"When it comes to
classified information, the standards are not at all black and white..." Brian Fallon, Clinton campaign press secretary,
uttered these words last month while trying to explain how classified
information ended up on Hillary Clinton’s unclassified, unsecure email
server. Actually Mr. Fallon, the rules
are very straightforward. When in doubt, consult a security classification
guide. It is situations like this for which they were written in the first
place. And if the SCG doesn't address a specific issue, the rule is "when
in doubt, protect the information."
What kind of information gets classified? President Obama signed an executive order that makes uniform rules throughout the government for classifying and protecting information. According to Executive Order 13526, Classified National Security Information, if information falls into one of eight categories, it is considered to be classified. Below I have listed those categories, taken verbatim from EO 13526:
Sec. 1.4. Classification Categories. Information shall not be considered for classification unless its unauthorized disclosure could reasonably be expected to cause identifiable ordescribable damage to the national security in accordance with section 1.2 of this order, and it pertains to one or more of the following:
(a) Military plans, weapons systems, or
operations;
(b) Foreign government information;
(b) Foreign government information;
(c) Intelligence activities
(including covert action), intelligence sources or methods, or cryptology;
(d) Foreign relations or foreign
activities of the United States, including confidential sources;
(e) Scientific, technological,
or economic matters relating to the national security;
(f) United States Government
programs for safeguarding nuclear materials or facilities;
(g) Vulnerabilities or
capabilities of systems, installations, infrastructures,
projects, plans, or protection
services relating to the national security; or
(h) The development, production, or use
of weapons of mass destruction.
Hillary Clinton’s campaign team has repeatedly tried to
dodge responsibility for her distribution of classified information by claiming
the information was not marked at the time.
Information found in her email archive contains classified information –
all of it unmarked. Intelligence
professionals have combed through [and are continuing to comb through] tens of
thousands of pages of email HRC sent/received from 2009-13. So far, they found lots of classified
stuff. It’s unmarked, but that is
irrelevant. The nature of the material
found is such that it was “born classified.”
What sort of information
did they find? They found correspondence
between HRC and foreign leaders that fits under the “foreign government
information” [EO 13526, Sec 1.4 (b) and Sec 1.4(d)]. They found information about North Korea’s
nuclear weapons program [EO 13526, Sec 1.4(h)].
They also found information derived from Sensitive Compartmented
Information that if compromised could give away intelligence collection sources
and methods [EO 13526, Sec 1.4 (c)]. Additionally,
in one email sent to George Mitchell [who was a special envoy
for peace in the Middle East], HRC asked him to respond to her private email
address, which she knew [emphasis
mine] was unclassified. The information
passed between the two was unmarked when it was sent, but subsequently marked
as classified. The date of the
classification was the date the emails were sent, not on the day they were
marked as classified. Such “foreign
government information” and information dealing with “foreign relations or foreign
activities of the United States, including confidential sources” is considered
as being classified the minute it is created. “It’s born classified,” said J. William Leonard, a
former director of the U.S. government’s Information Security Oversight Office
(ISOO).
A lot of HRC’s email is being redacted, with the
classification dates being the day the information was created. She also shared classified information with
Sid Blumenthal, who did not [and probably still does not] hold a security
clearance. Hillary Clinton signed
non-disclosure agreements when she became Secretary of State. She also received training on the handling of
classified information. Those are
conditions for having access to this sort of information in the first
place. For her to say that she didn’t
knowingly send classified information to others is simply false. As Secretary of State, HRC had original
classification authority. She was trusted to judge when information should be
marked classified. She should have known that kind of information needed to be
protected. By using the excuse that she didn’t know what is or is not
classified she admits she lacks the judgment needed to protect the nation’s
secrets. While she had original
classification authority, that authority extended only to classified
information held within the State Department.
She did not have the authority to downgrade or declassify any
information provided by DoD.
Under federal law, information is classified by nature,
not by marking. As a result, federal classification authorities deemed that the
information was classified the very second it originated. She was not merely a helpless, passive
recipient of classified national security information; she was the originator.
And not only did she intentionally originate the classified information, she
intentionally disseminated it via an unsecured, unsanctioned private e-mail
server. In my job, whenever I want to
send a classified email on SIPRNET, there is another safeguard in place to
ensure information is afforded the appropriate protection. Before I click the “Send” button, Microsoft
Outlook asks me for a classification for the email. Outlook won’t send it until I do that. The State Department has a system called
SMART that does something similar to what I just described. Mrs. Clinton had this capability available to
her, yet she chose to forgo it. Her
defense to date is that she can’t tell the difference between what is
classified and what is not classified.
Given such a defense one can conclude that she is either lying or she is
incompetent. Christopher Budd wrote a very good article about HRC’s email problems for GeekWire.com. The article is titled Why the Clinton email server story matters — and why it may be worse than you think. In his article he wrote that from an information security point of view, this can represent one of the most serious branches of data handling for three reasons – 1) The Secretary of State [whomever it is] is a high value target who handles the most sensitive information; 2) Nation-state actors are the most likely to gather the top talent need to collect information against such a high value target; and 3) the combination of reasons 1 and 2 will see the cream of the crop gunning for the target. Given these reasons, a DIY home email server is the worst possible way to protect sensitive information from a cyberattack or other such hack. He argues that using something as common as Gmail, Yahoo, or Outlook is still better than HRC’s “solution” because they at least have some expertise in dealing with an external threat. He also argues that unless HRC’s email server was being protected by the government using the same levels of protection that official servers are, we have no choice but to assume that this server has been compromised by foreign intelligence agents.
Budd questions if the State
Department had clear enough policies and procedures that were communicated effectively
enough to its employees about the propriety of using such DIY systems as HRC
had done. He says the answer to this
question is important in determining whether this data breach is a failure of
one individual or if there is a bigger problem that could repeat with another
Secretary of State.
In his conclusion, he states
that the subject of information compromise hasn’t been addressed properly [at
least not publicly]. The questions not
being asked include 1) How secure was the server? 2) Who was protecting it?; 3)
Is there evidence of compromise? He hopes that eventually this will receive an
appropriate investigation, but is resigned to these details getting “lost in
the shuffle” because of the focus on “more interesting, but less important
points.”