John Montana

The Hillary Clinton email brouhaha has in many respects taken front and center in the political arena. But leaving aside the politics of it, there are many records management and information governance aspects of the whole affair that are important and valuable to those of us in the records and information management business, regardless of our political leanings and regardless of our desired outcome. So, let’s have a look at what we can learn from the episode, and what we might do differently in our own organizations based on that learning.

There are some facts that are essentially uncontested because both sides in this dispute agree on them:

  • Clinton set up her own email server
  • she used it to conduct official State Department business
  • the server was outside of the control of normal government information management processes
  • Clinton retained it after leaving government service and only returned it in a wiped condition 2 years later
  • the emails produced by her purporting to be her entire repository of official business, were the product of a review conducted entirely by her and her personal subordinates
  • some of the emails contain information which was classified or otherwise restricted

Some other facts are not quite so agreed-upon, but the recent Inspector General report appears to make a compelling case that they are indeed facts:

  • Clinton did not obtain permission for the set up, nor would she have received it from security officials had she sought it
  • subordinates who realized what was happening and raised the issue were effectively silenced
  • there was concern about the security of the whole arrangement, and at least some evidence that hacking was attempted, if not successful

I know a man who does Black Box work for the NSA. I’m interested in that sort of thing, so I’ve had a lot of conversations with him over the years (not to worry – he tells me absolutely zero about the specifics of his own job and his own projects, we only speak in generalities, but that’s more than interesting enough), and one of the things we’ve talked about is how you go about breaking into secured systems. One comment that he made has stuck with me for a long time: you don’t attack the system, you go after the people, because they are the weak link, and if you find the person who’s the weak link you can make the most secure system fail through them.

In this case, the State Department had secure systems through which classified information could have been sent and should have been sent. Personnel, including Clinton, were briefed on security policy and on the use of those systems. So in theory, based upon the process in place in the policies and procedures and training surrounding that process, Clinton’s email should have been secure. But it was not.

Why? Because Clinton and her close subordinates elected to do an end-around. And it turns out that doing so was trivially easy. And it likewise turns out that because she was a relatively high status individual, any complaints or concerns could be squelched with relative ease. For purposes of this discussion, it doesn’t matter what her motives were, or whether her server was hacked or not. What matters is that it turned out to be a simple matter for her to sidestep the entire security process and make that information available for hacking on what appears to have been a relatively unsecure server. And the United States government, with all of its resources and all of its technical expertise, could do nothing to stop her. The Secretary of State was the weak link, and compromised the system for four years.

What could have been done to prevent this? Realistically, the answer is probably ‘nothing’. The reality is that if a person with either technical sophistication or a reasonably high-level of authority chooses to defeat your system, they can, and there’s probably nothing you can do about it. In fact, they don’t even need either of the above, merely a will to defeat the system. The only difference between a high level person doing the defeating and a low-level person doing the defeating is that the low-level guy may possibly be able to do less damage – although Edward Snowden and Chelsea Manning would seem to refute that notion pretty effectively.

That isn’t to say that personnel – in government, private business or elsewhere – are corrupt, or interested in destroying your organization, or out to get rich at your expense. It’s simply this – policies, procedures and processes begin as words on a page. If you are not careful, that’s exactly what they remain. It’s very easy to write a compliant policy that conforms strictly to the letter of the law, and demands all sorts of things of your personnel. It’s quite another to get those personnel to actually comply with your policy. Certainly, there are cases where their decision to not comply is self-serving, however as often as not, probably much more often than not, the reason they feel compelled to defeat your policy is that your policy may interfere with actually getting their jobs done. And they want to do a good job, and try to do a good job, but if company policies are hindering those goals then they’ll often try work-arounds. So it isn’t enough to write a policy, or to inform your employees of the policy, you need to think about whether or not that policy is effective, whether or not it assists them in the performance of their duties, and the extent to which compliance with it interferes with the day-to-day performance of those duties. Because if you haven’t thought all of those things through, even your most dedicated personnel will find themselves compelled to consider some other “solution.”