Sunday, April 10, 2016

Clinton's email issue and the recent history of the federal government's Swiss Cheese information systems



I was recently asked if the email issue facing Hillary Clinton represents a serious threat to her becoming President.

Since I began working with computers in 1970 and have been using email since the mid-1990's, I had to take some time thinking about this controversy. The problem as it has been described is that Hillary regularly, but not always, used a personal email server for State Department business email.

One has to look at the reality that, outside of the military, the federal government's IT systems are generally out-of-date and, based on stories about them being hacked, look more like Swiss cheese than bricks. If you are unaware of the long list of U.S. government servers that have been hacked (even interdepartmentally, such as when the CIA improperly hacked into Senate Intelligence Committee computers), you really are disconnected from the news.

Anyway, knowing that since the 1980's I have personally owned more sophisticated computer systems than those available at work to almost all federal employees other than those in the military, I felt I needed to take a quick look back at the "big picture" view of the problem rather than from some kind of black and white judgemental view.

Email. According to Wikipedia:
Electronic mail, most commonly called email or e-mail since around 1993, is a method of exchanging digital messages from an author to one or more recipients. Email operates across the Internet or other computer networks.

U.S. Secretaries of State:
  • January 23, 1997-January 20, 2001 - Madeleine Albright, and her predecessors, didn't use email.
  • January 20, 2001-January 26, 2005 - Colin Powell, whose career was in the military where not only was IT funded but employees were expected to understand and use it, received classified information through personal email accounts; stated: "And, in fact, a lot of the e-mails that came out of my personal account went into the State Department system."; stated: "I wish they would release them," Powell said, "so that a normal, air-breathing mammal would look at them and say, 'What's the issue?'"; stated about his complete overhaul of the State Department computer systems:  "What I did when I entered the State Department, I found an antiquated system that had to be modernized and modernized quickly. So we put in place new systems, bought 44,000 computers and put a new Internet capable computer on every single desk in every embassy, every office in the State Department. And then I connected it with software. But in order to change the culture, to change the brainware, as I call it, I started using it in order to get everybody to use it, so we could be a 21st century institution and not a 19th century."
  • January 26, 2005-January 20, 2009 - Condoleezza Rice didn't use email, though some staffers did send or receive classified information through personal email.
  • January 21, 2009-February 1, 2013 - Hillary Clinton, used a personal email server which has been criticized; when she became Secretary of State the WikiLeaks problem was just coming to light - you may recall that was when secret official military, State Department, and other security information had been compromised because the federal government computer/records systems were/are inadequately secured and woefully out of date.
As someone who has worked with confidential law enforcement information and with computers for over four decades, in 2009 I would have preferred to use a system I designed over the State Department system. The fact that Clinton could use a non-public personal server was better than what many, many government officials were doing.

Which leads us to this 2016 story, "FBI Quietly Admits to Multi-Year APT Attack, Sensitive Data Stolen":
The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data.

The FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack.

“This is a rare alert and a little late, but one that is welcomed by all security vendors as it offers a chance to mitigate their customers and also collaborate further in what appears to be an ongoing FBI investigation,” said Deepen Desai, director of security research at the security firm Zscaler in an email to Threatpost.

Details regarding the actual attack and what government systems were infected are scant. Government officials said they knew the initial attack occurred in 2011, but are unaware of who specifically is behind the attacks.

“Given the nature of malware payload involved and the duration of this compromise being unnoticed – the scope of lateral movement inside the compromised network is very high possibly exposing all the critical systems,” Deepen said.

In June 2011 an "interesting" email problem developed as described in this article:
The targeted phishing scheme that struck hundreds of top U.S. government officials' personal Gmail accounts was neither difficult to perform nor incredibly sophisticated.

The attackers were able to pose as legitimate, trusted senders from the State Department, Office of the Secretary of Defense and the Defense Intelligence Agency by sending e-mails from what appeared -- even on close inspection -- to be real e-mail addresses ending in familiar domains like state.gov, osd.mil and dia.mil.

To accomplish that, the attackers told their mail server to send e-mails from the spoofed addresses rather than their own. Though most e-mail clients like Gmail or Microsoft Outlook don't allow users to do that, that's one of the fields an administrator of an e-mail server can easily change.

When that's done, it's incredibly difficult or sometimes impossible for a user to know that the sender is really an impostor.
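
A receiving-side check for the forged sender address described in the quoted article, added here as an example (it is not from the article or from this blog). It assumes the receiving mail server stamps an `Authentication-Results` header, uses a simplified domain-alignment rule, and runs on constructed messages with reserved `.example` domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of an address header such as From, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def aligned(a, b):
    """Simplified alignment: same domain or a true subdomain (dot boundary)."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def authenticated_domains(msg):
    """Domains with spf=pass or dkim=pass, per our own server's stamped results."""
    passed = set()
    for header in msg.get_all("Authentication-Results") or []:
        for clause in header.split(";"):
            method = re.search(r"\b(spf|dkim)=pass\b", clause)
            if not method:
                continue
            key = "smtp.mailfrom" if method.group(1) == "spf" else "header.d"
            value = re.search(re.escape(key) + r"=(\S+)", clause)
            if value:
                passed.add(value.group(1).rpartition("@")[2].lower())
    return passed

def verdict(raw_message):
    """'aligned' if an authenticated domain matches the visible From domain."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    if any(aligned(from_domain, d) for d in authenticated_domains(msg)):
        return "aligned"
    return "unauthenticated-from"

# Constructed sample messages; every domain is a reserved .example name.
SPOOFED = (
    "Authentication-Results: mx.receiver.example;"
    " spf=pass smtp.mailfrom=bounce@bulk-sender.example; dkim=none\n"
    "From: Policy Office <policy@agency.example>\n"
    "Subject: Draft statement\n\nPlease review.\n")
GENUINE = (
    "Authentication-Results: mx.receiver.example;"
    " spf=pass smtp.mailfrom=agency.example; dkim=pass header.d=agency.example\n"
    "From: Policy Office <policy@agency.example>\n"
    "Subject: Draft statement\n\nPlease review.\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, "->", verdict(raw))
```

The first message passes SPF for the domain that actually sent it, yet nothing authenticated matches the address the reader sees, which is the gap the spoofed messages relied on.
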
I want to believe things are better now, that when John Kerry became Secretary of State on February 1, 2013, the IT used by the State Department was brought up to current standards by the end of Clinton's term and is constantly being upgraded, that things are at least as reliable and secure as that iPhone the FBI struggled to hack. I want to believe that, but one has to wonder about the federal government security systems, since the CIA improperly hacked into Senate Intelligence Committee computers but the federal government could not hack an iPhone.

And that 2016 Advanced Persistent Threat 6 story seems to squash my wishes that they are doing better.

One could make an argument the primary legal obligation of officials like the Secretary of State is to protect certain classes of information which could become classified at some future date (no known information that was classified at the time an email was sent is contained in the Clinton email disclosed to date). Public records laws notwithstanding, to have used the government's systems in 2009 through 2013 would seem almost a dereliction of that duty because those government systems were so inadequately secured.

Is this whole controversy just politically motivated or a legal threat to Clinton becoming President? Any good attorney would know that the first hurdle to make a legal case is to prove that Hillary, an attorney herself, plotted to have her email set up on a personal server for a nefarious purpose which is illegal. If real evidence of that intent on the part of Hillary exists, then she has more than one problem.

Absent that evidence, I think a pretty good choice was made to use a private server over the Swiss cheese technology used by the government in that period.
