
What Does Mike Pence’s Use of A Personal Email Account Teach Us?

The Washington Post is reporting that Vice President Mike Pence used a personal email account to conduct government business when he was Governor of Indiana.

The Veep says that his use of a personal email account is different than Clinton’s use of a personal email account and I do not want to turn this into a political blog.  Pence said he didn’t break the law and I believe him.  That doesn’t mean that doing what he did wasn’t extremely reckless.  There were emails between him and Homeland Security regarding very sensitive terrorism matters that have no place being discussed on AOL.

There are some similarities that can’t be ignored:

  • Both used personal email accounts for government business
  • It appears that neither one violated the law at the time by using personal email accounts.
  • Emails from both accounts were publicly disclosed – one by a hacker and one after the fact by the government.
  • Emails in both accounts contained sensitive information, although some of Clinton’s emails may have contained classified information even though none were marked with classified markings (either of which is a problem!)
  • Both email accounts contained emails, the content of which, according to each owner, was too sensitive to release publicly.

One thing that is different is that Pence’s email was known to be hacked while Clinton’s email is only speculated to possibly have been hacked.

So what can you or I learn from this situation and what might we do differently?

The first thing is to understand that normal email – in VP Pence’s case, it was an AOL account and in Clinton’s case it was a personally managed email server – is likely not very secure. Period.

Second is that if you plan to use email for sensitive information – which apparently both people did – you need to take extreme measures to protect it – which apparently neither person did.

Third, when it comes to the intersection of security and convenience, if you are going to use email for sensitive communications, security needs to win.  In neither case did that happen.

In THEORY (but only in theory), the privately run email server of Hillary Clinton COULD HAVE BEEN more secure than a public email server run by AOL because AOL has designed its email service to be used by grandma to get pictures of her grand-kids and a private email server can be designed to do whatever the owner decides is important.

If you are an executive of a company, of a state or of a country, you need to either understand enough about cybersecurity to make critical decisions (which is unlikely to be the case) or consider security important enough that you have people on your team who you can trust and count on to do that for you.

Public email servers like Google, Microsoft and AOL will NEVER be able to do that – it isn’t what you are paying for (which is pretty much zero).   You do, in fact, get what you pay for in this case.

While the Veep likely broke no laws by using a personal email account, if those emails were too sensitive to publicly release,  then the use of a public, consumer grade email solution shows, at a minimum, extremely poor judgement.

Executives need to become modestly technically adept and surround themselves with people who have the appropriate technical skills.  Then they need to do what those people tell them to do.

It seems like neither Pence nor Clinton did that.

For executives in private industry, it is unlikely that they will have classified emails in their inbox, but it is highly likely that they will have emails that are too sensitive for public release.

So why the <bleep> are they sending that kind of stuff over public email?  Regardless of what Google or any other general purpose public email provider might say, in reality, with the exception of a handful (literally) of security oriented email providers – all very small – no commercial email is encrypted in a way that you should consider safe from compromise and disclosure.

THAT is the message I want to deliver today.  It has nothing to do with either Pence or Clinton.  They are just the opportunity to discuss the issue.

So, executives —

SECURITY or CONVENIENCE – pick one.  And if you pick convenience and your emails show up in Wikileaks or the New York Times, don’t say you were not warned.

Consider yourself warned.

Information for this post came from the Washington Post.


NSA Refused Clinton A Secure Blackberry

THIS IS NOT A POLITICAL POST.  But the story does have, I think, an extremely important message to all corporate I.T. and security people.

Here is the Clinton story. Judicial Watch, the conservative PAC that has been driving the Clinton email investigation, got some documents under a Freedom of Information Act request that are enlightening.

Apparently, Clinton was not a computer user, but someone gave her a Blackberry and, after a while, she became addicted to it.

But, the seventh floor at Foggy Bottom (State Department HQ, mahogany row) was a wireless free zone for security reasons, so she had to leave her Blackberry in a locker outside, just like the rest of us do when we enter a SCIF or high security area.  The effect of that was that she would be without email access for hours at a time and would run outside on breaks to check her email.

