Understanding The Clinton Security Breach
by Paul Henninger
As details have emerged around Hillary Clinton’s use of a personal email server for government business, pundits on both sides have latched on to specific disclosures to either excoriate or defend HC and Co.; everyone is in essence trying to figure out if there really is anything to see here or if this is just a politically motivated witch hunt. It’s interesting for a second to take the politics out of it and examine whether were this someone else entirely this would constitute a serious security breach. And to jump punch line: it’s a really freakin’ serious security breach that realistically created some serious risks that never should have existed.
In order to understand or evaluate the breach it’s we should look at 4 things. Was it a breach? How serious was the breach? What motivated the breach? And what’s the fallout from the breach?
Was it a breach? Absolutely. Hillary Clinton and her team used a private email server that they setup without permission from their employer and used it to conduct business. It also matters that her employer deals in highly sensitive and often classified material and that apparently that material actually leaked out “into the clear”. This latter point is important. The reason security professionals worry about breaches is that some networks are more secure than others. That is to say that a motivated third party is going to have an easier time gaining access to the devices and data on less secure networks so it’s important to worry about setting up secure networks and making sure the users of those networks don’t subvert that security by going around them. In this case, while it’s debatable how good the US government was at the time at creating secure networks, the State Department network was a presumably highly secure network and the Hillary Clinton private cloud, by all appearances, was not a very secure network at all. The use of that private cloud was definitely a breach in two important ways: one, sensitive data was moved against regulation (or law, as the case may be) off the secure network onto an insecure network. That’s a breach! And two, it’s very likely that the same devices were used to access both networks. That means that devices that were supposed to be secure because they were using a secure communications network were compromised by the use of a homebrew, insecure communications network. It’s as important that Hillary or one of her staff could have downloaded malware sent to that less secure email account by accident as it is that they knowingly sent data outside of the secure network. That’s a breach!
Why is that a breach? Let’s look at the other things that are security breaches, that companys that take this stuff seriously worry about, and put the Clinton Private Cloud breach into context. Secure companies worry if you put data on a USB key. People use USB keys because they are convenient and secure networks often make it hard to move data around (so that bad guys have a hard time stealing that data). Security people freak out when you use an insecure data transfer technology precisely because you are putting your own convenience (I want to move data easily) ahead of the security of your company. This is a breach! It’s also a breach to save company documents onto a personal computer. To use personal email to move or view or forward company data is a breach!
Let’s examine the why of using personal email. Using personal email to move company documents is a special category of breach. Although it’s not a very smart way to do this, it’s considered a highly sensitive breach because people use personal email to do things they shouldn’t be doing. They use it to steal lists of customers. They use it to steal IP. They use it to communicate with the press when they’re not supposed to be communicating with the press. I’ve even seen people work for a competitor via private email while they were still employed by my company. These are all very bad things to do! So when people use personal email to move company data, security professionals and managers that know what they are doing tend to look at this with a great deal of suspicion. In this case, Hillary Clinton and her team claimed to be using the private cloud because it was more convenient. It actually seems logical to conclude that they were using it to avoid the surveillance in place on the government email systems. And this is what makes it not only a breach but a very bad breach! Yes, secure email systems are less convenient and can make certain things a pain. But they are the way they are for a reason! Surveillance of email is there to protect the stakeholders in a governing entity. In this case the stakeholders are the citizens of the United States! We are supposed to be able to ask for information about what our elected or appointed officials are doing in some cases. Those officials are not supposed to avoid that possibility and put themselves, their data, their devices and the entity they work for at risk to avoid scrutiny! That’s a breach!
How bad a breach is an interesting question but past a certain point it kind of doesn’t matter. If you leave your laptop at an airline lounge by accident that’s a breach and embarrassing but it’s a minor breach. The laptop should be secured and encrypted and you didn’t do something on purpose so the likely damage is minimal and maybe you recovered the laptop so probably nothing bad happened. So it’s a breach, but a minor breach. Maybe ease up on the free booze. It’s a good idea for a variety of reasons… Anyway, using a private email system for official communications that are supposed to be secure? That’s not a minor breach. There doesn’t appear to have been a compromise of that system by a foreign agent or hacker but who knows? I’d be more surprised that that system wasn’t compromised. It was used by a high profile government employee who is almost certainly the target of foreign surveillance. It would be really easy to see that she is using an insecure network for secure communications. And it would be REALLY easy to compromise that network. So I don’t think it’s safe to assume that we got lucky. It very well could have been compromised. And that compromise can occur in two directions! Someone bad could have read those emails and collected that data AND someone bad could have used that network to get malware onto a secure network or device. Did that happen? I don’t know! But security managers only separately care if it did happen. If very likely could have happened so it’s considered a very serious breach.
So it was a breach. And it was a serious breach. Now what about the motivation. Like I said, if you accidentally left your laptop in the airline lounge or were stupid and connected to work email via an insecure wifi network because you absolutely had to get that email from the client, that was stupid but you didn’t do it on purpose. The Hillary Clinton email breach is much worse because it was on purpose. We don’t know exactly why they set it up but they definitely appear to have used it because they found the level of security and scrutiny on the official network to be inconvenient. And they used it over and over, many times, not just once when they were in a fix. So in terms of motivation, the breach was on purpose, was done knowingly to subvert the security of the network, and was done by multiple people working together over a long period of time. This is very, very bad. This is definitely the kind of thing security managers get you fired for if they can. People make mistakes and that’s a real problem but this wasn’t a mistake. This was a plan that a group of people executed to undermine the security of an important network. This plan was at best motivated by convenience. That’s a really big problem and someone should get in serious trouble for it.
Which brings us to the final question. What’s the fallout from the breach? Well, we don’t know exactly what information was in the clear and we don’t know if it was compromised by the bad guys, but someone is operating as though it were. You have to assume that that information was actually compromised if it’s really sensitive. So that’s part of the fallout. A bunch of people are now running around reworking the operations of a secure organization doing relatively important business because someone didn’t care enough about the security and real implications of their actions. At best that’s a cost that Hillary Clinton and co. should have to answer for and at worst they’ve made it harder for the State Department to do business which is pretty bad. The current State Department appears to need all the help they can get… But the point is, even if we don’t know if that data ended up in the wrong hands, you have to assume it did. Because it’s very possible that it did! When someone exposes thousands of customer records in the clear, you have to assume something bad happened to those customers because it probably did!
So what about the fallout for the people responsible for the breach? Well, now we really do enter the realm of politics because unfortunately whether and how someone is held accountable for this kind of thing has to do with who they are as much as what they did. Hillary Clinton is and was powerful enough that she probably skates by on most things like this. But the reality is that this was a pretty bad one. A normal person definitely gets fired and probably prosecuted for this kind of breach. But Hillary Clinton isn’t a normal person, which kind of makes it worse! But also makes the situation murky. But if we un-murk the situation, a group of people engineered a very bad breach that exposed very sensitive data, devices and networks and they did it on purpose to get around the security that was there to protect them and others. And we should be really clear about this: that’s really, really bad. This isn’t a political tempest in a teapot. It’s a good example of why network and internet security continues to be a huge problem. Not only do important people continue to take it less seriously than they should but when it’s not convenient they ignore it. That kind of thing has to stop.