When the director of the FBI, James Comey, said that Secretary Clinton had been careless in her handling of classified documents sent over her private server, I felt unsettled. Whether your inclination is to defend or admonish her, the private server set up by Clinton raises lots of questions. Many more than Comey’s testimony actually answered.
I asked Dave Aitel, CEO, Immunity Inc if the suggestion that Secretary Clinton’s server was breached was only a fear tactic. Aitel said, “It’s possible that it’s a fear tactic, but it’s also a reality that it was likely breached. There is a 50/50 chance that it was actually breached, there is a 100% chance that information going to the server was collected by foreign intelligence.”
A strong possibility, Aitel said, is that she was hacked, but no one left malware on the disc.The bottom line, based on the evidence, said Aitel is that she left the front door open, a virtual ‘please come in’.
“She, on her own, hired the smallest, least competent IT firm who is also the most likely to keep their mouth shut--they aren’t going to talk about it,” said Aitel. OK, but why would she do that?
“That’s why it looks so fishy," said Aitel. "Why would anyone go to all those extremes to keep it quiet? There is something to hide. There is no other reason why she would go to these extremes. No one hires an IT firm for convenience. That’s just ridiculous. You let your job take care of it. She was clearly lying about it."
Given her stature, I questioned whether she was ever even aware of the technical logistics of how the server was set up. She's not versed in IT, so she hired a firm to take care of the technology for her. Aren't they the ones who were careless here? Whether she hired an IT firm with the intent of keeping them quiet or not, how could they not put security protocols in place?
“Even Gmail has sophisticated tools to protect data at rest and in transit. Some are to prevent from hackers getting in, and some to see where they go. There are tools for filtering email to notice anomalous logins. There are probably 100 different tools and methodologies,” Aitel said.
None of these measures were taken to secure the private email server of the Secretary of State, though, and there is still no evidence to determine whether her server was breached.
Michael Gregg, COO of Superior Solutions said, “Honestly, if we are looking at nation states, you aren’t going to expect to see evidence. They are going to do a good job at covering their tracks. For the first few months, it was just set up as an email server on the web. Anyone could find that.”
I think an obvious follow up question that no one has addressed is, If anyone can find it, why didn’t the US government find it? Gregg said, “Whether people inside the US knew about it is a separate issue.”
Why?
“We do security assessments and pen tests,” Gregg said, “and any time we have someone going to China, Russia, Eastern Europe, we give quite a bit of information about being careful at what they do. Only use encrypted email and on email servers that meet a certain standard. Her server didn’t meet those sorts of requirements.”
Again, I go back to the question, Why? How has any of this been convenient or beneficial for Clinton? Gregg said, "To some degree it's somewhat scary because either she didn’t know or doesn’t understand, or she did know and thought that her access and usability overrode concerns for security."
What many in the intelligence community fear is that she doesn’t understand. "This is really an issue of most importance. The number of companies and government entities from power to gas. If there is some other type of war or outbreak, those systems are going to be targeted," Gregg said.
Looking forward, Aitel said, "There is about an 80% chance that she is going to be our next President. How is this going to impact her presidency? Is she going to have difficulty talking about cyber security?"
Several pressing issues will demand that the President be able to rationally and intelligently create policies that will impact national security. Aitel said one of the most important of those issues is negotiating privacy shields with Europeans.
"That's intense policy work. There is also handling the “Snowden” effect and other matters that happened on her watch, like Wiki Leaks. The Apple vs IBM encryption debate. Technology on encryption law enforcement. You can’t have it both ways, and if you don’t understand the policy, you think you can have it both ways," Aitel said.
The one thing that is clear in the aftermath of Comey's indictment of Secretary Clinton is that he set a precedent: moving forward, we are leaving no room for carelessness in cyber security.