“Longstanding, systemic weaknesses” prevented the State Department from meeting record-keeping requirements detailed in the Federal Records Act and kept the agency from properly managing associated cyber-security risks, according to an Inspector General's report released Tuesday that found transgressions stretching across a 20-year period.
As expected, the IG report took issue with former secretary of state Hillary Clinton's use of a private email server while in office, noting that before leaving office she did not comply with State Department policies for preserving records or surrendering emails that dealt with agency business. The IG report agreed with the National Archives and Records Administration (NARA) that “Clinton's production of 55,000 pages of emails mitigated her failure to properly preserve emails that qualified as Federal records during her tenure,” but called the production “incomplete.”
But, the IG report stressed, Clinton's tenure wasn't the only one marked by poor record-keeping habits and departures from established rules and policies around electronic records.
Former secretary Colin Powell and current secretary of state John Kerry both used personal email, as did some of Condoleezza Rice's staff members. Madeleine Albright was the only one to get off mostly scot-free, in large part because, as the report pointed out, during her stint as secretary “desktop unclassified email and access to the Internet were not widely available to Department employees.”
Clinton's email practices have become a hot-button topic in her run for the Democratic presidential nomination after a Senate committee investigating the deaths of Americans in Benghazi discovered she used a private email server for State business. And indeed, the IG report noted, the former secretary of state nearly exclusively used her personal email to conduct official business without requesting or obtaining guidance or approval to do so.
Some of Clinton's staff discussed concerns over her use of private email and that “the non-Departmental advisor to President Clinton who provided technical support to the Clinton email system notified the secretary's deputy chief of staff for operations that he had to shut down the server because he believed ‘someone was trying to hack us and while they did not get in i didnt [sic] want to let them have the chance to.'”
“It's well known that the most sophisticated cyber-criminals target people, not machines, which makes it all the more crucial that organisations educate their users as a first line of defence. This is a very good example of the worst possible practice, not only highlighting the problems of 'bring your own device' but 'bring your own server' as well,” Matthew Ravden, chief marketing officer and vice president at Balabit, said in comments emailed to SCMagazine.com.
Overall, the State Department “and the Office of the Secretary in particular have been slow to recognise and to manage effectively the legal requirements and cyber-security risks associated with electronic data communications, particularly as those risks pertain to its most senior leadership,” the IG report said.
But the State Department doesn't differ wildly from other government agencies, which have also given short shrift to records management. The IG report referred to a 2010 Government Accountability Office (GAO) report which found that the bulk of agencies don't give records management priority and that their policies and procedures are outdated.
“In its most recent annual assessment of records management, NARA identified similar weaknesses across the Federal Government with regard to electronic records in particular,” the IG report said. “NARA reported that 80 percent of agencies had an elevated risk for the improper management of electronic records, reflecting serious challenges handling vast amounts of email, integrating records management functionality into electronic systems, and adapting to the changing technological and regulatory environments.”
Those weaknesses can have a profound impact on cyber-security. “Department employees must use agency-authorised information systems to conduct normal day-to-day operations because the use of non-Departmental systems creates significant security risks,” the IG said, noting that threats and attacks against the State Department have increased over the last decade. “One of the primary reasons that Department policy requires the use of Department systems is to guard against cyber-security incidents.”
Since 2002, Department employees have been prohibited from auto-forwarding their email to a personal email address “to preclude inadvertent transmission of SBU [sensitive, but unclassified] email on the internet.”
And indeed, the State Department has issued numerous warnings about those risks.
“This incident really does highlight the need to educate users as a first line of defence,” Ravden said. “There are sophisticated activity monitoring solutions available today that can track a user in real time when they are operating within an organisation's established IT infrastructure. But as soon as they go off the grid and start using personal email on mobile devices, accessing private servers or public clouds, they really are at the mercy of cyber-criminals.”
To bring the department up to speed and strengthen its record-keeping and cyber-security postures, the IG recommended that the State Department's Bureau of Administration continue to issue guidance through periodic notices discouraging personal email use, develop a quality assurance plan to address vulnerabilities in records preservation, and conduct an inventory of all electronic and hardcopy files.
The IG also suggested improving policies and procedures for compliance with records management requirements and regularly notifying employees “of the risks associated with the use of non-Departmental systems.” The agency, too, could benefit from regular audits of computer usage and from establishing administrative penalties for employees who don't comply with record-keeping rules and with the department policy to use only authorised information systems for day-to-day operations.
Some security professionals believe that the State Department needs to add more bite to its bark. “Due to the ever-increasing number of threats and their sophistication, using the tools available to protect your devices, your network and your email servers is essential,” Craig Kensek, security expert at Lastline, said in emailed comments to SCMagazine.com. “For people with a law degree, there is a vast difference between 'guideline' and 'mandatory guideline' (call it a requirement).”
“Mandatory” should have been the order of the day, years ago, Kensek said. “I can see encrypting emails – both on the server and in transit – becoming a requirement in certain sectors of the government. Meanwhile there are numerous stories in the press about this particular server being hacked.”