What This Cybersecurity Expert Thinks We Should Know About Hillary Clinton’s ‘Private’ Email System

Ken McIntyre /

Americans deserve specific answers from the Obama administration about Hillary Rodham Clinton’s exclusive use of private email during her four years as the nation’s top diplomat to foreign governments, a leading cybersecurity expert says.

In an interview yesterday with The Daily Signal, Paul Rosenzweig said the U.S. government needs to get to the bottom of basic questions about the security of Clinton’s private email system while she was secretary of state, including the strength of protections against intrusions and who else had access to sensitive correspondence.

Government officials need to “capture all the emails” as soon as possible, Rosenzweig said, and then analyze the correspondence for evidence of hacking, improper deletions and other unusual activity.

“We appear to know that Hillary Clinton used a separate [Internet] domain, clintonemail.com, for official communications,” he said, adding:

What we don’t know is what steps if any were taken to maintain the security of those communications against outside intrusions. Such steps might include encryption, two-factor authentication for login, advanced intrusion-detection systems on the server maintaining the data, audits and controls, and other access restrictions—who else could access it?

But, Rosenzweig cautioned, “None of this is to say that anything is actually wrong.”

Clinton, the overwhelming favorite for the Democratic nomination for president next year, served as secretary of state under President Obama from 2009 through early 2013.

“First off, [government] should capture all of the emails. She doesn’t get to choose, right?”–@RosenzweigP on @HillaryClinton’s emails.

Clinton’s personal control of her official email communications was disclosed by The New York Times, then detailed by the Associated Press, which along with outlets such as Bloomberg has continued to flesh out the story.

For Rosenzweig, what the government needs to do is pretty simple:

First off, it should capture all of the emails. She doesn’t get to choose, right?… And then somebody ought to do an audit or analysis, maybe the Department of State’s inspector general. And look, I’d be perfectly willing to get an answer that says they did the state of the art and there’s no evidence of a hack. That’s no guarantee that there wasn’t a hack [but] I’d be much happier than I  am now.

The practices of the former first lady and U.S. senator came to light, sparking a media hullabaloo, as a House select committee probing the deadly terrorist attacks in Benghazi, Libya, in 2012 said it obtained, from Clinton’s staff, thousands of pages of emails that had not been supplied in previous congressional demands for documents.

The special Benghazi panel, chaired by Rep. Trey Gowdy, R-S.C., last night announced it had issued subpoenas to Clinton for “all communications” from her “related to Libya” and to the State Department “for other individuals who have information pertinent to the investigation,” spokesman Jamal D. Ware said.

“The committee also has issued preservation letters to Internet firms informing them of their legal obligation to protect all relevant documents,” Ware said.

BREAKING: @HouseBenghazi issues subpoenas for all communications from Secretary Clinton related to #Libya. http://t.co/mmMVyKfcid #Benghazi

— John Boehner (@SpeakerBoehner) March 4, 2015

More than five hours later, Clinton tweeted her first comment on the growing controversy about what she calls “my email”:

I want the public to see my email. I asked State to release them. They said they will review them for release as soon as possible.

— Hillary Clinton (@HillaryClinton) March 5, 2015

A former policy official at the Department of Homeland Security, Rosenzweig founded the Washington-based consulting firm Red Branch. He is the author of a book on cyber warfare and lectures on cybersecurity.

As someone who spends much of his time advising clients on law and policy on keeping systems secure, Rosenzweig has some other questions:

I would be very interested in knowing who if anyone else in the State Department was aware of this choice. Did any of them approve it? Disapprove it? Get overruled? I’d be very curious to know what the Department of State’s CIO [chief information officer] at the time thought of this.

Although a lawyer who specializes in national and homeland security, Rosenzweig refrained from commenting on the legal aspects of the email practices of Clinton and at least one of her top aides at State.

However, Steven Aftergood, director of an anti-secrecy program for the Federation of American Scientists, told The Daily Signal that use of private accounts to conduct the public’s business is especially “problematic” because it “insulates the email from the normal operation of government oversight.”

That oversight, Aftergood said, includes congressional review and requests from the public and press under the Freedom of Information Act.

“It seems clear @HillaryClinton’s actions were contrary to policy and good government.”-@saftergood @FAScientists

“For years, agencies have instructed officials that any official emails transmitted through private email accounts must be copied and archived in government databases. As of last year, that is now a requirement of law,” said Aftergood, whose project targets government secrecy in national security matters. “Since Secretary Clinton’s tenure predated the change in the statute, it is unlikely that she violated the law. But it seems clear that her actions were contrary to policy and good government.”

Aftergood said Clinton’s practice risked making the nation vulnerable because her emails were of  “intense interest to foreign intelligence services.” She may not have transmitted classified material, he said, but her correspondence “would be highly sensitive.”

“Finally,” Aftergood said in an email to The Daily Signal, “withholding such email in private accounts deforms and distorts the historical record. It’s bad all around.”

Some political observers, Democrats and Republicans alike, suggest that Clinton’s electronic communications appeared to be set up to get around federal record-keeping requirements.

“It doesn’t matter if the [private computer] server was in Foggy Bottom, Chappaqua, or Bora Bora,” House Speaker John Boehner said yesterday, referring to State Department headquarters and the home owned by Bill and Hillary Clinton in Chappaqua, N.Y. “The Benghazi select committee needs to see all of these emails, because the American people deserve all of the facts.”

>>> Commentary:  How the Cyber Threat Intelligence Integration Center Will Work

Rosenzweig, a former fellow at The Heritage Foundation, suggested that one unknown danger resides not so much in the possibility that Clinton’s private email account was less secure than an official State Department account, but in the government’s ignorance of the identity of her information technology manager.

That person or company conceivably had access to Clinton’s emails to her counterparts and other figures in such nations as Russia, China and Iran. By the same token, unfriendly forces in such foreign governments could have exploited  ways to “harvest” and target her non-official account, Aftergood and Rosenzweig said.

Although an audit of Clinton’s email setup wouldn’t necessarily confirm an intrusion, experts with the correct tools should be able to tell whether files are missing.

“In theory,” Rosenzweig said, “she could have asked someone to maintain the account that would have made it as secure as anything else.”

Security, he said, “really depends on the resources invested.”

Clinton’s routine would not have been tolerated even rarely by a State Department contractor, the cyber- and homeland security consultant said. If caught using private email for official business, “you wouldn’t be a State Department contractor very much longer.”

“We haven’t heard from Hillary Clinton yet,” Aftergood cautioned before her late-night tweet.  “I think she needs to spell out her perspective on what happened and why.”

He added in an email to The Daily Signal:

If significant doubts still linger about whether all of her official emails have been transferred back to the State Department, then a neutral third party—perhaps an official from the National Archives—could be tasked to do a forensic analysis of the Clinton email server to ensure that no such emails have been wrongly withheld.

Asked whether government officials, up to and including Obama, had a responsibility to ensure the secretary of state adhered to prescribed practices, Aftergood said:

Yes, someone should have spoken up. It may be awkward for junior staff to do so, but the White House, the archivist of the United States, and department records managers all had a duty to articulate the email preservation policy clearly and effectively.

This report has been updated.