On Classified E-mails

With the election cycle nearing its conclusion, you have undoubtedly heard a lot about Hillary Clinton and her damned e-mail scandal.  In fact, you have probably heard about it far more than you would have liked because, to put it bluntly, if Republicans aren't talking about Benghazi, then they're probably rambling on about this damned scandal.

The problem is, not many people really understand what the scandal is about, or why it's important in the first place. So, I endeavored to read through a few articles on the Internet, and - more importantly - the FBI documents released on the investigation, in an effort to build a primer on the issue and its relevance to the American Citizen.

This is not a political post; it is a technical primer, and as a result, my conclusions at the end of the post will be focused primarily on the ways in which technicians and engineers can learn from this scandal.  However, that does not mean that this post can completely avoid politics given how politically charged and divisive the topic is.

Memes like this one exaggerate the frequency with which the issue is brought up, but not nearly as much as you might think, and with pretty telling results in the election cycle.


Understanding Classifications


While classified messages did go through Secretary Clinton's private server, the hard truth is that all but 110 of them were classified after the fact.  This is an important distinction to keep in mind, not because it absolves Secretary Clinton of any wrongdoing, but because it helps frame the whole political debate. Things can become classified after the fact, and it's generally a bad idea to talk about work outside of work to prevent just that sort of thing. And while Republicans are quick to question Presidential Candidate Hillary Clinton's ability to handle classified information and her alleged ties to foreign governments through the Clinton Foundation, these questions are generally misplaced.

As the remainder of this post will illustrate, the real issue for Presidential Candidate Hillary Clinton isn't her ability to handle classified information, but her ability to prioritize and balance her personal ambitions against her stately duties.  It's worth noting that she isn't the only one facing this issue:  In fact, the single largest issue millennial workers face is convincing employers to help them strike the work-life balance necessary for success in and out of the workplace.  It should no longer be passe to acknowledge that Secretary Clinton, and even a President Clinton, is going to have a complex life outside of her stately duties, and many more politicians who follow after her will as well.

The desire to balance transparency against privacy, and proprietary or secret information against establishing yourself as an industry leader in an increasingly competitive environment means that this is not an issue that begins or ends with Secretary Clinton, and it's important to fully understand the mechanics at play before we issue judgment in the court of public opinion.

This, however, is not a blog post about government classification standards, so it's mostly just important to understand that most of the information being handled by Secretary Clinton was unclassified at the time.


The Volume


One discussion point on this scandal is that 2093 out of 62,320 e-mails during Secretary Clinton's tenure are considered classified at this time, of which only 110 were classified when Secretary Clinton received them. While pundits on the left are quick to point out that this is less than 0.2%, the volume itself doesn't really affect national security:  If Secretary Clinton shared 62,000 e-mails about the new Star Wars movie, and one e-mail that President Obama is actually allergic to little green rocks, then this is a huge breach in national security.

This is important for exactly one reason:  Determining intent.  One classified e-mail being leaked to an unclassified computer is an accident; one that usually results in remedial training and a very long day for the security team; whereas 2,000 leaks is probably criminal. The question here isn't "how many e-mails were leaked," but rather "who leaked them?"


So, who is responsible?


The simple answer here is one that they teach officers in most accession programs:  You're in charge, so you're at fault.  Which means Secretary Clinton is at fault for the systematic failure to properly handle this information; however, that logic only really helps political campaigns against Secretary Clinton and does little to address the issues themselves or understand how the issue came to exist in the first place.

This argument falls apart when reading through the documents released under the Freedom of Information Act, which suggest - through the FBI's own investigation - that Secretary Clinton followed security protocol in keeping her personal and professional life separate when at her office in DC, including numerous trips outside of her SCIF to check her personal e-mail, and in properly utilizing couriers and classified VOIPs to conduct her stately duties (Page 12).

The introduction of classified information onto unclassified systems (personal or government is ultimately irrelevant) was from other people who continuously sent Secretary Clinton classified documents (Page 14), often without the proper documentation identifying that information as classified (Page 20).  This is particularly troublesome when we consider that Secretary Clinton "relied on State officials to use their judgment when emailing her" (Page 4).

In most cases (there are about five exceptions), the classified information received by Secretary Clinton was received without being properly marked and controlled by the person who sent it, placing the blame for that leak on the sender, not the Secretary. Unfortunately, as is the case when you mislabel things, Secretary Clinton "relied on State officials' judgment" and treated this information as unclassified and replied to it, talked about it, and propagated it as if it were unclassified.  To make matters worse, she did this on not only her government systems, but her private e-mail servers as well, exacerbating the problem.


So, How Did They Do It?


Buckle up:  This section is super technical.

Actually, it isn't. 

If you have ever attended a university that gives you an e-mail address, or three, it can be pretty cumbersome to keep track of all of your different e-mail accounts.  Throw in the fact that you're no longer 17 and maybe "macdaddy82" isn't an e-mail you want to put on your resume, and you have a serious e-mail problem on your hands.

So, how do you handle it?

You forward your e-mail! It's a pretty simple process, and the effort it takes to do this is significantly less than the effort it takes to forward your mail with the US Post Office!  At only 12 steps, it takes about five minutes to set this up in Gmail, and only a little extra time to have a similar system in place for Microsoft's Outlook and virtually every other mail system used by the US Government.  It's hardly nefarious.

You can't tell by looking at it, but I have about eight e-mail addresses funneled to this one dashboard.  And, before Google's Inbox program, I deleted things after I replied to them as well!


Why is this important?


As I mentioned at the top of this post, my aim here was to create a technical primer and a case-study for engineers, developers, and technicians to help prevent similar (if smaller) breaches in national or corporate security. While your business may not be handling TOP SECRET information, you undoubtedly want to keep your corporate secrets away from competitors almost as much as the U.S. Government wishes to keep their national secrets away from adversaries. 

1. User Training

This is a huge leak and some of the responses that Secretary Clinton gave as a result of it are troubling:

  • [Clinton does] "not pay attention to the level of classification, and took all classified information seriously." (Page 20)
  • "There is no policy for communicating around the holidays, and it was often necessary to communicate in code or do the best you could to convey the information"  (Page 27)
  • Clinton could not recall ever having received any training as a classification authority

While other responses show some hope:

  • When receiving a phishing e-mail, Secretary Clinton forwarded the e-mail to the security authorities, and sent a separate e-mail to the sender asking, "Is this really from you? I was worried about opening it!" (Page 30)

These responses show a mixed user training program at the State Department where users - and in this case Secretary Clinton is "just" a user - know better than to fall for phishing attacks, but still think it's appropriate to "talk in code."  Additionally, even though the vast majority of the classified e-mails were unclassified at the time (absolving Clinton and her aides of any wrongdoing), the idea that this information may one day be reclassified never occurred to them.

Users need to understand not only how to protect information, but also how "talking in code" helps hackers, and that not all proprietary, or classified, information is created equal.  Users must understand the business' priorities in order to understand the severity placed behind its security policies.

2. Administrator Training

Telling the Secretary of State "no" is probably an incredibly difficult thing to do; however, setting up e-mail forwarding raises the stakes. Government-owned computers are not immune to classified spillage, nor is spillage treated with any less severity when it occurs on them, but whenever government assets are linked to private assets (even through something as simple as e-mail forwarding), that is a security flaw.  Now anything that happens to the government computer or e-mail address will happen to the personal one as well, and often the inverse is true too.

To translate this into corporate speak: Bring Your Own Device (BYOD) - enough said?
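One way an administrator can find the forwarding links this section warns about, as an added example that is not from the original post or the FBI documents: it audits an export of mailbox forwarding rules and flags every rule whose target leaves the organization. The `agency.example` domain, the CSV column layout, and the sample rows are all constructed assumptions.

```python
import csv
import io
from email.utils import parseaddr

# Assumption: domains the organization controls (hypothetical).
INTERNAL_DOMAINS = {"agency.example"}

# Constructed sample export: mailbox, forwarding target, keep local copy.
SAMPLE_EXPORT = """mailbox,forward_to,keep_copy
alice@agency.example,Alice <alice@agency.example>,yes
bob@agency.example,bob.personal@mail.example,yes
carol@agency.example,carol@agency.example.evil.example,no
dave@agency.example,DAVE@Field.Agency.Example,yes
erin@agency.example,,yes
frank@agency.example,not-an-address,no
grace@agency.example,grace@notagency.example,yes
"""

def domain_of(address):
    """Return the lower-cased domain of an address, or None if unparsable."""
    _, addr = parseaddr(address)
    if addr.count("@") != 1:
        return None
    domain = addr.rsplit("@", 1)[1].rstrip(".").lower()
    return domain or None

def is_internal(domain):
    """Exact match or true subdomain only. A substring or bare-suffix test
    would accept agency.example.evil.example or notagency.example."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def audit_forwarding(export_text):
    """Return (mailbox, target, finding) for every rule that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        target = row["forward_to"].strip()
        if not target:
            continue  # no forwarding configured on this mailbox
        domain = domain_of(target)
        if domain is None:
            findings.append((row["mailbox"], target, "unparsable target"))
        elif not is_internal(domain):
            note = "external" if row["keep_copy"] == "yes" else "external, no local copy"
            findings.append((row["mailbox"], target, note))
    return findings

if __name__ == "__main__":
    for mailbox, target, finding in audit_forwarding(SAMPLE_EXPORT):
        print(f"{mailbox} -> {target}: {finding}")
```

Rules flagged "external, no local copy" deserve attention first, since the organization retains no record of what was forwarded.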

3. Improving the User Experience

Users do stupid things.  Users do more stupid things when the programs they need to do their job don't work the way they need them to.  What Secretary Clinton did was a stupid thing - not criminal, and certainly not treasonous - but she did it because the tools she needed were not provided by government assets. While this does not absolve Secretary Clinton, it does frame the motivations that led to this questionable judgment, and can help prevent future occurrences of it.