Monday, September 14, 2015

Hillary Clinton's Emails Considered Some More


"When it comes to classified information, the standards are not at all black and white..." Brian Fallon, Clinton campaign press secretary, uttered these words last month while trying to explain how classified information ended up on Hillary Clinton’s unclassified, unsecure email server.  Actually Mr. Fallon, the rules are very straightforward.  When in doubt, consult a security classification guide. It is situations like this for which they were written in the first place. And if the SCG doesn't address a specific issue, the rule is "when in doubt, protect the information." 

What kind of information gets classified?  President Obama signed an executive order that makes uniform rules throughout the government for classifying and protecting information.  According to Executive Order 13526, Classified National Security Information, if information falls into one of eight categories, it is considered to be classified.  Below I have listed those categories, taken verbatim from EO 13526:

Sec. 1.4.  Classification Categories. Information shall not be considered for classification unless its unauthorized disclosure could reasonably be expected to cause identifiable ordescribable damage to the national security in accordance with section 1.2 of this order, and it pertains to one or more of the following:

(a) Military plans, weapons systems, or operations;

(b) Foreign government information;

(c) Intelligence activities (including covert action), intelligence sources or methods, or cryptology;

(d) Foreign relations or foreign activities of the United States, including confidential sources;

(e) Scientific, technological, or economic matters relating to the national security;

(f) United States Government programs for safeguarding nuclear materials or facilities;

(g) Vulnerabilities or capabilities of systems, installations, infrastructures,
projects, plans, or protection services relating to the national security; or

(h) The development, production, or use of weapons of mass destruction.

Hillary Clinton’s campaign team has repeatedly tried to dodge responsibility for her distribution of classified information by claiming the information was not marked at the time.  Information found in her email archive contains classified information – all of it unmarked.  Intelligence professionals have combed through [and are continuing to comb through] tens of thousands of pages of email HRC sent/received from 2009-13.  So far, they found lots of classified stuff.  It’s unmarked, but that is irrelevant.  The nature of the material found is such that it was “born classified.”

What sort of information did they find?  They found correspondence between HRC and foreign leaders that fits under the “foreign government information” [EO 13526, Sec 1.4 (b) and Sec 1.4(d)].  They found information about North Korea’s nuclear weapons program [EO 13526, Sec 1.4(h)].  They also found information derived from Sensitive Compartmented Information that if compromised could give away intelligence collection sources and methods [EO 13526, Sec 1.4 (c)].  Additionally, in one email sent to George Mitchell [who was a special envoy for peace in the Middle East], HRC asked him to respond to her private email address, which she knew [emphasis mine] was unclassified.  The information passed between the two was unmarked when it was sent, but subsequently marked as classified.  The date of the classification was the date the emails were sent, not on the day they were marked as classified.  Such “foreign government information” and information dealing with “foreign relations or foreign activities of the United States, including confidential sources” is considered as being classified the minute it is created. “It’s born classified,” said J. William Leonard, a former director of the U.S. government’s Information Security Oversight Office (ISOO).

A lot of HRC’s email is being redacted, with the classification dates being the day the information was created.  She also shared classified information with Sid Blumenthal, who did not [and probably still does not] hold a security clearance.  Hillary Clinton signed non-disclosure agreements when she became Secretary of State.  She also received training on the handling of classified information.  Those are conditions for having access to this sort of information in the first place.  For her to say that she didn’t knowingly send classified information to others is simply false.   As Secretary of State, HRC had original classification authority. She was trusted to judge when information should be marked classified. She should have known that kind of information needed to be protected. By using the excuse that she didn’t know what is or is not classified she admits she lacks the judgment needed to protect the nation’s secrets.  While she had original classification authority, that authority extended only to classified information held within the State Department.  She did not have the authority to downgrade or declassify any information provided by DoD.

Under federal law, information is classified by nature, not by marking. As a result, federal classification authorities deemed that the information was classified the very second it originated.  She was not merely a helpless, passive recipient of classified national security information; she was the originator. And not only did she intentionally originate the classified information, she intentionally disseminated it via an unsecured, unsanctioned private e-mail server.  In my job, whenever I want to send a classified email on SIPRNET, there is another safeguard in place to ensure information is afforded the appropriate protection.  Before I click the “Send” button, Microsoft Outlook asks me for a classification for the email.  Outlook won’t send it until I do that.  The State Department has a system called SMART that does something similar to what I just described.  Mrs. Clinton had this capability available to her, yet she chose to forgo it.  Her defense to date is that she can’t tell the difference between what is classified and what is not classified.  Given such a defense one can conclude that she is either lying or she is incompetent. 

Christopher Budd wrote a very good article about HRC’s email problems for GeekWire.com.  The article is titled Why the Clinton email server story matters — and why it may be worse than you think.  In his article he wrote that from an information security point of view, this can represent one of the most serious branches of data handling for three reasons – 1) The Secretary of State [whomever it is] is a high value target who handles the most sensitive information; 2) Nation-state actors are the most likely to gather the top talent need to collect information against such a high value target; and 3) the combination of reasons 1 and 2 will see the cream of the crop gunning for the target.  Given these reasons, a DIY home email server is the worst possible way to protect sensitive information from a cyberattack or other such hack.   He argues that using something as common as Gmail, Yahoo, or Outlook is still better than HRC’s “solution” because they at least have some expertise in dealing with an external threat.  He also argues that unless HRC’s email server was being protected by the government using the same levels of protection that official servers are, we have no choice but to assume that this server has been compromised by foreign intelligence agents. 


Budd questions if the State Department had clear enough policies and procedures that were communicated effectively enough to its employees about the propriety of using such DIY systems as HRC had done.  He says the answer to this question is important in determining whether this data breach is a failure of one individual or if there is a bigger problem that could repeat with another Secretary of State.

In his conclusion, he states that the subject of information compromise hasn’t been addressed properly [at least not publicly].  The questions not being asked include 1) How secure was the server? 2) Who was protecting it?; 3) Is there evidence of compromise? He hopes that eventually this will receive an appropriate investigation, but is resigned to these details getting “lost in the shuffle” because of the focus on “more interesting, but less important points.”

I will conclude by quoting Judge Emmet G. Sullivan, Federal District Court for the District of Columbia.  He is the one who has ordered the State Department to release HRC’s email archive.  His pithy comment about the entire matter sums it up quite nicely - “We wouldn’t be here today if the employee had followed government policy.