So by now we have all heard about Hillary Clinton’s email: she has been sending far too many forwards of chain mails and cat memes. OK, so in reality the controversy is over her private email server. Now if you are the casual American voter, you just hear a sound bite about email, get outraged and think, “that is unpatriotic and terrible”. While having a personal email server and using it in conjunction with official State Department business is a piss poor decision, especially when you are fourth in line for the presidency and a high-profile individual, there is an even larger underlying issue. The real issue with Mrs. Clinton’s email scandal isn’t the fact that she did this; it is the common problem of circumventing security for convenience.

What we need to look at first and foremost is where this server started. It started in 2008 for her then failed presidential bid. This honestly is rather understandable. If I had been using something for years and then moved into another position, I might still use it as well; we all do it in one way or another. However, here are a few extremely important facts about that server:

  • It had a large attack surface
  • For the first two months as Secretary of State all emails were not encrypted
  • One of the domains used was (obvious attack target)

These are just a few of the key issues with this server. Now let’s understand the role of the Secretary of State:

Under the Constitution, the President of the United States determines U.S. foreign policy. The Secretary of State, appointed by the President with the advice and consent of the Senate, is the President’s chief foreign affairs adviser. The Secretary carries out the President’s foreign policies through the State Department and the Foreign Service of the United States.

Created in 1789 by the Congress as the successor to the Department of Foreign Affairs, the Department of State is the senior executive Department of the U.S. Government. The Secretary of State’s duties relating to foreign affairs have not changed significantly since then, but they have become far more complex as international commitments multiplied. These duties — the activities and responsibilities of the State Department — include the following:

  • Serves as the President’s principal adviser on U.S. foreign policy;
  • Conducts negotiations relating to U.S. foreign affairs;
  • Grants and issues passports to American citizens and exequaturs to foreign consuls in the United States;
  • Advises the President on the appointment of U.S. ambassadors, ministers, consuls, and other diplomatic representatives;
  • Advises the President regarding the acceptance, recall, and dismissal of the representatives of foreign governments;
  • Personally participates in or directs U.S. representatives to international conferences, organizations, and agencies;
  • Negotiates, interprets, and terminates treaties and agreements;
  • Ensures the protection of the U.S. Government to American citizens, property, and interests in foreign countries;
  • Supervises the administration of U.S. immigration laws abroad;
  • Provides information to American citizens regarding the political, economic, social, cultural, and humanitarian conditions in foreign countries;
  • Informs the Congress and American citizens on the conduct of U.S. foreign relations;
  • Promotes beneficial economic intercourse between the United States and other countries;
  • Administers the Department of State;
  • Supervises the Foreign Service of the United States.

The real issue here is the level of trust that is needed, and the sensitive information that is continuously at risk and could endanger the American people and the nation as a whole if it were to get into the wrong hands. This is why it is such a huge deal and will not be dropped.

In all fairness, we need to understand that any email that she sends, even if it is a hilarious cat meme and nothing else, needs to be marked as Classified simply due to the systems used and the position itself. This is from Executive Order 13526:

Sec. 1.2.  Classification Levels.  (a)  Information may be classified at one of the following three levels:

(1)  “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.

(2)  “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.

(3)  “Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.

So what really needs to be known is what was the classification of the emails?

The counterargument is that countless other politicians and cabinet members have used their personal email in relation to their duties as well. That is more than likely true, but here is the true issue with the Clinton email controversy: not adhering to federal guidelines and standards. This is not only an issue with Mrs. Clinton; it is a serious problem within not only our government, but also our corporations. When people come into a position of power they have a sense of entitlement and assume that laws and regulations do not apply to them, and that it’s no big deal if they don’t have a secure password or follow NSA guidelines, because they are really busy and really important and don’t have time to protect their data and accounts. Here is a perfect example:

Clinton spokesman Nick Merrill defended Clinton’s use of the personal server and email accounts as being in compliance with the “letter and spirit of the rules.” Clinton herself stated that she had done so only as a matter of “convenience.”

Let us not forget that CIA Director John Brennan had his AOL email account compromised by a teenager. The documents were largely draft forms of agency memos and other notes.

One of the documents was Brennan’s security-clearance background form that contained personal information about his wife and family members, including addresses, birthdays and Social Security numbers.

Another example of a government not adhering to security standards would be the OPM data breach of 2015. A March 2015 OPM Office of the Inspector General semi-annual report to Congress warned of “persistent deficiencies in OPM’s information system security program,” including “incomplete security authorization packages, weaknesses in testing of information security controls, and inaccurate Plans of Action and Milestones.” (OPM)

The other major issue, besides the 20-plus million individuals whose information was compromised, is the fact that OPM’s then Chief Information Officer Donna Seymour was slowing efforts in the investigation of the data breach and then resigned two days before she was supposed to give testimony about it.

In 2013 Target had a data breach affecting over 40 million customers’ data. They requested that Verizon help with a probe of why the breach could have happened. Verizon’s investigation, for the dates of December 21, 2013 to March 1, 2014, notably found “no controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers.”

The report also noted that “while Target has a password policy, the Verizon security consultants discovered that it was not being followed. The Verizon consultants discovered a file containing valid network credentials being stored on several servers. The Verizon consultants also discovered systems and services utilizing either weak or default passwords. Utilizing these weak passwords the consultants were able to instantly gain access to the affected systems.”

Default passwords in key internal systems and servers also allowed the Verizon consultants to assume the role of a system administrator with complete freedom to move about Target’s sprawling internal network.

Target had failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network.

The point is that the true problem is complacency and a sense of entitlement, and the issue is not only in government but in corporate America as well. However, when it comes to government officials, they need to be held accountable for their actions, because in the case of the CIA director’s hack his family’s information was taken, and with the OPM data breach the lives of millions of families were affected. There has been no accountability except resigning from their positions. This is not enforcing rules that were put in place to protect data and people.