In March of 2015, a controversy began when the public technically savvy members of the public learned that
- Hillary Clinton had used a personal email account for official business while she served as Secretary of State, and
- the personal email account had been hosted on a private server that she owned, and was located in her residence.
A watchdog group within the State Department launched a project one month after the controversy began (April 2015) to gather information, including
- the practices of other Secretaries of State, and
- the relevant laws and/or government policies that were in effect during various administrations.
The group, a.k.a. the Office of the Inspector General (OIG), recently completed their work and published a set of reports to document their findings. The fourth and final report, Office of the Secretary: Evaluation of Email Records Management and Cybersecurity Requirements, was issued on May 26 to address
“efforts undertaken by the Department of State (Department) to preserve and secure electronic records and communications involving the Office of the Secretary” (p.4)
To understand potential security issues regarding Clinton’s email practices, one really needs to first understand “how email works”; that is the main focus of this diary. Below I provide a highly simplified explanation which provides a very limited set of details. In the images below, the top half shows a real world, snail-mail example; the bottom half shows the equivalent situation for email.
STEP 1
In the real world, a person might compose a letter at a desk in their house. In order to mail it, the letter needs to be taken to the Post Office. The mail carrier usually performs this service.
With email, a person will compose a message using an Email Client. In order to “mail” it, the message needs to be sent to an Email Server, which is a (usually dedicated) machine that hosts processes that are equivalent to those of a Post Office. The job of the processes running on this machine is to accept incoming messages and then take the appropriate steps to send them out on the Internet to where they need to go. An Email Client is usually connected to an Email Server via a Local Area Network (LAN) or the Internet; when the user presses the “send” button, the message is then transported from the Email Client (a program on a machine) to the Email Server (a program on a (usually different) machine).
STEP 2
The next step in the process is invisible to most of us. In the real world, the Post Office that has the letter now takes the appropriate action to send the letter to a different Post Office that is closer to where the recipient lives.
With email, a program running on the first Email Server reads the distribution list, makes a copy of the message for each address on the list, makes a call to a DNS server to convert each user-friendly address on the email to an IP address, and then sends a copy of the message to each IP address. Note: each IP address is actually the network location of a computer that is configured as an Email Server. If someone sent to a message to hdr22@clintonemail.com (the address that Clinton used for official business as Secretary of State), the call to DNS would return the IP address of the computer that was located in Clinton’s basement. When a personal email account is “hosted on a private server,” it means that messages sent to that email account are sent to a computer that is (usually) owned and maintained by the owner of the email account.
STEP 3
In the final step, the destination Post Office receives the letter and takes action to deliver the letter to a mailbox associated with that particular person (either a PO box at the post office or a mailbox where the recipient resides). The recipient must go to the mailbox to retrieve the letter, and then they can read it.
With email, when a program running on the destination Email Server receives the message, it puts that message into a mailbox that resides on the Email Server. The next time that the user runs their email program on the Email Client, that program automatically checks the mailbox on the Email Server and downloads any new messages that are found for the user to their Email Client. The Email Client now lists the new message, and the user is able to read it using their email program.
Congratulations! You have now completed Email 101! If you are interested in setting up your own personal email account hosted on your own private server, just follow the easy directions below!
How to Set Up a Clinton-Style Home Email Server
Setting up a server is no simple task. “It’s a pretty big job to maintain a server like that and make sure it’s properly configured,” says Peter Firstbrook, an Internet security researcher at Gartner. Firstbrook says such an endeavor is “highly unusual.” He has not heard of any companies whose executives had set up personal servers for work emails, let alone government officials.
To set a personal email server, someone would need to:
- Buy a server, which is about the size of a desktop computer.
- Buy an operating system to run the server, most likely a version of Microsoft Windows or Linux.
- Buy an exchange program to manage the flow of emails (Microsoft Exchange Server is the most common).
- Buy a digital certificate to certify that the server has been encrypted.
- Buy a domain name (in this case, clintonemail.com).
- Install the software.
- Install virus and spam filters.
- Set up firewalls, including a message-transfer agent, an email-specific firewall.
- Get a business-class Internet connection—a regular consumer connection likely isn’t reliable enough.
- Configure the devices using the server, such as Clinton’s BlackBerry.
For any email account, the hosting provider has the responsibility for maintaining the machines that act as Email Servers; they must provide
- day to day technical support, and also upgrades to all components as necessary.
- sufficient security to protect the machine and the information stored on it.
For email accounts that are hosted on a *.gov server, an IT organization with the federal government is responsible for technical support and security.
For email accounts that are hosted by a provider such as AOL or Google, that hosting provider is responsible for technical support and security.
For personal email accounts hosted on a private server, the owner of the server is responsible for technical support and security.
PUTTING IT ALL TOGETHER
Now that you are an expert on how email works, let go back and review:
- An Email Server is a computer that has a special relationship to one or more Email Clients.
- Setting up a private Email Server is no simple task. It is much more difficult than going to google or yahoo and requesting an email account from them.
