid, the cybersecurity expert, said that at the very least the State Department should have immediately checked with Clinton to see what type of user authentication she relied on.
Authentication ensures that the user is in fact the account holder. A password is the first level of authentication. However, the federal government is moving toward fingerprint verification as well, and that security measure was available at the time of the hack, Reid said.
Unless there's a policy requiring them to do it, or there’s a serious downward push from somebody to do something, they’re not going to do anything.
Cybersecurity expert Brian Reid on the State Department’s inaction
The State Department’s initial inaction stands in contrast to the way the Department of Homeland Security dealt with its email accounts for officials transmitting sensitive information.
“Everyone had to have a government email account and the servers belonged to the government,” said Charles Allen, who was undersecretary of the Department of Homeland Security for intelligence and analysis during George W. Bush’s presidency.
During Secretary Michael Chertoff’s tenure, the department “was very scrupulous in how we managed government email accounts that were connected to the Internet,” Allen said in a phone interview.
Others, however, were not alarmed by the State Department’s approach to the hack.
“On the security priority list, I would think the Blumenthal hack would be way down the list, if present at all,” said Thomas S. Blanton, director of George Washington University’s National Security Archive.
He expressed skepticism about “securocrats in the intelligence community” who may be exaggerating the gravity of the classified information on the emails.
Secretary Clinton made the decision to use a private email system and server for official State Department business, and her decision has consequences for the security and preservation of her records. . . . Because of what we know now, I have concerns about the measures in place at the State Department to secure and preserve Secretary Clinton’s records.
Republican Sen. Ron Johnson, chairman of Senate Homeland Security Committee
Clinton turned over 30,490 work emails to the State Department last December, but she said that she deleted another 31,830 personal emails.
The State Department, however, said it didn’t receive all or part of 15 of her emails after matching them with emails Blumenthal gave the House Select Committee on Benghazi in June. Blumenthal testified in front of the committee behind closed doors in August.
McClatchy also learned that the State Department did not review Blumenthal’s hacked emails to determine if Clinton failed to hand over all of her emails.
The State Department official said that the department, as a matter of practice, does not review documents that are leaked publicly on websites or elsewhere, because they can’t authenticate that they are original documents. In this case, the official noted that the documents appeared to have been edited to include markings and different fonts.
“We can’t rely on that,” the official said. “The State Department needs to be able to confirm the source for it to be considered a federal record.”
Experts in public records laws say that they would not expect the State Department to have used information from a non-governmental website to respond to a records request. But, they say, the State Department certainly should have cross-referenced the emails with the ones Clinton turned over.
“It’s a completely reasonable thing to do,” said John Wonderlich, policy director for the Sunlight Foundation, which pushes for government openness. “It’s not about authenticating the emails. It’s about cross-referencing them and doing what they can.”
The State Department recently was ranked last among 15 agencies by the Center for Effective Government in its handling of open records requests.
Clinton has attempted to downplay the scrutiny as mere partisan attacks, but questions about her judgment and motive for using a private system continue to dog her.
On Aug. 11, Clinton agreed to turn over the server to the Justice Department after months of resistance.