FBI Failure: Will Not Recommend Action on Clinton eMail

Opinion Article:

The FBI's failure to recommend criminal action against Hillary Clinton for use of a rogue email system for her (by her own admission) personal "convenience" is a "your adjective here" failure to support good information security practice.

Consider: Ms. Clinton claimed that none of the emails were classified at the time of the original exchange. She did not specify the level of classification.

  • At a minimum, all State Department correspondence is classified "Internal Use Only". There is no "Public" email communication, except through approved messaging channels. Moreover, any of her emails about department affairs as the "chief executive" of the State Department would/should automatically carry a classification of State Department Confidential or higher, much as it would in a commercial enterprise.
  • As Secretary of State, she held ultimate responsibility and authority to assure and enforce compliance with State Department policies. Her rogue email system is a compliance failure, and represents an ethical failure and a breach of trust. Even beyond email, her interest in her own personal "convenience" went so far as to ask for an exception to the blackout requirements in the State Department SCIF.
  • As Secretary of State, she was ultimately responsible for assuring the proper classification of State Department messaging. The FBI identified over 2,000 emails that contained highly sensitive information. It stretches credibility to believe that the information in her emails became so highly sensitive subsequent to the message exchanges.

As a "weakest link" user, Ms. Clinton's actions were beyond a security risk; they were outright dangerous, and her bias toward personal convenience over good security practice set a totally improper "tone at the top" regarding information security. Would these conditions not constitute an actionable information security policy breach for anyone else in any other organization?

We will remain vulnerable to cyber-security breaches so long as our determination to protect ourselves does not equal or exceed the determination of the threat actors to compromise us. And, we need the strongest support of our leadership and our law enforcement agencies to have any chance of success.

Epic fail for Information Security.

There are 3 Comments

The Congressional Hearings with FBI Director Comey shed some light on this.  You can almost see the early discussions at the FBI to answer the questions: How do we protect Clinton and dodge the political bullet this situation represents?   The Answer: Investigate for Criminal Intent (ignoring the violations of security policy).
There was never any question of criminal intent, only an intent of "personal convenience."  The FBI wasted everyone's time and money, but hey! Nicely dodged, FBI.  Director Comey defended the FBI's action as consistent with direction from Congress.
In follow-on, perhaps recognizing the limitations of the FBI investigation, the U.S. State Department announced today that they would be re-opening their own investigation.