By now, most readers will be familiar with the news reports that Hillary Clinton used a personal email account ([email protected]) for her official work while Secretary of State. Most of the news has been about whether or not this action violated federal record-keeping requirements, but few (Shane Harris being a notable exception) are asking the distinct question of whether using a private email server is a secure way of communicating even in an unclassified context. Herewith a few quick thoughts:
- There is no reason to think that the Clinton email system was purposefully or accidentally insecure. Indeed, to the contrary, given the Clintons' privacy concerns they would be expected to have taken substantial security measures.
- Nor is there any reason to think that their system is less secure than that of the Department of State. Less than 6 months ago, reports suggested that State's own unclassified system had been breached. The comparative security or insecurity of Clinton's private system has yet to be demonstrated. [Though one suspects that State spends far more on security than the Clintons do personally.]
- Which leaves us with a number of questions about the Clintons' system:
  - What security measures were used? Was mail encrypted? Did it use two-factor authentication? What intrusion detection and prevention systems were in place?
  - How widely known was the existence of this email server system? Would it have come to the attention of foreign intelligence agencies, thus becoming a target?
  - Who managed the IT and security for the system? Who else had access to it? Did the administrator have access to the content of emails?
  - Did the system retain sufficient records and logs such that one could now do a forensic analysis of whether any attempts had ever been made to penetrate it (and/or determine if such attempts had been successful)?
- Reports suggest that beginning in 2012, the server was backed up to Google servers. Most of the same questions will apply to the data stored in this backup facility as well.
Does any of this matter? We can't know at this point. It depends as much on the content of the communications as it does on the security measures taken. It also depends on whether the risk in question is a merely theoretical one or if it is one that someone actually attempted to exploit. I suspect this is mostly a tempest-in-a-teapot, but as a test bed for thinking about cybersecurity concerns it makes for a fun bit of speculation.