Investigating Hillary Clinton: More than extreme carelessness, a willful and systemic disregard for required security practice

In light of the FBI's pronouncement on Hillary Clinton's email use, presidential email expert David Gewirtz examines recently released government documents that reveal Clinton's pattern of negligence.
Written by David Gewirtz, Senior Contributing Editor

Image: ZDNet

This week marked one of the more unprecedented acts in what has already been a highly unusual campaign season: the director of the FBI provided a detailed assessment of Hillary Clinton's behavior with regard to email management.

Unfortunately, while Director James B. Comey's statement about Secretary Clinton was both of relief to her campaign and damning with regard to her security practices, it was ultimately incomplete.

In this article, we'll take a much deeper dive and look at the specifics of how Secretary Clinton and her staff mismanaged secure information and thereby created a substantial and worrisome security risk for the United States.

This article specifically focuses on security issues with regard to Secretary Clinton's State Department. It does not look at the records management component of our investigation. For that, please read my previous article, Investigating Hillary Clinton: Which secretaries of state violated the Federal Records Act?

In this article, I will provide details behind the following eight troubling observations:

  1. Secretary Clinton's staff was aware of State department policy regarding private devices and servers
  2. Concerns were presented about the Secretary's disregard of this policy and were dismissed with instructions never to speak of them again
  3. A memo concerning security risks of using private email was sent to State Department staffers under Secretary Clinton's own signature
  4. There were multiple instances of known attempts to attack the Clinton's private server
  5. Mrs. Clinton herself demonstrated awareness of the security risks of email through her concern over bad links and phishing attacks
  6. The use of a private email account was problematic not only for security reasons but because messages were being sent to spam
  7. The priority was masking Secretary Clinton's identity rather than solving the messaging or security issues
  8. Known security problems were never reported to Departmental security personnel.

Buckle up. This is going to be a rocky ride.

Sidebar: Read my personal disclosure statement

Ground rules

As discussed in my previous Investigating Hillary Clinton article, there are some ground rules I abide by when I conduct investigations into the practices of officials at the highest levels of the U.S. government. In particular, I rely on declassified or unclassified government statements and documents only.

While these are not necessarily "primary sources," as might be defined in an academic project, they are often as close as it's possible to get during what the government calls an "open source" (as in not classified) investigation.

In this article, I will be discussing elements of Director Comey's statement, along with a detailed investigation report from the US Department of State (USDOS).

Both of these sources cite additional internal investigations and reports, most of which have not been made public. Even so, the aggregate statements made by the FBI and USDOS investigators can be considered "official," because they are statements by authorized members of government agencies. They represent each agency's formal findings.

Many of you have contacted me with concerns that I did not cite specific news articles, which may or may not have had more inflammatory information. That is intentional. When doing this level of investigation -- one intended to stand up to the test of time -- it's critical that hearsay, rumors, and innuendo be filtered out of the process in the quest for a baseline of factual information.

As is always the case with any documents, official or otherwise, what was said or published most likely only scratches the surface. Even so, the information we have available to us via open and declassified information is enough to give us a detailed perspective that, in this case, is damning enough as it is.

Finally, while the political implications of these investigations are fascinating, I will not be discussing those implications in this article. This article is intended solely to provide investigatory disclosure, not political prognostication.

Source materials

In this article, I'll continue to explore the recently released Office of the Secretary: Evaluation of Email Records Management and Cybersecurity Requirements [PDF] prepared by the Office of the Inspector General (OIG) of the United States Department of State Office of Evaluations and Special Projects.

I will also use the transcript provided by the FBI of Director Comey's briefing, Statement by FBI Director James B. Comey on the Investigation of Secretary Hillary Clinton's Use of a Personal E-Mail System.

Additionally, we will use two interconnected official documents known colloquially as the FAM/FAH. These are the United States Department of State Foreign Affairs Manual and Department of State Foreign Affairs Handbook. State describes these documents as:

The Foreign Affairs Manual (FAM) and associated Handbooks (FAHs) are a single, comprehensive, and authoritative source for the Department's organization structures, policies, and procedures that govern the operations of the State Department, the Foreign Service and, when applicable, other federal agencies. The FAM (generally policy) and the FAHs (generally procedures) together convey codified information to Department staff and contractors so they can carry out their responsibilities in accordance with statutory, executive and Department mandates.

The FAM/FAH are, effectively, the employee handbooks for State Department employees.

Finally, the OIG investigation repeatedly cites a State Department memorandum known as 11 STATE 65111 (June 28, 2011). Unfortunately, I have not been able to find an original of this unclassified document, although the version I'm pointing to here (on the FOX News site) seems to match the extracted portions articulated in the OIG report.

