Tag Archives: Cybersecurity

Clinton Official Statement: Email Security Sections

Following up my posting of the relevant section of the press conference transcript, Business Insider has posted the full official statement as well. Here are the relevant sections related to email security.

Was classified material sent or received by Secretary Clinton on this email
address?

No. A separate, closed system was used by the Department for the sole purpose of
handling classified communications which was designed to prevent such
information from being transmitted anywhere other than within that system,
including to outside email accounts.

How did Secretary Clinton receive and consume classified information?

The Secretary’s office is located in a secure area. Classified information was
viewed in hard copy by the Secretary while in the office. While on travel, the
Department had rigorous protocols for her and traveling staff to receive and
transmit information of all types.

Where was the server for her email located?

The server for her email was physically located on her property, which is protected
by U.S. Secret Service.

What level of encryption was employed? Who was the service provider, etc.?

The security and integrity of her family’s electronic communications was taken
seriously from the onset when it was first set up for President Clinton’s team.
While the curiosity in the specifics of this setup is understandable, given what
people with ill intentions can do with such information in this day and age, there
are concerns about broadcasting specific technical details about past and current
practices. However, suffice it to say, robust protections were put in place and
additional upgrades and techniques employed over time as they became available,
including consulting and employing third party experts.

Was the server ever hacked?

No, there is no evidence there was ever a breach.

Was there ever an unauthorized intrusion into her email or did anyone else
have access to it?

No.

What was done after her email was exposed in February 2013 after the hacker
known as “Guccifer” hacked Sid Blumenthal’s account?

While this was not a breach of Secretary Clinton’s account, because her email
address was exposed, steps were taken at that time to ensure the security and
integrity of her electronic communications.

Clinton Press Conference Transcript: Email Security Sections

For those following the Clinton Email Situation, I’ve gone ahead and taken the full press conference transcript that Time posted and have pulled out the sections that pertain specifically to questions around the email server and its security.

CLINTON: Yes?

QUESTION: Did you or any of your aides delete any government-related e-mails from your personal account? And what lengths are you willing to go to to prove that you didn’t?

Some people, including supporters of yours, have suggested having an independent arbiter look at your server, for instance.

CLINTON: We did not. In fact, my direction to conduct the thorough investigation was to err on the side of providing anything that could be possibly viewed as work related.

That doesn’t mean they will be by the State Department once the State Department goes through them, but out of an abundance of caution and care, you know, we wanted to send that message unequivocally.

That is the responsibility of the individual and I have fulfilled that responsibility, and I have no doubt that we have done exactly what we should have done. When the search was conducted, we were asking that any email be identified and preserved that could potentially be federal records, and that’s exactly what we did.

And we went, as I said, beyond that. And the process produced over 30,000 you know, work emails, and I think that we have more than met the requests from the State Department. The server contains personal communications from my husband and me, and I believe I have met all of my responsibilities and the server will remain private and I think that the State Department will be able, over time, to release all of the records that were provided.

QUESTION: Madam Secretary, two quick follow ups. You mentioned the server. That’s one of the distinctions here.

This wasn’t Gmail or Yahoo or something. This was a server that you owned. Is that appropriate? Is it — was there any precedent for it? Did you clear it with any State Department security officials? And do they have — did they have full access to it when you were secretary?

And then separately, will any of this have any bearing or effect on your timing or decision about whether or not you run for president? Thank you.

CLINTON: Well, the system we used was set up for President Clinton’s office. And it had numerous safeguards. It was on property guarded by the Secret Service. And there were no security breaches.

So, I think that the — the use of that server, which started with my husband, certainly proved to be effective and secure. Now, with respect to any sort of future — future issues, look, I trust the American people to make their decisions about political and public matters. And I feel that I’ve taken unprecedented steps to provide these work-related emails. They’re going to be in the public domain. And I think that Americans will find that you know, interesting, and I look forward to having a discussion about that.

QUESTION: Were you ever — were you ever specifically briefed on the security implications of using — using your own email server and using your personal address to email with the president?

CLINTON: I did not email any classified material to anyone on my email. There is no classified material.

So I’m certainly well-aware of the classification requirements and did not send classified material.

(CROSSTALK)

QUESTION: (OFF-MIKE)

CLINTON: Because they were personal and private about matters that I believed were within the scope of my personal privacy and that particularly of other people. They have nothing to do with work, but I didn’t see any reason to keep them.

“Hi We’re from the Government, We’re Here to Help You”

Yesterday the President announced a new executive order “to promote information-sharing within the private sector and with the government” around cybersecurity (I HATE that term).

I work in the private sector he’s talking about and have for nearly 20 years now. And I’ve seen and been part of a lot of really important collaboration and information sharing between government agencies and the private sector.

So I generally think this sort of thing is a good thing. The bad guys of all stripes always benefit when dealing with divided defenders.

But I don’t think this can and will be as successful as it could be or needs to be.

Because the fact is that in the security and privacy community, there’s a lot of lingering suspicion and bad feeling around the activities that government agencies are alleged to have engaged in as a result of the Snowden disclosures.

Information sharing will only happen and so only works where there’s trust. And a lot of people I know in the security and privacy space lost a lot of trust in the US government in the wake of those claims.

And that trust hasn’t been rebuilt or regained at all because there still hasn’t been an upfront discussion about what is and isn’t going on. And in that vacuum, a lot of people are assuming the worst, rightly or wrongly.

I’ve taken a very moderate stance on this all myself. I’ve worked with some very good people with intelligence backgrounds, so I don’t fall into the facile “the NSA is evil” camp. But I also don’t fall into the other, “the NSA can do no wrong” camp either. My views are more nuanced, with an underlying respect, gratitude and appreciation for those people willing to do hard, thankless work to protect us (having done a lot of that myself).

Regardless of my own views on this all though, the fact remains that for any information sharing program to succeed, there has to be trust. And it’s hard to argue there’s trust to fuel information sharing when one of the biggest, most important players is involved in a lawsuit to prevent having to disclose information it believes it shouldn’t have to.

In the end, it’s too bad because the horrible way the Snowden disclosures have been handled in terms of a response will undermine what is an important initiative that ultimately will benefit everyone.

This is yet another example that how you handle and respond to what you do is at least as important as (if not more important than) what you do itself.