Thursday, June 30, 2016

Government server security is a joke - why the attack on Hillary Clinton?

It's time to quit pretending that Hillary Clinton's use of a private email server is a bigger scandal than the sorry state of government computer systems including the State Department's.

I keep getting asked about the Clinton email investigation. So let me answer all your questions.

The issue of Hillary Clinton's private email server. Her explanation is that she wanted to use her Blackberry cell phone.

The thing is, I have a close friend who is about her age who loves the Blackberry and despises the smart phones like the iPhone and Samsung Galaxy phones. I'm actually older than both of them, so I understand why they feel that way. For the Millennials let me show you why:

For you iPhone Millennials, that's a Blackberry. While it is a phone first, it also can do texts and email. But unlike the "smart" phones you love, it has a real keyboard. And it is a QWERTY keyboard for those of us who spent decades typing, first on typewriters and then on computer keyboards. We make far fewer mistakes and we don't want the phone using some kind of auto-correct to change the words we type.

Like it or not, the Secretary of State should be able to use a Blackberry if she wants to, without some tech security wonk insisting she fumble with the latest hot smartphone. In making this statement I have credentials as a tech wonk.

I began working with a computer in 1970 - an IBM 360 - and was operating a computer services business in 1980 with Tandy Model II's. I maintained a sustained level of expertise with computers and the internet since. A decade ago I quit assembling computers and I don't run my own server because in both cases the complexities have compounded and maintenance is a nightmare for one old man. With that said, let's take a look at the truth about that whole government email/server security issue.

It is not unreasonable to assert that some of, if not most of, the worst computer operations in large organizations in the United States can be found in federal and state government.

And based on hacks during the first 15 years of the 21st Century, some of the world's least effective security measures could be found being used in the federal government's computer operations at:
  •  The White House
  • The Department of Energy
  • The Internal Revenue Service
  • The Office of Personnel Management
  • The Army Corps of Engineers
  • NOAA
  • US Postal Service
  • The Department of Education
  • The FBI
  • The Department of Homeland Security
  • Nuclear Regulatory Commission, and
  • The State Department
The State Department is one of the worst. And it's simply because, unlike you or me or even the Clinton's, in order to update their equipment and software federal government agencies must use a 19th Century acquisition process that looks something like this:
  1. prepare a description of a need which must be integrated into the department's budget request (a one year process);
  2. get an appropriation from Congress (typically a two year process);
  3. get the General Services Administration (GSA) to prepare a complete request for bids (typically at least a six month process);
  4. get the GSA to receive and review the bids, issue a contract to the lowest bidder, and then issue a notice to proceed (another six months);
  5. monitor the work of the lowest bidder and sometime around 18 months into the work, fire them and hire someone else - not the lowest bidder - to actually finish the job at 400% of budget (another two years);
  6. teach everyone to use the system (another six months);
  7. discover that the "new" system is completely out of date and was out of date by the time Congress appropriated the money because this is 21st Century  and to be even moderately secure technology must be substantially upgraded in an ongoing 18 month cycle.
It appears that when he was Secretary of State Colin Powell used AOL email. He correctly felt that the State Department system was too primitive. He was used to the military where Congress provided blanket funding for updating state-of-the-art computer systems frequently using the military's own personnel. (Still it must be noted that The Joint Chiefs of Staff took its email system off line because of some suspicious probes over the weekend of July 25, 2015 - but that system provided warnings.) To his credit, Powell did initiate the process described above to assure that the next Secretary of State would have a system only two or three generations behind current standards.

Just to make it clear that I'm not creating a picture of a problem that doesn't exist, consider the following recent stories:
And, consider this 2006 story Hackers attack State Department computers which is an indicator of what was going on prior to 2012 after which we started getting more transparency about this matter from the federal government.

Finally, we can't ignore these November 2015 stories Iranian Hackers Attack State Dept. via Social Media Accounts and Facebook Notifies State Department Employees of Iran Hacks nor can we ignore this 2016 story ISIS-aligned hackers leak confidential info on 43 US State Dept employees.

For a more thorough review of 21st Century federal government computer security failures you can download and read Security Matters (1.8Mb PDF file).

So when Hillary reluctantly said her using a  private server "was bad judgment", as someone who can lay claim to at least some computer/device expertise I wholeheartedly disagreed with her. She did not use bad judgement.

First, there was no security reason to not use her own server as the State Department's servers offer almost no viable security.

Second there is no reason, indeed no excuse, to make the Secretary of State use a device that is awkward to use for her.

Finally, if it is so important to the American people to have the State Department retain control of the emails for all time, Congress should have funded any and all equipment and systems needed for the Secretary of State to function.

A nice negligible annual lump sum of $330 million ($1 a year per American citizen as an additional cell phone service tax because they think this is really important) to be spent as needed by nerds hired from those funds by the Secretary of State to do nothing but provide computer services and devices that are secure and also convenient solely for the Secretary of State and her/his staff. Most importantly, the spending of those funds must be exempt from all General Services Administration purchasing procedures.

The ultimate point here is that yes, there were rules put in place under the guise of security requirements. As with typical government bureaucracy, the rules focused not on the needs of employees nor were they realistically related to security. They just looked good on paper so that those who should be concerned didn't have to be - the rules looked good because they implied there was sufficient security in place when, in fact, frustrated tech employees knew better and knew the government environment will never allow for sufficient security because the mostly-tech-ignorant public elects mostly-tech-ignorant politicians to Congress.

And by the way, the FBI needs to divert from the Clinton investigation resources needed to do something properly computer security related so that we don't keep reading stories like Hacker Claims Breaching FBI Server, Exposes Details of 80 Miami Police Officers.

Let's quit pretending that Clinton's private server is a bigger scandal than the sorry state of our government computer technology. When Congress has funded for our government agencies proper computer technology by levying an excise tax on smartphones and tablets, then we can worry about whose email is stored where.

Finally, don't pretend that this is some reason not to vote for Hillary Clinton. It is only some reason to not vote for Republican candidates for Congress who have not addressed the subject of security for federal computers systems nor provided adequate funds for that security.

No comments: