“My email server was on property guarded by the Secret Service, and there were no security breaches … The use of that server, which started with my husband, certainly proved to be effective and secure.”
Secretary Hillary Clinton, News Conference, March 10th, 2015
“There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”
FBI Director James Comey, 60 Minutes, October 5th, 2014
C-Suite executives can learn some critical lessons about cybersecurity from Secretary Hillary Clinton’s email server fiasco — and not just about the perils of operating a private email server in the basement of a suburban home in Chappaqua, New York.
Secretary Clinton’s bold use of her basement email server has cost her credibility and trustworthiness — perhaps even the presidential election. But rather than join the fray of political pundits spouting off about Secretary Clinton’s extreme carelessness or selfish ambition, there is a much more pragmatic and instructive exercise: To extract from Secretary Clinton’s email mess some key takeaways for the corporate C-Suite of what not to say and how not to handle issues of cybersecurity and data breaches.
Secretary Hillary Clinton’s Basement Email Server. During the course of his Benghazi investigation, New York Times reporter Michael Schmidt learned Secretary Hillary Clinton had used a personal email account while serving as secretary of state. It turned out she had also been using a private email server, located in the basement of her family home, some 260 miles to the north in Chappaqua, N.Y.
Later on, it was revealed that Secretary Clinton used her own exclusive email domain, “Clintonemail.com,” warehoused on her basement server, comingling personal emails with official government-related email communications, some of which contained classified and other sensitive State Department information.
The Ensuing Controversy. Since the existence of Secretary Clinton’s basement server became public, the matter has been a source of nonstop news. Private groups have filed lawsuits under the Freedom of Information Act. Congressional committees and inspector general’s offices in the State Department and the U.S. Intelligence Community initiated investigations, and, after determining that the basement server warehoused classified material, the matter was ultimately referred to the U.S. Federal Bureau of Investigation (FBI).
The classified information found on Secretary Clinton’s email server was quite alarming. For instance, at least 47 of Secretary Clinton’s emails from her basement server contain the notation “B3 CIA PERS/ORG,” which indicates the material referred to CIA personnel or matters related to the agency. Ultimately, the FBI determined that:
“110 e-mails in 52 e-mail chains have been determined by the owning [federal agency] to contain classified information at the time they were sent or received. Eight of those chains contained information that was Top Secret at the time they were sent; 36 chains contained Secret information at the time; and eight contained Confidential information, which is the lowest level of classification. Separate from those, about 2,000 additional e-mails were “up-classified” to make them Confidential; the information in those had not been classified at the time the e-mails were sent.”
On May 25, 2016 the State Department inspector general issued a harshly critical report concerning Secretary Clinton’s use of her private basement server for official government business.
However, on July 5, 2016, FBI Director James Comey issued an unusual and unprecedented public “Statement of Investigation” announcing the FBI’s intention to recommend that, with respect to Secretary Clinton’s use of her basement server for government communications (including classified information), the Justice Department should not pursue criminal charges against Secretary Clinton.
The next day, on July 6, 2016, Attorney General Loretta Lynch announced that the Justice Department would not pursue criminal charges against Secretary Clinton concerning her use of her basement server, removing the threat of an indictment.
The FBI’s Investigative Findings Concerning the Basement Server’s Potential Breach. Although recommending not to pursue criminal charges against Secretary Clinton, FBI Director Comey’s Statement of Investigation and subsequent testimony before Congress contained severe criticisms of Secretary Clinton’s use of her basement server for official communications. In particular, the FBI highlighted the risks created by Secretary Clinton’s insistence on keeping her communications on her private basement server and determined that foreign hackers possibly attacked it:
“We do assess that hostile actors gained access to the private commercial email accounts of people with whom Secretary Clinton was in regular contact from her personal account. We also assess that Secretary Clinton’s use of a personal email domain was both known by a large number of people and readily apparent . . . [Secretary Clinton] also used her personal email extensively while outside the United States, including sending and receiving work-related emails in the territory of sophisticated adversaries. Given that combination of factors, we assess it is possible that hostile actors gained access to Secretary Clinton’s personal email account.”
In other words, sophisticated attackers could have learned about the existence of Secretary Clinton’s private email account; could have then targeted the basement server; and could have then attacked — without leaving any fragments, artifacts, residue, remnants or logging evidence of their infiltration.
Even more scathing is that, at the time of any data breach, Secretary Clinton’s email server may have included all 60,000 of her emails – including both the 30,000 emails she had opted to disclose to the State Department as well as 30,000 other supposedly “irrelevant personal” emails reportedly destroyed when, according to the FBI, her attorneys “cleaned Secretary Clinton’s devices in such a way as to preclude complete forensic recovery.”
Ironically, foreign intelligence agencies and state sponsored terrorists apparently have more access than the State Department to whatever emails, data files and other information Secretary Clinton hid on her basement email server.
Secretary Clinton’s Response. While apparently somewhat regretful of her decision to use a private server in her home’s basement to conduct State Department business, Secretary Clinton and her supporters have remained steadfast in their conviction that there was never any sort of data breach of her basement server and that all data contained therein was secure.
Specifically, Secretary Clinton and her campaign have said that her server — there were actually several, in succession — was never hacked.
They note that although the State Department inspector general’s report found what looked like several attempts at “spear phishing” — fake emails intended to get a user to click on a link that would install malware on a computer — there is no evidence that those links were activated.
Secretary Clinton’s supporters also assert that no one has yet discovered any of her emails for sale or chosen to publish them, and that therefore there was never any breach. They further assert that the basement server had “some” cyber protection software (without any further detail), which would have thwarted any attack.
Overall, Secretary Clinton, and her campaign, have always maintained that the server was secure. President Obama even backed her up in an interview on CBS’s “60 Minutes.” “I don’t think it posed a national security problem,” the President said.
Servers Located Anywhere, Especially in the Basement of a New York Suburban Home, Are Not Secure. No expert would ever attest that Secretary Clinton’s basement email server was never breached. Every company can experience a data breach — and probably already has. That is why companies are beginning to shift cybersecurity practices away from prevention alone and toward detection and incident response. Traditional data breach protections do not detect quickly enough, or act nimbly enough, to counter today’s sophisticated and clandestine data breaches. Even the State Department’s own servers were compromised by a cyber-attack — Russian hackers have bedeviled the State Department’s email system during the past several years and continue to pose problems for technicians trying to eradicate the intrusion. No system is ever 100% safe.
When companies trying to prevent data breaches rely too much upon customary protections of intrusion detection and firewalls, they are just as misguided as parents trying to prevent their kids from catching colds by relying upon hand-washing and multiple clothing layers. The smarter method for combating data breaches (like colds) is to focus efforts and preparation on how to contain, treat, and cure the problem, as fast and as painlessly as possible.
Company executives should preach this realism, rather than the fantasy of ironclad security (regretfully espoused by Secretary Clinton). This is the new paradigm of cybersecurity: technological infrastructure has expanded dramatically; data resides on multiple platforms (including employee devices, vendor networks and the cloud); and a data breach does not define the victim company, but how the company responds to it does.
C-suite executives should steer clear of bold assertions of impenetrability like those made by Secretary Clinton, which can evidence a lack of understanding and sophistication of fundamental cybersecurity principles.
Secretary Clinton’s Basement Server Was Not Secure. Secretary Clinton’s basement server was not protected by a bona fide cybersecurity team; did not employ a full-time or part-time chief information security officer (CISO); and had no incident response team at its disposal.
Apparently, the bulk of the security of the basement email server rested in the hands of Bryan Pagliano, the young campaign IT staffer who set it up and then accepted a political appointment with the State Department — a rare, perhaps even unprecedented, hiring for which internal emails reveal he was underqualified.
In fact, Mr. Pagliano’s resume clearly shows that he had neither experience nor certification in protecting email systems against cybersecurity threats — and he has since taken the Fifth Amendment and refused to answer any questions about the email server. As established by the FBI, Secretary Clinton’s server was essentially defenseless. FBI Director James Comey stated:
“None of these emails should have been on any kind of unclassified system, but their presence is especially concerning because all of these emails were housed on unclassified personal servers not even supported by full-time security staff, like those found at agencies and departments of the United States government — or even with a commercial email service like Gmail.”
Secretary Clinton’s server also reportedly had several obvious vulnerabilities. First, according to the Associated Press, her basement server allowed users to connect openly over the Internet to control it remotely, but lacked the requisite additional protective measures for such a configuration.
Remote-access software lets a user control a computer from somewhere else, and an Internet-facing remote-control service is a frequent point of entry for attackers: it is found by routine port scanning, its logon prompt can be brute-forced from anywhere, and any weakness in the protocol is exposed to the whole Internet. Secretary Clinton’s basement server appeared to accept remote-control connections directly from the Internet rather than only through a virtual private network (VPN), whose encrypted tunnel and separate authentication step would have kept the remote-control service off the public Internet entirely.
Further, records show that Secretary Clinton also operated at least two more devices on her home network in Chappaqua, New York, that were directly accessible from the Internet. One reportedly ran similar remote-control software based on virtual network computing (VNC), whose classic protocol carries the session and its password challenge-response without transport encryption, while the other appeared to be configured to run websites, which added its own attack surface.
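The practical check behind this section is whether any remote-control service on a host is reachable straight from the Internet instead of only through a VPN. The script below is an added example, not code from the article or from anyone involved in the server; it reads listener lines in the format of the Linux `ss -tlnp` command (the sample lines are constructed), treats loopback and an assumed VPN subnet of 10.8.0.0/24 as “inside”, and optionally accounts for a host firewall that only admits a given set of ports from outside.

```python
"""Added example (not from the article): audit which remote-administration
services on a host are reachable from the Internet, using the output format of
the Linux `ss -tlnp` command. The sample lines below are constructed, and the
"inside" networks (loopback plus an assumed VPN subnet 10.8.0.0/24) are
assumptions for the demonstration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Well-known remote-control listeners. Any of these facing the Internet
# directly, rather than sitting behind a VPN, is an obvious target.
REMOTE_ADMIN_PORTS = {
    22: "SSH",
    23: "Telnet",
    3389: "RDP (Remote Desktop)",
    5800: "VNC over HTTP",
    5900: "VNC",
    5901: "VNC",
    5902: "VNC",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
}
# Protocols that carry the session (and, for classic VNC, the password
# challenge-response) without transport encryption.
CLEARTEXT_PORTS = {23, 5800, 5900, 5901, 5902, 5985}

# Assumption: addresses in this range are only reachable through the VPN.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
ANY_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+?):(\d+)\s+")


@dataclass
class Finding:
    port: int
    service: str
    bind: str
    exposure: str      # "internet", "internal" or "loopback"
    cleartext: bool


def classify_bind(addr: str, port: int, internet_allowed: Optional[set]) -> str:
    """Decide who can reach a listener from its bind address and the host firewall.

    internet_allowed is the set of ports the firewall lets in from the Internet;
    None means there is no firewall, so every wildcard bind is Internet-facing.
    """
    if addr in ANY_ADDRS:
        if internet_allowed is None or port in internet_allowed:
            return "internet"
        return "internal"
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_loopback:
        return "loopback"
    if ip in VPN_NET:
        return "internal"
    return "internet"


def audit(ss_output: str, internet_allowed: Optional[set] = None) -> list:
    """Parse `ss -tlnp` style lines and return one Finding per remote-admin listener."""
    findings = []
    for line in ss_output.splitlines():
        match = LISTEN_RE.match(line.strip())
        if not match:
            continue
        addr, port = match.group(1), int(match.group(2))
        if port not in REMOTE_ADMIN_PORTS:
            continue
        findings.append(Finding(port, REMOTE_ADMIN_PORTS[port], addr,
                                classify_bind(addr, port, internet_allowed),
                                port in CLEARTEXT_PORTS))
    return findings


def internet_exposed(findings: list) -> list:
    """The listeners that accept connections straight from the Internet."""
    return [f for f in findings if f.exposure == "internet"]


# Constructed sample in the layout `ss -tlnp` prints (not real data).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:3389         0.0.0.0:*          users:(("xrdp",pid=812,fd=11))
LISTEN  0       5       0.0.0.0:5900         0.0.0.0:*          users:(("Xvnc",pid=901,fd=7))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=640,fd=3))
LISTEN  0       128     127.0.0.1:5901       0.0.0.0:*          users:(("Xvnc",pid=902,fd=7))
LISTEN  0       128     10.8.0.1:5985        0.0.0.0:*          users:(("wsmand",pid=1200,fd=9))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=700,fd=6))
"""

if __name__ == "__main__":
    # No host firewall: everything bound to a wildcard address is on the Internet.
    for f in internet_exposed(audit(SAMPLE_SS)):
        flag = " (cleartext protocol)" if f.cleartext else ""
        print(f"EXPOSED {f.service} on {f.bind}:{f.port}{flag}")
    # Same host behind a firewall that only passes SSH and HTTP from outside.
    for f in audit(SAMPLE_SS, internet_allowed={22, 80}):
        print(f"{f.exposure:8} {f.service} on {f.bind}:{f.port}")
```

Run against the sample with no firewall, RDP, VNC and SSH all come out Internet-facing and VNC is flagged as a cleartext protocol; with a firewall that only admits ports 22 and 80, RDP and VNC drop to internal and only SSH remains exposed. The same listener on the VPN address 10.8.0.1 is classified as internal, which is the configuration the VPN recommendation above describes.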
Avoid Indefensible Declarations. Secretary Clinton’s supporters assert in her defense that no one has yet discovered any of her emails for sale or chosen to publish them, and that therefore there was never any breach. But Secretary Clinton’s devices, especially her email server, were obvious targets for cyber-attacks. Infiltrating a home-brew email server is not at all far-fetched, especially given the break-ins at RSA, Sony and the U.S. government itself, and the fact that Secretary Clinton’s emails were not posted on BitTorrent or elsewhere on the so-called Dark Web is not evidence that there was no cyber-attack. An intelligence service that had read them would have every reason to keep quiet about it.
Secretary Clinton’s campaign has also insisted that the server did have some cyber protection software, though it has never provided any details. While software protections are important, they are not a panacea or silver bullet that can stop cyber-attacks. Nothing can stop all cyber-attacks, not even security software that is updated constantly to reflect threats that change every day. There are myriad ways (zero-day exploits, social-engineering schemes and many other techniques) for a determined, state-sponsored attacker to get in.
When discussing cyber-attacks, C-Suite executives should avoid the temptation to issue bold declarations and defenses – the risks of losing all credibility far outweigh any benefit. Stating any sort of cybersecurity absolute can be easily discounted and disproved not just by seasoned cybersecurity experts but even by high school computer science students.
Email is Not Secure. Secretary Clinton cannot possibly know whether her email was secure. The protocols that carry most Internet email were designed without sender authentication or mandatory encryption: SMTP accepts whatever From: address a sender chooses, transport encryption (STARTTLS) is opportunistic and can be stripped by an attacker on the path, and messages sit unencrypted on every server that handles them. Emails can therefore be spoofed, read in transit and intercepted. No cybersecurity expert will ever claim that unencrypted email is secure; it remains one of the least secure communication services in everyday use.
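To make the spoofing point concrete, the following is an added example (not the article’s code, and not a description of any system Secretary Clinton used) of the DMARC evaluation a receiving mail system performs to decide whether the visible From: domain of a message is actually backed by SPF or DKIM. Everything in it is constructed: the domains example.org and example.net, the DMARC record, and the SPF and DKIM results that a real receiver would obtain from DNS and from verifying the message. Organizational domains are approximated as the last two labels rather than looked up in the public suffix list, and the pct= and sp= tags are ignored.

```python
"""Added example (not from the article): a minimal DMARC evaluation, the check a
receiving mail system uses to decide whether a message's visible From: domain is
backed by SPF or DKIM. Everything here is constructed for illustration: the
domains, the DMARC record and the SPF/DKIM results that a real receiver would
obtain from DNS and from verifying the message. Organizational domains are
approximated as the last two labels (no public suffix list), and the pct= and
sp= tags are ignored.
"""
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Approximate the organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags


def aligned(auth_domain: str, from_domain_name: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain_name.lower()
    return org_domain(auth_domain) == org_domain(from_domain_name)


def from_domain(raw_message: str) -> str:
    """Domain of the header From: address, the identifier DMARC protects."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower()


def evaluate_dmarc(record, from_dom, spf_result, spf_domain, dkim_results):
    """Return the DMARC verdict and the disposition the record asks for.

    spf_result:   'pass'/'fail'/'none' for the envelope sender (RFC5321.MailFrom)
    spf_domain:   that envelope sender's domain
    dkim_results: list of (result, d= domain) for each DKIM signature checked
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_dom, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_dom, tags.get("adkim", "r"))
                  for res, d in dkim_results)
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # A passing message is delivered; a failing one gets the p= policy.
        "disposition": "none" if passed else tags.get("p", "none"),
    }


# Constructed messages: the first is a spoof, the second is genuine.
SPOOFED = """From: "Press Office" <press@example.org>
To: staff@example.org
Subject: Urgent: updated travel schedule

Please open the attached schedule.
"""
GENUINE = """From: press@example.org
To: staff@example.org
Subject: Travel schedule

See the calendar link.
"""
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"

if __name__ == "__main__":
    # The spoof was relayed by attacker infrastructure: SPF passes for the
    # attacker's own envelope domain, which does not align with example.org.
    print(evaluate_dmarc(RECORD, from_domain(SPOOFED), "pass", "example.net",
                         [("pass", "example.net")]))
    # The genuine message came from example.org's bounce subdomain.
    print(evaluate_dmarc(RECORD, from_domain(GENUINE), "pass", "bounce.example.org", []))
```

The spoofed message passes SPF and DKIM for the attacker’s own domain, which is exactly why those checks alone are not enough: DMARC fails it because neither identifier aligns with the From: domain, and the p=reject policy says to discard it. The genuine message passes on relaxed SPF alignment of its bounce subdomain. Without a published DMARC record, a receiver has no instruction at all about what to do with the forged From: line.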
In fact, although not independently verified, a Romanian hacker, Marcel Lehel Lazar, known as “Guccifer,” claimed in an interview with Fox News (from a detention facility, before he pleaded guilty to charges of identity theft and unauthorized access to protected computers) that he easily – and repeatedly – breached Secretary Clinton’s personal email server in early 2013.
The 44-year-old Lazar said he first compromised the AOL account of Clinton confidant Sidney Blumenthal in March 2013, and used that as a stepping stone to obtain access to Secretary Clinton’s server.
In describing the process, Lazar said he did extensive research on the web and then guessed Blumenthal’s security question. Once inside Blumenthal’s account, Lazar said, he saw dozens of messages from the Clinton email address, which gave him a road map to the Clinton server. Once he had a foothold in the Blumenthal account, he could glean intelligence from that system and then move on to other systems, like Secretary Clinton’s.
Secretary Clinton denies that Lazar successfully infiltrated her basement server, her campaign said in early May: “There is absolutely no basis to believe the claims made by this criminal from his prison cell. … We have received no indication from any government agency to support these claims, nor are they reflected in the range of charges that Guccifer already faces and that prompted his extradition in the first place.”
Testifying before the U.S. House of Representatives Oversight Committee, FBI Director Comey noted that Lazar, who had also boasted of (and released material from) break-ins to the accounts of other public figures, was indeed interviewed by the FBI while authorities conducted their investigation into Secretary Clinton’s basement server. Contrary to the claims made to the media, however, Director Comey revealed that Lazar had not accessed Mrs. Clinton’s server and had admitted to the FBI that he was lying.
However, whether his boast was true or not, Guccifer was right about one thing: Secretary Clinton, merely by emailing Blumenthal, increased the risk and likelihood of a cyber-attack upon her basement server, because every correspondent’s mailbox is another copy of her messages and another place an attacker can learn her address.
Use the Right Nomenclature. In the film Ironman 3, Tony Stark (no relation) asks Colonel James Rhodes to reveal his password, so Tony can infiltrate a government computer system. Colonel Rhodes resists, stating “Well, look, I gotta change it every time you hack in, Tony.” Tony Stark replies:
“It’s not the eighties, nobody says ‘hack’ anymore. Give me your login.”
Even the unsophisticated nomenclature Secretary Clinton uses, such as discussing her server’s purported safety from “hackers,” can further aggravate harm to her credibility.
The complexity, sophistication and variety of a new wave of cyber-attacks continue to swell, and proper nomenclature matters. So-called “hacking” is fading from the cyber lexicon along with the simplistic and naïve image of mischievous teenagers wreaking havoc from computer terminals in a university library.
What has replaced these now-antiquated notions is a litany of cyber-attack root causes with dramatically expanding attack vectors, including: denial of service assaults; malware intrusions; advanced persistent threat (“APT”) campaigns; rogue employee and “bad leaver” episodes; social media exploits; mobile device attacks; ransomware demands; cloud computing infiltrations; and human error events.
While Secretary Clinton, like many leaders of her generation, almost gleefully admits to a lack of sophistication regarding technology, she should not have embraced her inadequacies. Using incorrect technical jargon, which can happen to lay persons as well as MIT graduates, is never fitting for C-Suite executives, especially in the area of cybersecurity, where the slightest misstatement can trigger lawsuits, class actions, regulatory investigations and even criminal penalties.
Be Precise. Secretary Clinton claims that with respect to her server, there were “no security breaches.” But what exactly does she mean by that assertion – it is plainly vague. With respect to cybersecurity incidents involving data contained on a server, computer, laptop, tablet or other device, the characterization of any cyber-related event demands precision and accuracy. For instance, whether data is targeted; accessed; or exfiltrated are critical distinctions — and each characterization has different consequences and requires a particular evidentiary foundation of digital forensics, malware-reverse-engineering and old-fashioned gumshoe detective work.
Ultimately, when C-Suite executives communicate with their constituencies (shareholders, partners, customers, regulators, insurance carriers; employees and other interested parties), in addition to transparency and objectivity, words and characterizations must be crafted and chosen prudently.
Secretary Clinton opted to use broad conclusions and sweeping characterizations, which given their imprecision, if stated in a corporate context, could trigger class actions, regulatory and/or criminal investigations and shareholder wrath. Secretary Clinton fell into a trap that has caught many other corporate titans and leaders, because characterizing data breaches and cyber-attacks is a tremendous challenge and should be left to experts. The best practice is to avoid the temptation to utter wide-ranging declarations and instead, stick to facts based upon evidence and expert opinion.
Moreover, avoid situations that require proving a negative (as Secretary Clinton did by asserting “there have been no data breaches”). From a strictly logical perspective, it is always challenging (and sometimes impossible) to prove a negative. Instead, statements concerning any cyber-related investigation should begin with a clear description of the investigative steps taken and end with the findings. For instance, state something along the lines of: “We have examined the email server thoroughly (including its deleted but recoverable files, unallocated and slack space, and the boot sector) and we have found no evidence of the remnants, artifacts or fragments of any cyber-attack.” A statement of that form is only as strong as the scope it describes, so it should also say what could not be examined, such as logs that were never retained or devices that were wiped before the review.
Encourage Neutrality, Objectivity and Impartiality. When it comes to a possible security breach on her basement server, Secretary Clinton opted to investigate the situation herself. This is never prudent. Having the same internal team that is responsible for a possible data security failure or even a technological glitch also investigating the cybersecurity of a server is an inherent (and obvious) conflict of interest.
Strong leaders seek answers from independent and neutral sources of information. Otherwise, risks are not properly exposed and examined, and they become exacerbated rather than assuaged. Remarkably, so many leaders fail to grasp this critical necessity for independence.
To handle a cyber-related crisis, corporate leaders should:
- Engage a former prosecutor from an independent and neutral law firm (never engaged before) together with a digital forensics firm to conduct an investigation and report its findings to the board;
- Report the investigation’s progress to shareholders, regulators, law enforcement and other constituencies every step of the way; and
- Disclose the details of the incident to those persons compromised.
Instead of trying to characterize the mishap, strong leaders always begin with these three steps.
By navigating problems with integrity and transparency, corporate leaders can shift the tides in their favor, seizing the opportunity to reinforce strong business ethics; fierce customer dedication; and steadfast corporate governance.
Perhaps, given the nature of politics and elections, Secretary Clinton could not inject objectivity and neutrality, because the result would inevitably spin beyond her control. But C-Suite executives and boards of directors are not politicians and do not have the luxury of conducting self-serving investigations; they have fiduciary obligations to shareholders and others to seek the truth, and they should do so with independence and candor. Otherwise, no one will take them seriously and their findings will lack credibility and integrity.
Physical Security Is Inextricably Linked to Cybersecurity. Although perhaps naïve, Secretary Clinton’s assurance that the U.S. Secret Service agents keeping her family safe were also keeping her data and emails safe was not completely irrelevant.
Contrary to many popular notions of hacking, cyber-attacks can sometimes begin with a physical breach. For instance, a cyber-attack can start when an outsider surreptitiously gathers fodder for a social engineering scheme (such as a spear-phishing campaign) or when an insider (such as a bad leaver) gains access to a company’s network and wreaks havoc, without initially using malware or other clandestine technological means.
Concerns about physical security should already be incorporated into a company’s cybersecurity approach. Many of the IT security management standards or frameworks such as ISO/IEC 27001:2013, the Information Security Forum Standard of Good Practice for Information Security and NIST’s Cybersecurity Framework all cover the need to manage physical access and apply relevant controls to protect IT assets.
The connection between physical security and cybersecurity became particularly apparent in a 2014 cyber-attack that used a piece of malware called Tyupkin to withdraw funds illegally from eighteen ATMs in Malaysia. According to published reports and Interpol, the attackers worked in two stages. First, they gained physical access to the ATMs and inserted a bootable CD, which installed the Tyupkin malware. Next, after rebooting the machine, the attackers controlled the infected ATM through the malware, which ran in an infinite loop waiting for a command entered at the keypad.
The malware-in-the-ATM attack is a good reminder that a company should weigh the importance of physical security. To insert the disc and infect the machine, the attackers literally opened the ATM’s top panel. Once the disc was ejected, they closed the panel, and their accomplices withdrew money by typing codes that were generated for each session and relayed to them by mobile phone. The initial compromise required no network intrusion at all, only access to the cabinet.
Cybersecurity efforts should always include a review of the physical security of facilities, including management’s plans for reception and entry checkpoints; ID scanner and other access records; video or still footage; physical logs; and even elevator and garage records. Those records are most useful when they are kept in a form that can be compared against network authentication records, since a badge swipe and a login are two accounts of where a person was at a given moment, and a contradiction between them is worth investigating.
Of course, the physical security of a server is just one step in securing its contents, and the risks that arrive over the network and through its software are usually the larger ones. But physical security concerns are important and should never be taken lightly.
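One way to put the physical records to work is to correlate them with login records, as in the added example below (not the article’s code, and not a description of any real company’s systems). Both logs are constructed: the badge log is CSV in the form timestamp,user,event,site and the authentication log is timestamp,user,kind,source,result; that layout is an assumption about what an access-control system and an authentication server export. The two rules it applies are the ones a practitioner reaches for first: a VPN login by someone the badge system believes is inside the building, and an on-site console login by someone who never badged in.

```python
"""Added example (not from the article): correlate physical badge records with
network authentication records so that one side can vouch for the other. The two
logs below are constructed (CSV, timestamp,user,event,site and
timestamp,user,kind,source,result); the field layout is an assumption about
what an access-control system and an authentication server export.
"""
from collections import defaultdict
from datetime import datetime

BADGE_LOG = """\
2016-07-05T08:58:13,alice,IN,HQ
2016-07-05T09:12:04,bob,IN,HQ
2016-07-05T12:30:00,bob,OUT,HQ
2016-07-05T17:40:51,alice,OUT,HQ
"""

AUTH_LOG = """\
2016-07-05T09:05:22,alice,console,10.1.4.22,success
2016-07-05T10:17:09,alice,vpn,198.51.100.23,success
2016-07-05T13:02:45,bob,vpn,203.0.113.9,success
2016-07-05T14:10:30,carol,console,10.1.4.40,success
2016-07-05T14:11:00,carol,console,10.1.4.40,failure
"""


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


def badge_intervals(badge_log: str) -> dict:
    """Build {user: [(entered, left_or_None), ...]} from IN/OUT swipes."""
    # ISO timestamps sort lexicographically, so sorting the rows orders them in time.
    rows = sorted(line.split(",") for line in badge_log.splitlines() if line.strip())
    intervals = defaultdict(list)
    inside = {}
    for ts, user, event, _site in rows:
        t = parse_ts(ts)
        if event == "IN":
            inside[user] = t
        elif event == "OUT" and user in inside:
            intervals[user].append((inside.pop(user), t))
    for user, t in inside.items():          # badged in and never badged out
        intervals[user].append((t, None))
    return intervals


def on_site(intervals: dict, user: str, t: datetime) -> bool:
    """True if the badge system believes the user was in the building at t."""
    return any(start <= t and (end is None or t <= end)
               for start, end in intervals.get(user, []))


def correlate(badge_log: str, auth_log: str) -> list:
    """Flag successful logins that contradict the badge records.

    A VPN login means the user is remote; if the badge system has them inside,
    one of the two identities is not the real person. A console login on an
    on-site workstation with no badge entry suggests tailgating or a stolen
    credential used from inside the building.
    """
    intervals = badge_intervals(badge_log)
    alerts = []
    for line in auth_log.splitlines():
        if not line.strip():
            continue
        ts, user, kind, source, result = line.split(",")
        if result != "success":
            continue
        present = on_site(intervals, user, parse_ts(ts))
        if kind == "vpn" and present:
            alerts.append((user, ts, source, "VPN login while badged into the building"))
        elif kind == "console" and not present:
            alerts.append((user, ts, source, "on-site console login with no badge entry"))
    return alerts


if __name__ == "__main__":
    for user, ts, source, reason in correlate(BADGE_LOG, AUTH_LOG):
        print(f"{ts} {user:6} from {source:15} {reason}")
```

On the sample data, alice’s VPN login at 10:17 is flagged because her badge shows her inside from 08:58 to 17:40, and carol’s console login is flagged because she never badged in; bob’s VPN login after he badged out at 12:30 is consistent and raises nothing. In a real deployment the badge and authentication clocks must be synchronized, and a user who follows a colleague through a door without swiping will look exactly like carol, which is itself a finding about the door rather than about carol.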
Final Thoughts. With respect to the possibility of a data breach of her basement email server, Secretary Clinton made some fundamental mistakes when exercising damage control:
- She made indefensible, broad and sweeping cybersecurity-related declarations that would inevitably be easily proven wrong;
- There was no independence, credibility or objectivity to support her assurances and conclusions; and
- Her characterizations and lack of precision prompted even greater confusion, concern and outrage.
In short, Secretary Clinton’s statements not only exacerbated her already troublesome situation, but her misguided posture provided critics with additional fodder for further pummeling — and even prompted a lengthy and exhaustive federal criminal investigation.
Perhaps Secretary Clinton asserted, for example, that “there were no security breaches” because taking such a definitive position was the only choice that would allow her to survive politically. After all, admitting to the possibility of a data breach of her server would be an admission of knowingly compromising U.S. national security – not a desirable label for someone running for president. C-Suite executives, however, should not follow her lead, and should instead consider the important lessons learned from her ordeal.
Data security incidents, technological “glitches” and the like can happen anytime and remain an unfortunate fact of life for every company. What’s most important is often the response to an incident rather than the incident itself. When managing a data breach and leading a response, the best C-Suite executives:
- Express themselves with candor and transparency;
- Ensure that there is independence, objectivity and neutrality in their investigative process;
- Steer clear of bold and indefensible representations; and
- Speak with facts, certainties and a bona-fide notion of humility.
Otherwise, CEOs, CFOs, CIOs, CISOs and the rest run the risk of sounding too much like politicians, and not enough like smart, engaged, responsible and conscientious corporate executives.
*John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He has also served for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime. He also served for five years as managing director of a global data breach response firm, including three heading its Washington, D.C. office. Mr. Stark is also the author of, “The Cybersecurity Due Diligence Handbook,” available as an eBook on Amazon, iBooks and other eBook distribution sites.