Is Clinton’s use of a private email server a big deal or not?

A little more than a week after the New York Times first reported that she used a personal email address rather than a government account during her tenure as Secretary of State, Hillary Clinton addressed the situation in a press conference in New York on March 10. Amid the many swift, often partisan, reactions to the somewhat unsatisfying explanation she offered are two broader questions that may turn out to be more relevant than whether Clinton was, intentionally or inadvertently, keeping from public scrutiny any details about her work as Secretary of State. While it seems fairly obvious that her decision to handle her email on her own was a poor choice, the significance of that decision by itself can only be measured with the benefit of as-yet-undetermined details about whether she complied with federal record-keeping regulations and whether the private server and the communications it handled were secured sufficiently to provide adequate protection, particularly against unauthorized disclosure.

The first of these is whether Clinton’s use of a personal account and corresponding privately managed email server violated federal regulations (particularly including but not limited to the Federal Records Act) or State Department or other executive branch requirements. The Times initially reported the situation using language that strongly implied Clinton might have violated federal law, but subsequent articles more accurately described government regulations and State Department guidelines and email preservation capabilities that were in place during Clinton’s time as Secretary. The revised consensus opinion seems to be that personal email use was discouraged but not forbidden, although individuals using personal instead of government email accounts were clearly obligated to ensure appropriate security measures were in place to protect email communications. Federal records management regulations do require agencies to create and preserve documentary materials (in paper or electronic form) that relate to the conduct of official duties by agency personnel or to the transaction of public business. By furnishing her government-related emails to the State Department, Clinton would be doing precisely what federal regulations require. There is a separate but related question as to whether Clinton should have turned over the entire contents of the email server to the government for review, instead of first removing what she considered to be personal communications. While Clinton opened herself to scrutiny by preemptively separating (and apparently deleting) her personal email, the relevant records management regulations clearly distinguish “federal records” from “personal files,” the latter being defined as “documentary materials belonging to an individual that are not used to conduct agency business” and explicitly “excluded from the definition of Federal records.” (36 CFR §1220.18)

The second question is whether Clinton’s private email system should be assumed to be insecure or at least less secure than the system operated by the State Department. There are at least two dimensions to consider on this point, because the answer depends both on how effectively the Clinton email server was initially configured and maintained over time and on the security of the government email that she should presumably have used instead. Most industry observers and government security types assume that the stringent security requirements derived from FISMA and other applicable regulations make it unlikely that a private email server – even one set up at the request of a former President of the United States – could match the security controls in place for an executive agency. The State Department, however, is not in the strongest position to make such a comparison, since suspected intrusions into its own email system prompted State to temporarily shut down the entire system last November and again as recently as yesterday. Potential breaches notwithstanding, maintaining the security of an Exchange server is not a one-time undertaking, but instead requires regular maintenance, monitoring, and updates. It remains unclear what level of day-to-day operational support Clinton’s email system has or who actually manages the server on the Clintons’ behalf.

Clinton invited some skepticism when she stated during the press conference that “there were no security breaches” of the email server, which was reportedly installed and maintained within the Clinton’s personal residence. It seems likely that, if the server had been implemented incorrectly or in a manner that exposed security vulnerabilities, someone might have drawn attention to any such weaknesses, particularly in the time since Clinton’s use of the clintonemail.com domain was publicized in 2013. The Clintons have not provided any rationale for choosing a Microsoft Exchange server (although it may have been something of a default since Exchange is widely used across the government). The email server, which remains active and Internet-reachable via Outlook Web App, can easily be found, researched, and presumably subjected to scans or attempted penetration attempts, yet to date there is only speculation as to how secure (or insecure) the server might be. It does appear that the Clinton email server permits the use of username and password credentials for access, in contrast to the two-factor authentication in place at the U.S. House of Representatives, for instance, which requires users to have a RSA SecurID token to authenticate. There are many federal civilian agencies that rely solely on usernames and passwords, so if the Clintons chose to do the same that would not be outside the government norm. Security analysts might be more interested to know what sort of intrusion detection system or network monitoring, if any, is in place to watch the server for signs of unauthorized access attempts.