Clinton email highlights frustrating reality of bypassed IT policies

Don't like security restrictions on communications and devices? Just ignore them.

An email recently released by House Democrats isn't just a political response to Hillary Clinton's usage of personal technology while Secretary of State.

The email between Clinton and General Colin Powell is a textbook example of what some call Shadow IT, and of a problem IT teams face daily with executives and senior officials.

In January of 2009, Secretary Clinton emailed General Colin Powell, one of her predecessors, with a question. What were the restrictions placed on him with regard to his usage of a BlackBerry? Did he use one in his personal office?

Clinton was frustrated, because the Diplomatic Security Service (DSS, the security arm of State's Bureau of Diplomatic Security, DS) knew he had one and used it, but no one would admit to knowing how he did it. She wanted to use hers at the State Department, but she had hit some roadblocks. So how did he manage to get around DSS restrictions?

"I didn't have a BlackBerry," General Powell said in his response.

"What I did do was have a personal computer that was hooked up to a private phone line (sounds ancient). So I could communicate with a wide range of friends directly without it going through the State Department servers. I even used it to do business with some foreign leaders and some of the senior folks in the Department on their personal email accounts."

He goes on to say that he used a PDA in spite of "all sorts of nonsense" from the CIA and NSA "about how they gave out signals and could be read by spies, etc."

General Powell's staff even went so far as to open a PDA up for inspection so the intelligence and security experts could "try to explain to me why it was more dangerous than say, a remote control for one of the many TVs in the suite."

"They never satisfied me and NSA/CIA wouldn't back off. So, we just went about our business and stopped asking," he said, concluding his answer to Clinton's questions.

General Powell just described what some in the security industry call Shadow IT. It's more of a marketing term, one that helps vendors sell monitoring products of various kinds, but the underlying issue is real. Essentially, Shadow IT is any service or technology that's used without an organization's knowledge or approval.

Don't allow employees to store things outside of their shared network drive? That's okay; they'll use USB drives, email documents to themselves, or create a Dropbox account for when they need to work from home. Shadow IT can also include Excel spreadsheets used as systems of record, local database installs, Skype, or any SaaS offering that someone can sign up for on their own.
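The monitoring products mentioned above mostly boil down to one check: compare outbound traffic against a list of sanctioned services and flag what falls outside it. The following is an added example, not code from the original article or from any vendor, showing that check over a constructed web-proxy log. The log format (timestamp, client IP, user, method, URL, status, bytes sent by the client), the sanctioned/file-sharing/webmail domain sets and the upload threshold are all assumptions made for the example; a real deployment would take them from the proxy's category feed and the organization's own approved-services list.

```python
"""Flag likely Shadow IT in outbound web-proxy logs (added example).

Assumptions: a simple whitespace-separated proxy access log, illustrative
domain lists, and a fixed upload-size threshold. None of this is taken
from the article; the sample log lines are constructed, not real traffic.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed categories. Replace with the proxy/CASB category feed and the
# organization's list of approved services.
SANCTIONED = {"sharepoint.example.com", "mail.example.com"}
FILE_SHARING = {"dropbox.com", "drive.google.com", "wetransfer.com", "box.com"}
PERSONAL_WEBMAIL = {"mail.google.com", "outlook.live.com", "mail.yahoo.com"}
UPLOAD_THRESHOLD = 5_000_000  # bytes sent in one request; tune per environment

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2009-01-23T09:12:01Z 10.1.2.3 alice POST https://www.dropbox.com/upload 200 8123456
2009-01-23T09:13:44Z 10.1.2.3 alice GET https://sharepoint.example.com/doc.docx 200 0
2009-01-23T09:15:02Z 10.1.2.9 bob POST https://mail.google.com/mail/u/0/?attach 200 6400000
2009-01-23T09:16:30Z 10.1.2.9 bob GET https://mail.google.com/mail/u/0/ 200 0
2009-01-23T09:20:11Z 10.1.2.7 carol GET https://drive.google.com/drive/my-drive 200 0
2009-01-23T09:21:00Z 10.1.2.7 carol GET https://www.cnn.com/ 200 0
"""


def parse_line(line):
    """Split one assumed-format log line into a record dict."""
    ts, client, user, method, url, status, client_bytes = line.split()
    host = urlsplit(url).hostname or ""
    return {"ts": ts, "client": client, "user": user, "method": method,
            "host": host, "status": int(status),
            "client_bytes": int(client_bytes)}


def match_domain(host, domains):
    """Return the entry in `domains` that `host` equals or is a subdomain of."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def find_shadow_it(log_text):
    """Return (user, reason, domain) tuples for suspicious requests.

    Sanctioned hosts are skipped. Any request to a file-sharing service is
    flagged; personal webmail is only flagged on a large POST, since simply
    reading personal mail is usually tolerated while bulk uploads are not.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if match_domain(rec["host"], SANCTIONED):
            continue
        d = match_domain(rec["host"], FILE_SHARING)
        if d:
            findings.append((rec["user"], "unsanctioned file sharing", d))
            continue
        d = match_domain(rec["host"], PERSONAL_WEBMAIL)
        if d and rec["method"] == "POST" and rec["client_bytes"] >= UPLOAD_THRESHOLD:
            findings.append((rec["user"], "large upload to personal webmail", d))
    return findings


def summarize(findings):
    """Group findings per user so the report reads per person, not per hit."""
    by_user = defaultdict(list)
    for user, reason, domain in findings:
        by_user[user].append(f"{reason} ({domain})")
    return dict(by_user)


if __name__ == "__main__":
    for user, items in summarize(find_shadow_it(SAMPLE_LOG)).items():
        print(f"{user}: {'; '.join(items)}")
```

The point of the summary step is the one the article makes: a list of domains is a vendor's report, while a list of people who routed around policy is the conversation IT actually has to have. Note also what the check cannot see, which is the Powell case itself: a separate machine on a separate line never touches the corporate proxy at all.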

The pain of Shadow IT exists because people feel the organization's IT policies don't make sense or impede workflow. So instead of working with the policy or with the organization to change the policy, employees will simply look for ways to bypass the restrictions on their own.

Let's look at that quote again:

"So, we just went about our business and stopped asking."

Everyone who has ever worked on a helpdesk can share stories about executives who have disabled antivirus, requested a different OS configuration, demanded administrator rights, or demanded additional software installation and support. It's a nightmare, really.

But since the early 2000s, technology has given all employees (not just executives or senior officials) a capability that sits outside of the IT department's control. They don't need permission from IT to register for a service; all they have to do is click a button. So, as consumer IT offerings appeared, employees stopped asking and demanding. They just went about their business.

The email was released for political reasons, but the lesson here isn't just about public politics – it's about corporate politics too.

General Powell wanted something; he didn't like the reasons given when his requests were denied, so he just bypassed policy and did it anyway. He used his unknown (and perhaps even unapproved) IT access to conduct business outside of normal operating channels, because it was convenient and that's how he wanted things done.

Again, the actions described in this email are commonplace; this isn't a one-time issue in government or private sector IT. It's a regular battle that's fought daily in cube farms across the globe.

Working in IT is hard enough, but the pressure is compounded when executives and senior officials feel they know better than the experts do.

Telling the CEO no is never a wise career move, and the same can be said for giving such directives to a four-star general. Sadly, there's very little anyone can do to stop it. Because when they ignore policy or directives, and they will, all the IT team can do is sit there and take it.

As for General Powell's issues with his PDA and the skepticism around what the CIA / NSA / DSS were saying, Lesley Carhart (@hacks4pancakes) covered that issue rather well in a recent blog post.

"Personal communication devices, and to a greater extent smartphones, are a game changer. Every function that a Cold War-era industrial or military spy could want of a bug is a standard feature of the smartphones that billions of people carry everywhere. Most have excellent front and rear facing cameras. They have microphones capable of working at conference phone range. They have storage capable of holding hours of recording, multiple radio transmitters, and integrated GPS. James Bond's dream."

Copyright © 2016 IDG Communications, Inc.