In fact, they crafted an office for her, outside the SCIF, so that she could go read her emails a couple of times a day.

In an effort to solve this problem, Donald Reid, the State Department’s coordinator for security infrastructure, said that he repeatedly asked the NSA what their solution was for the President’s Blackberry addiction and was “politely told to shut up and color”.  Great quote.  Probably not for the NSA, but I like it.

So  what did Clinton do?  She did what every executive will do in the face of being told no.  She told them to F@#$ Off and used her own Blackberry, insecure as it was.

NSA did have a secure phone, called a SME-PED.  SME-PED stands for Secure Mobile Environment Portable Electronic Device.  Think about holding a brick up to your face and talking into the brick.  People that I know who have one call it a Franken-phone.  It was a horrible device and never accepted in the military – except when forced on low ranking soldiers.  I recall many stories of military brass asking their keepers to borrow their personal phone to make calls, the SME-PED was so bad.


Not only were SME-PEDs horrible to use, they cost, according to Ars, almost $5,000, which, to spend on the SoS, is not a big deal.  On top of it, according to some special ops folks who showed me one (but wouldn’t let me touch it even though I had a clearance – I didn’t have a need to know), the rules for handling it were unworkable also.  You basically had to treat it like the classified information it contained.

Condoleezza Rice, Clinton’s predecessor in the Secretary of State position, had received waivers for her and her staff to use their own Blackberrys.  But now, under the new administration, they wanted Clinton to use this brick, the SME-PED.

The SME-PED was only cleared to store information classified at the SECRET level, not TOP-SECRET or Compartmented information, so even if she used one, it would not be able to store the information that people are now complaining they have found some instances of, unmarked and classified after the fact, on her Blackberry.

All that was background.  Here is the important part and if you don’t already know this, you should.

IF YOU (I.T. OR SECURITY) TELL PEOPLE IN YOUR ORGANIZATION THAT THEY CAN’T DO SOMETHING THEY THINK IS IMPORTANT, FOR SECURITY REASONS, THEY WILL DO IT ANYWAY IF THEY THINK THEY CAN GET AWAY WITH IT.

I have been having the conversation with a friend of mine in the DoD who keeps saying that if he did what Clinton is accused of doing that he would get fired and likely brought up on charges.  And I have no doubt that he is right.

But, executives have different rules.  Colin Powell used his personal email.  He said the State Department computers were totally unusable.   Condi Rice and her entire staff used Blackberrys.  No one got in trouble for doing that.  You could counter that Rice got permission to do that – Powell did not – but Clinton asked for permission and was told to shut up and color.  My friend points to General Petraeus who didn’t risk having his emails compromised;  he willingly gave them to his mistress.  There is no question about whether his emails were compromised, we know they were.  And, he was the Director of the Central Intelligence Agency.  Should he, kind of, know better?  Not to mention, having a mistress is kind of a violation of military rules.

What happened to the General?  Well, he had to retire.  Sadness.  He was ordered to pay a $100,000 fine and serve two years probation.  Granted, this was a much more serious penalty than the 100 hours of community service that Sandy Berger got for removing classified documents from the National Archives, but he didn’t give them to his mistress.

According to CBS, the Pentagon considered retroactively removing one of General Petraeus’ stars (demoting him), but decided not to because he apologized.

So, apparently, if you are Brass and you break the law, violate the Uniform Code of Military Justice and give classified documents to your mistress, but say you are sorry, then we are good?  He doesn’t have to forfeit his pension of $230,000+ a year.  And, of course, he has a private sector “consulting” job working for KKR making seven figures a year (see here).

None of this is unusual, but the point is, DON’T TELL PEOPLE THEY CAN’T;  THEY WILL THUMB THEIR NOSE AT YOU AND DO IT ANYWAY.

Just my two cents.

Information for this post came from Ars Technica.