You also know that If someone sent a message to hdr22@clintonemail.com (see image above)
- the Email Server for the sender would translate that email address to an IP address (like 208.91.197.27), and then send the message to that IP address — which happened to point to a computer that lived in Clinton’s basement
- the message would be stored at least temporarily on Clinton’s private Email Server (i.e. 208.91.197.27)
Here’s the thing ... persons who are called “hackers,” “spys”, “cyber terrorists,” etc., are also experts on how email works. They know much, much more than has been shown here, including how to “hack into” or “attack” any computer that is accessible on the Internet. That is why most everyone installs firewalls and anti-virus software on their home computers hooked up to the Internet: some hackers enjoy setting traps that will damage the computers of those who run into them. If one doesn’t take necessary steps to safeguard their system, it is vulnerable and most likely can be and will be attacked.
Think about it: if so many Email Servers are able to translate hdr22@clintonemail.com into an IP address, the “bad guys” can translate it too. So they know which machine Clinton is using. They also know that as a Secretary of State, she is routinely involved in situations that involve “state secrets” that might be extremely valuable to know. It’s almost as if the bad guys had been handed a map to buried treasure, with a big red “X” marking the spot.
The government and global corporations understand the importance of cybersecurity and hire experts to review their computer systems and take appropriate action to keep those systems safe. The experts monitor for possible cyber attacks; and if/when those occur, they move quickly to understand the vulnerabilities and eliminate them.
In contrast, Clinton’s personal email account was a late addition to a home-grown solution that had already existed for years and had not been designed with security as a top priority. The OIG report indicates that she did not ask for a review to ensure that it was adequate for her official business, but she had an obligation to do so with Diplomatic Security.
OIG found no evidence that the Secretary requested or obtained guidance or approval to conduct official business via a personal email account on her private server. According to the current CIO and Assistant Secretary for Diplomatic Security, Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs. However, according to these officials, DS and IRM did not—and would not—approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM and the security risks in doing so.
During Secretary Clinton’s tenure, the FAM also instructed employees that they were expected to use approved, secure methods to transmit SBU information and that, if they needed to transmit SBU information outside the Department’s OpenNet network on a regular basis to non- Departmental addresses, they should request a solution from IRM. However, OIG found no evidence that Secretary Clinton ever contacted IRM to request such a solution, despite the fact that emails exchanged on her personal account regularly contained information marked as SBU. (p. 37)
*DS - Bureau of Diplomatic Security
*IRM - Bureau of Information Resource Management
*FAM - Foreign Affairs Manual
*SBU - sensitive but unclassified
Technical support for Clinton’s private Email Server was provided by two persons with questionable expertise in security:
- “an individual based in New York who provided technical support for Secretary Clinton’s personal email system but who was never employed by the Department” (p.2)
Justin Cooper is a longtime adviser to former President Bill Clinton, and registered the clintonemail.com domain name on January 13, 2009.
- “a Special Advisor to the Deputy Chief Information Officer (2009-13) who provided technical support for Secretary Clinton’s personal email system” (p.2)
Bryan Pagliano worked as an IT director for Clinton's 2008 presidential campaign, and then was hired in 2009 by the state department as a political appointee in what the HR manager described as “not a traditional supervisor/employee relationship.” Turns out that Pagliano was providing technical support to Clinton without the knowledge of his direct supervisors, who
- “believed that [his] job functions were limited to supporting mobile computing issues across the entire Department” (p. 39)
- “did not know he was providing ongoing support to the Secretary’s email system during working hours” (p. 39)
Several hacking incidents are described in the OIG report. Instead of inviting IT experts in to help understand the vulnerabilities and eliminate them, the incidents were apparently not reported to anyone else in the State Department.
Department policy requires employees to report cybersecurity incidents to IRM security officials when any improper cyber-security practice comes to their attention. 12 FAM 592.4 (January 10, 2007). Notification is required when a user suspects compromise of, among other things, a personally owned device containing personally identifiable information. 12 FAM 682.2-6 (August 4, 2008). However, OIG found no evidence that the Secretary or her staff reported these incidents to computer security personnel or anyone else within the Department. (p.40)
Finally … you know the FBI investigation we keep hearing about? As it turns out, the focus of the FBI investigation is on security:
WP - FBI looking into the security of Hillary Clinton’s private e-mail setup
The FBI has begun looking into the security of Hillary Rodham Clinton’s private e-mail setup, contacting in the past week a Denver-based technology firm that helped manage the unusual system, according to two government officials.
Turns out the investigation was initiated after the Inspector General from the intelligence community, I. Charles McCullough III,
found information that should have been designated as classified in four e-mails out of a “limited sample” of 40 that his agency reviewed. As a result, he said, he made the “security referral,” acting under a federal law that requires alerting the FBI to any potential compromises of national security information.
“The main purpose of the referral was to notify security officials that classified information may exist on at least one private server and thumb drive that are not in the government’s possession,” McCullough said in a statement, which was also signed by the State Department’s inspector general, Steve A. Linick. — link