Former U.S. Secretary of State Hillary Clinton's decision to use a private email server ran afoul of the government's IT security and record retention requirements, according to a report by the department's inspector general released today.
This use of a private email server did not go unnoticed within the Department of State's IT department. Two IT staff members who raised concerns about Clinton's use of a private server were told not to speak of it.
Clinton was secretary of state from 2009 to 2013 and during that period she used a private email server in her New York home.
This report by the Department of State's Inspector General about Clinton's use of a private server makes clear that rules and regulations were not followed. It says that Clinton would not have received approval for this server had she sought it.
Clinton had an obligation, according to this report, to consult with the IT department, which is called the Bureau of Information Resource Management (IRM).
Investigators said that in 2010, two IT staff members "each discussed their concerns about Secretary Clinton's use of a personal email account in separate meetings" with a top-level IT official.
They were told the director stated that the mission of the Executive Secretariat, Office of Information Resources Management "is to support the Secretary and (an official) instructed the staff never to speak of the secretary's personal email system again." The people involved in these discussions were not identified.
The IT staff members were told "that the secretary's personal system had been reviewed and approved by department legal staff and that the matter was not to be discussed any further." But the inspector general "found no evidence" that a department legal adviser reviewed or approved Clinton's personal email system.
The report also found "no evidence that the secretary requested or obtained guidance or approval to conduct official business via a personal email account on her private server."
According to the current CIO, the report said, "Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs."
However, the report notes, according to these officials, the Bureau of Diplomatic Security and IRM "did not -- and would not -- approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM [Foreign Affairs Manual] and the security risks in doing so."
The problem of not involving IT in the decision-making seems obvious. In a footnote, the report relays this security incident:
"On May 13, 2011, two of Secretary Clinton's immediate staff discussed via email the Secretary's concern that someone was 'hacking into her email' after she received an email with a suspicious link. Several hours later, Secretary Clinton received an email from the personal account of then-Under Secretary of State for Political Affairs that also had a link to a suspect website. The next morning, Secretary Clinton replied to the email with the following message to the Under Secretary: 'Is this really from you? I was worried about opening it!'"
The issue with this, the report explained, was multifaceted. "Department policy requires employees to report cybersecurity incidents to IRM security officials when any improper cyber-security practice comes to their attention... Notification is required when a user suspects compromise of, among other things, a personally owned device containing personally identifiable information... However, OIG found no evidence that the Secretary or her staff reported these incidents to computer security personnel or anyone else within the Department."