State Department policies during Clinton's tenure

Hillary Clinton became the 67th US Secretary of State on January 21, 2009 and left office on February 1, 2013.

As such, any policies that were in place prior to her entering office in 2009 apply to Hillary Clinton and her staff, while policies enacted after February 2013 do not.

This is important, because there have been some discussions about messages retroactively classified, and about government programs like the Capstone Approach, which was introduced in August of 2013, seven months after Mrs. Clinton left office.

Some of the media reports cite these issues, but it's relatively obvious that, absent an available time machine, guidelines enacted after the Secretary left office should not be used to pass judgement over her behavior while in office.

OIG cites two organizations within the Department of State that manage information security: the Bureau of Information Resource Management (IRM) and the Bureau of Diplomatic Security (DS). When the OIG conducted its investigation into the Clinton period at State, investigators spoke to IRM and DS officials, and determined that during Clinton's tenure:

Department employees must use agency-authorized information systems to conduct normal day-to-day operations because the use of non-Departmental systems creates significant security risks.

The OIG report goes on to say:

Among the risks is the targeting and penetration of the personal email accounts of Department employees, which was brought to the attention of most senior officials of the Department as early as 2011.

Not only was Mrs. Clinton the serving Secretary of State in 2011, the 11 STATE 65111 document cited in the OIG report is listed as from "SECSTATE WASHDC." In other words, it was sent to State employees under Secretary Clinton's signature.

Over the years, policies at State got more rigorous and sophisticated, but as early as 2005, the FAM required use of authorized information systems. In 2008, the FAM was updated to allow the use of "privately owned computers only with DS and IRM approval."

The OIG report therefore clearly confirmed that the use of private computers, which they describe as "computers, mobile devices, Internet connections and personal email" was not permitted without prior approval. Since that policy was in place when Mrs. Clinton arrived at State, she was subject to its requirements.

In fact, in 12 FAM 625.2-1 (July 28, 2008), written approval of DS and IRM was required. An additional policy described as 12 FAM 683.1 (December 2, 2009) limited the use of PDAs in areas that were strictly unclassified ("such as the cafeteria").

The State Department also had specific guidelines on accessing "sensitive but unclassified" (SBU) information on personal gear. According to what was 12 FAM 682.2-4 (August 28, 2008), "management and employees must exercise particular care and judgement when remotely processing SBU information."

For those with a penchant for reading government policy manuals, please note that this guideline moved to 12 FAH-10 H-173.4 on January 11, 2016.

This policy will be important to remember when we review the FBI director's statement in more detail later in this analysis.

Another relevant policy is 5 FAM 751.2 (February 27, 2002), which prohibited State Department employees "from auto-forwarding their email to a personal email address to preclude inadvertent transmission of SBU email on the Internet."

This, of course, was part of the problem I identified in my book regarding the Bush administration's use of a private email provider out of "an abundance of caution" in complying with the 1939 Hatch Act:

I estimate that more than 103.6 million White House email messages have been sent over the open Internet, via SMARTech, a 12-person Internet service provider located in downtown Chattanooga.

So, while agencies like State identified the risks of open Internet transmission as early as 2002, regulations provided a convenient loop hole for avoidance, and therefore added risk. As we'll see however, Secretary Clinton's office never cited the Hatch Act as their justification for operating a private server. Instead, it's just something they did.

The Department of State made it clear to employees as far back as 2002 that transmission of SBU information over the Internet was strictly prohibited. That got modified during Colin Powell's term as SECSTATE, in part because Mr. Powell insisted on using his own private laptop to communicate to the outside world. Even so, 12 FAM 544.3 (November 4, 2005) states:

Transmissions from the Department's OpenNet to and from non-U.S. Government Internet addresses, and other .gov or .mil addresses, unless specifically directed through an approved secure means, traverse the Internet unencrypted.

Before we move on to specifics of Secretary Clinton's behavior, it's important to note that many of these policies were for sensitive, but unclassified, information. Classified information was subject to far more stringent requirements, some of which the FBI disclosed that Mrs. Clinton violated as well.

Systemic disregard of security policy

A disturbing observation coming out of this analysis is how completely Mrs. Clinton disregarded security policy. Even more disturbing was her apparent lack of regard for the added security requirements for highly classified information.

If you'll recall from our policy discussion, there are limits imposed on where PDAs (and, by extension, smartphones) are used near classified information. According to the OIG report, Secretary Clinton insisted on using BlackBerry devices instead of a secured smartphone.

