Questions are swirling about the security of the personal email service that Hillary Clinton used while serving as secretary of State.
Clinton reportedly used a private email address hosted on a server registered to her Chappaqua, N.Y., home, instead of an official government account.
Security experts are alarmed by the arrangement, warning it likely left critical national secrets vulnerable to hackers and spies.
“It’s irresponsible for the top U.S. diplomat to be putting communications at risk in that way,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union (ACLU). “After the president, Secretary Clinton was probably the highest value target for foreign intelligence agencies.”
So how good was Clinton’s security? Experts say they need answers to these questions before knowing for sure.
1.) What type of encryption was Clinton using?
According to Bloomberg, Clinton purchased a commercial encryption product from Fortinet for her personal system.
But security experts have dinged Clinton for relying on a default, self-signed, encryption “certificate.”
“Which is bad,” said Morgan Wright, a cybersecurity consultant who has worked with tech companies like Cisco and Alcatel-Lucent. “You should always get one that’s issued by a certificate authority.”
When constructing a secure email system, it is common practice to purchase an encryption certificate issued for the specific server. The certificate is the digital credential a connecting client uses to verify that it is talking to the genuine server before an encrypted session is established; a self-signed certificate still encrypts the connection, but no trusted third party has vouched for the server’s identity, so a client cannot tell the real server from an impostor presenting its own self-signed certificate.
Without an encryption certificate issued by an authority like GoDaddy, “you open [the server] up to all sorts of issues,” Wright said, including the potential bulk collection of Clinton’s email messages.
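The distinction the experts draw above, between a self-signed certificate and one issued by a certificate authority, comes down to two checks a client makes: whether the certificate’s issuer is anyone other than the subject itself, and whether the client is configured to insist on a trusted issuer at all. The following Python example is added here to illustrate those checks; it is not code from the original article or from any of the products it mentions. The certificate dictionaries are constructed samples in the shape that Python’s `ssl.SSLSocket.getpeercert()` returns, and the hostname `mail.example.invalid` is a placeholder.

```python
import ssl
from typing import Dict

# Constructed sample certificates in the structure returned by
# ssl.SSLSocket.getpeercert(). A self-signed certificate is recognisable
# because its issuer name is identical to its subject name.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "mail.example.invalid"),),),
    "issuer": ((("commonName", "mail.example.invalid"),),),
    "notAfter": "Mar  4 00:00:00 2016 GMT",
}

# Constructed sample of a certificate issued by a (hypothetical) CA.
CA_ISSUED_CERT = {
    "subject": ((("commonName", "mail.example.invalid"),),),
    "issuer": (
        (("organizationName", "Example Issuing CA (constructed)"),),
        (("commonName", "Example Issuing CA"),),
    ),
    "notAfter": "Mar  4 00:00:00 2016 GMT",
}


def _name(rdn_sequence) -> Dict[str, str]:
    """Flatten getpeercert()'s nested relative-distinguished-name tuples."""
    return {key: value for rdn in rdn_sequence for (key, value) in rdn}


def is_self_signed(cert: dict) -> bool:
    """A certificate whose issuer equals its subject was signed by itself."""
    return _name(cert["subject"]) == _name(cert["issuer"])


def strict_client_context() -> ssl.SSLContext:
    """Client settings that reject a self-signed or untrusted server certificate.

    create_default_context() loads the system CA store, requires a certificate
    (CERT_REQUIRED) and checks that it matches the hostname being connected to.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration that makes a self-signed certificate 'work':
    verification switched off, so any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_accepts_untrusted(ctx: ssl.SSLContext) -> bool:
    """True if this context would complete a handshake with a certificate
    that no trusted CA has vouched for (the weakness the experts describe)."""
    return ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname


if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED_CERT), ("CA-issued", CA_ISSUED_CERT)):
        print(f"{label}: subject == issuer -> {is_self_signed(cert)}")
    print("strict context accepts untrusted:", context_accepts_untrusted(strict_client_context()))
    print("weak context accepts untrusted:  ", context_accepts_untrusted(weak_client_context()))
```

Run on its own, the script reports that the first sample is self-signed and the second is not, and that only the deliberately weakened context would accept a certificate nobody has vouched for. In an audit of an email server, the same two checks (is the presented certificate self-signed, and do the mail clients connecting to it actually verify the chain) are the first things to look at.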
2.) How did her email security compare to the State Department’s?
While a private email service can employ robust defenses, it’s unlikely that Clinton’s system matched the State Department’s security level, experts say.
“Unless she was employing 24-by-7 advanced monitoring, protection and incident response, I just don’t see how she could have as secure a system,” said Jason Straight, chief privacy officer for UnitedLex, which advises corporations on cybersecurity practices.
Straight said the State Department is bound to have more resources devoted to cybersecurity, due to the sheer size of its workforce.
“I just don’t see how on a day-to-day basis with all of the maintenance, monitoring and detection that had to happen that she could have reasonably paid to have the level needed,” he added.
3.) Did foreign countries know about Clinton’s setup?
Analysts think the answer is almost certainly yes.
“It’s likely been something that foreign intelligence agencies have had their eyes on for many years,” Soghoian said.
The State Department has said it doesn’t believe any classified information went through Clinton’s personal email account, but experts said that would have made little difference to foreign intelligence agencies.
The National Security Agency (NSA) targeted the personal, unclassified cell phone of German Chancellor Angela Merkel. Even though the phone might not contain the biggest national secrets, the hints it gives about political strategies provide valuable intelligence.
“You get leakage of classified information,” Wright said. Key words and phrases can help “identify a classified program or a classified element.”
4.) Who authorized the arrangement?
It’s not clear who in the State Department was consulted about Clinton’s email service, frustrating some in the security community.
“Why wasn’t legal guidance sought? If she’s using her government-issued Blackberry, who put it on her Blackberry?” Wright said.
Reportedly, the State Department’s cybersecurity team alerted Clinton’s office about the risks involved with her private email system.
“We tried,” an unnamed security staffer told Al Jazeera. “We told people in her office that it wasn’t a good idea. They were so uninterested that I doubt the secretary was ever informed.”