Last week I wrote Who is the information security preferred candidate? A look at presidential election 2016. In four criteria related to information security, each candidate was split 50/50, which mimicked the overall popular vote.
In the days following, Secretary Clinton largely blamed FBI Director James Comey for her election loss. After the dust of history subsides in the coming decades, historians will determine Comey’s real impact. What can be said now with near certainty is that Clinton might have been a pretty good president had she used Pretty Good Privacy (PGP) software.
Had she used effective email security software (I selected PGP since it makes for a catchy title), it would have changed her email catastrophe into a non-issue.
For the final 18 months of the campaign, Clinton had to deal with issues surrounding the private email server she used for some of her official communications, rather than approved State Department email accounts which are maintained on government owned and managed systems.
Clinton’s folly gave Donald Trump a significant advantage since he turned it into a worst-case scenario, where classified secrets were made known to the worst enemies of the US. And without logging to show actual access to the email, we’ll never know for sure. The episode turned into a he said/she said about the contents of the messages, and if adversaries could have read them. Had she used PGP, there would be no debate and things would have pretty much ended there.
The use of message encryption would have enabled Clinton to say that she was wrong, but that even had messages gotten into the hands of our enemies, they wouldn’t be able to read them. Such an approach would have concluded the issue and she could have walked away with the equivalent of an information security misdemeanor.
Clinton could have based her mea culpa on the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) that states that if protected health information is breached, but was secured via a minimum approved standard of strong encryption, then a covered entity does not have to declare a breach, nor take the expensive and potentially embarrassing steps of notifying patients or insureds.
In September 2015, a contrite Clinton told ABC News David Muir that using a personal email account while Secretary of State was a “mistake” and that she was “sorry” for it.
Rebecca Herold, president of SIMBUS360 and CEO, The Privacy Professor said that she performed over 100 security assessment at the same time Clinton was Secretary of State and owner of a private email server. Most of the business executives and others within the organizations she was auditing were also using private email accounts, most of which were not their own private email servers in their home, but free services like Yahoo! Mail and Gmail.
Like most of the executives in those 100+ assessments performed by Herold, Clinton’s desire to use email was quite high and it seems the awareness of the associated data security risks was quite low, which made for an information security risk perfect storm.
Had Clinton used PGP, or some other strong encryption method, she could have taken a more offensive approach to the accusations and stated that even though others before her in the Cabinet had also used private email accounts, it was still a mistake to use a private server.
However, she could have also pointed out that since she did strongly encrypt all her messages, and associated data, that the messages and data were unreadable by any adversary. She could have even joked that even the NSA couldn’t break the encryption. Had Trump belabored the point, she could have even turned the table and pointed out that had Trump used the good security she had in place, he also would not have been embarrassed by media leaks.
The cautionary tale of the Hillary Clinton email controversy is that a little email encryption goes a long way. Strong email security is an essential element; be it of a presidential campaign or a corporate security endeavor.
Clinton didn’t necessarily even have to spend a lot of money on a commercial secure email gateway. Open source email security systems such as MailScanner or Apache James are easily and freely available.
During the campaign, Clinton raised and spent nearly $1 billion. She could’ve used these open source tools or even enterprise software like PGP or Proofpoint for a few thousand dollars. That’s a pretty compelling example where information security can obviate a career-ending mistake. And that’s a classic example of what could have been a great return on security investment.