This was not unique to Secretary Clinton. President Obama did not want to give up his BlackBerry either. This was back when people actually still used BlackBerry devices.

I wrote three articles discussing the issue for CNN back in 2009. As became clear, Mr. Obama used both a BlackBerry for limited personal communications and a more advanced and secure phone for other communications.

The difference, according to the OIG report, was that Mrs. Clinton insisted on using her BlackBerry in classified areas:

The Assistant Secretary of DS then sent a classified memorandum to Secretary Clinton's Chief of Staff that describe the vulnerabilities associated with the use of BlackBerry devices and also noted the prohibition on the use of BlackBerry devices in sensitive areas. According to a DS official, shortly after the memorandum was delivered, Secretary Clinton approached the Assistant Secretary and told him she "gets it."

Apparently Secretary Clinton didn't fully get it. As the policy discussion stated earlier, State employees were required to get permission to use unclassified private computers. Yet, according to OIG, "OIG found no evidence that the Secretary requested or obtained guidance or approval to conduct official business via a personal email account on her private server."

It is possible Mrs. Clinton didn't ask for approval or guidance because she knew she wouldn't get it from cybersecurity-aware officials. According to the OIG report, "DS and IRM did not - and would not - approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM and the security risks in doing so."

Secretary Clinton also apparently disregarded FAM policy when it came to SBU information. The policy (12 FAM 544.2) states that if SBU information needs to be transmitted outside of the State Department secure environment, "they should request a solution from IRM."

Yet, "OIG found no evidence that Secretary Clinton ever contacted IRM to request such a solution, despite the fact that emails exchanged on her personal account regularly contained information marked as SBU."

The OIG report goes on to describe that 12 FAM 682 (August 4, 2008) requires that those employees using personal or private gear submit to what was essentially a security review of their setups.

According to the OIG report, "DS and IRM reported to OIG that Secretary Clinton never demonstrated to them that her private server or mobile device met the minimum information security requirements specified by FISMA and the FAM."

Ironically, it appears that Secretary Clinton's insistence on the use of her personal email system had an unintended consequence: much of her email to State Department staff wound up in their spam bins.

This was discussed in November of 2010 in an email chain. Secretary Clinton's Deputy Chief of staff sent her a note stating, "We should talk about putting you on state email or releasing your email address to the department so you are not going to get spam."

Read that last sentence carefully. It means that not only was Secretary Clinton using a private email address, but that email address was not known by State Department staffers and therefore they could not white list messages coming from her. As a result, some messages coming from the sitting Secretary of State got routed to their spam folders.

Worse, rather than adopting a State Department email address or even letting employees white list her personal email address, Mrs. Clinton told her Deputy Chief of Staff, "Let's get separate email address or device but I don't want any risk of the personal being accessible."

The OIG's review of Mrs. Clinton's email showcases some very odd behavior that was not addressed by the FBI. Secretary Clinton apparently was very concerned about some or all of her email messages being attributable to her.

Before we delve further into this, it's important you understand the role of the Executive Secretary. This is not, as might be in the business world, the boss's private assistant. Instead, according to State:

The Executive Secretariat (S/ES), comprised of the Executive Secretary and four Deputy Executive Secretaries, is responsible for coordination of the work of the Department internally, serving as the liaison between the Department's bureaus and the offices of the Secretary, Deputy Secretary, and Under Secretaries. It also handles the Department's relations with the White House, National Security Council, and other Cabinet agencies.

At the time, the Executive Secretary was a gentleman named Stephen D. Mull. Today, Mr. Mull is the United States Lead Coordinator for Iran Nuclear Implementation. So, when you read the next paragraph, please keep in mind the official making this recommendation is the person now charged with keeping the world safe from Iran's nuclear arsenal.

In August of 2011, Secretary Clinton's personal email server was "down." At that time, according to the OIG report, Mr. Mull in his role as Executive Secretary, said he wanted to provide Mrs. Clinton with two devices, "one with an operating State Department email account (which would mask her identity, but which would also be subject to FOIA requests), and another which would just have phone and internet capability."

It is possible to interpret this statement in two ways. The first, which is disturbing to contemplate, implies that our current lead nuclear coordinator seemed complicit in an activity designed to mask the Secretary of State's identity from Freedom of Information Act requests.

The other interpretation, that if "her identity" is strictly parsed to mean the actual email account, is understandable in that any government employee might not want his or her personal email address made available to the general public.

In any case, the two phone idea never happened because Secretary Clinton's Chief of Staff stated it "doesn't make a whole lot of sense" and ignored the proposal.

