The FBI's failure to recommend criminal action against Hillary Clinton for use of a rogue email system for her (by her own admission) personal "convenience" is a "your adjective here" failure to support good information security practice.
Consider: Ms. Clinton claimed that none of the emails were classified at the time of the original exchange. She did not specify the level of classification.
- At a minimum, all State Department correspondence is classified "Internal Use Only". There is no "Public" email communication, except through approved messaging channels. Moreover, any of her emails about department affairs as the "chief executive" of the State Department would/should automatically carry a classification of State Department Confidential or higher, much as it would in a commercial enterprise.
- As Secretary of State, she held ultimate responsibility and authority to assure and enforce compliance with State Department policies. Her rogue email system is a compliance failure, and represents an ethical failure and a breach of trust. Even beyond email, her interest in her own personal "convenience" went so far as to ask for an exception to the blackout requirements in the State Department SCIF.
- As Secretary of State, she was ultimately responsible for assuring the proper classification of State Department messaging. The FBI identified over 2,000 emails that contained highly sensitive information. It stretches credibility to believe that the information in her emails became so highly sensitive only after the message exchanges.
As a "weakest link" user, Ms. Clinton's actions were beyond a security risk; they were outright dangerous, and her bias toward personal convenience over good security practice set a totally improper "tone at the top" regarding information security. Would these conditions not constitute an actionable information security policy breach for anyone else in any other organization?
We will remain vulnerable to cyber-security breaches so long as our determination to protect ourselves does not equal or exceed the determination of the threat actors to compromise us. And, we need the strongest support of our leadership and our law enforcement agencies to have any chance of success.
Epic fail for Information Security.