The OIG report also shows something of a misinformation campaign waged between Secretary Clinton's immediate staff and those of the various bureaus within State. According to the OIG report, two staff members in S/ES-IRM discussed concerns about Secretary Clinton's personal use with an unnamed person who was then the Director of S/ES-IRM.

The following three statements from the OIG report relate to this situation:

The Director stated that the Secretary's personal system had been reviewed and approved by Department legal staff and that the matter was not to be discussed any further.

OIG found no evidence that staff in the Office of the Legal Advisor reviewed or approved Secretary Clinton's personal system.

The Director stated that the mission of S/ES-IRM is to support the Secretary and instructed the staff never to speak of the Secretary's personal email system again."

So, that worked out well.

At this point, it's clear that security policies were regularly violated. The question any reasonable IT person might ask is whether Mrs. Clinton or her staff actually understood the implications of a violation in email security. There are two documented instances that seem to demonstrate they were, in fact, aware of the risks.

The first incident disclosed in the OIG investigation concerns hacking attempts against Secretary Clinton's personal email server.

On January 9, 2011 a person described as "the non-Departmental advisor to President Clinton who provided technical support to the Clinton email system" (in other words, the Clintons' personal geek) contacted the State Department Deputy Chief of Staff for Operations. In an email, the advisor wrote, "We were attacked again so I shut [the server] down for a few min."

Note the phrasing of "attacked again," implying that there were previous known attacks against the Clintons' private server.

An email chain resulted, going from the Deputy Chief of Staff for Operations to the Chief of Staff and the Deputy Chief of Staff for Planning stating that they should not email Secretary Clinton "anything sensitive" and that she would "explain more in person."

The second documented incident showing Secretary Clinton's awareness of security concerns took place on May 13, 2011. On that day, "two of Secretary Clinton's immediate staff discussed via email the Secretary's concern that someone was hacking into her email after she received an email with a suspicious link."

OIG reports, "The next morning, Secretary Clinton replied to the email with the following message to the Under Secretary, 'Is this really from you? I was worried about opening it!'"

This clearly shows that Hillary Clinton herself was aware of the risks of a phishing attack, email identity impersonation, and suspicious links. It also shows the possibility that her devices or those of her associates might have been compromised.

The report by FBI director Comey seems to confirm this assessment. Mr Comey stated, "...we assess it is possible that hostile actors gained access to Secretary Clinton's personal e-mail account."

The OIG report points out that 12 FAM 592.4 (January 10, 2007) requires "employees to report cybersecurity incidents to IRM security officials when any improper cyber-security practice comes to their attention."

12 FAM 682.2-6 (August 4, 2008) states "Notification is required when a user suspects compromise of, among other things, a personally owned device containing personally identifiable information."

And yet, "OIG found no evidence that the Secretary or her staff reported these incidents to computer security personnel or anyone else within the Department."

The FBI's analysis

Now that you understand the inside story of Mrs. Clinton's use of personal email while at the Department of State, let's look at the statistics reported by FBI director James Comey:

110 e-mails in 52 e-mail chains have been determined by the owning agency to contain classified information at the time they were sent or received.

Eight of those chains contained information that was Top Secret at the time they were sent;

36 chains contained Secret information at the time; and eight contained Confidential information, which is the lowest level of classification.

These were from the 30,000 messages provided to the FBI. In addition, after additional recovery efforts, the FBI was able to identify "three of those were classified at the time they were sent or received, one at the Secret level and two at the Confidential level."

Director Comey stated that the FBI was not going to recommend criminal charges be filed against Mrs. Clinton, stating there was no evidence of overt criminal behavior or disloyal intent.

Instead, Comey accused Clinton of extreme carelessness:

Although we did not find clear evidence that Secretary Clinton or her colleagues intended to violate laws governing the handling of classified information, there is evidence that they were extremely careless in their handling of very sensitive, highly classified information.

When we think of carelessness, we often think of sloppiness or lack of care. Google defines "careless" as "not giving sufficient attention or thought to avoiding harm or errors," "(of an action or its result) showing or caused by a lack of attention," and "not concerned or worried about."

In my nearly decade-long investigations into government management of email at the very highest levels, one pattern has become apparent: email security is never given the attention it deserves by those in power.

Based on my detailed analysis of Secretary Clinton and her staff with regard to their use of email, it now appears clear that the issue was not about a lack of knowledge or understanding of the security issues regarding email.

Instead, like Janice in Accounting, it seems they just didn't give a f*ck.

You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

Editorial standards