Hillary Clinton’s use of a private email server while secretary of state raised questions among security experts Wednesday about whether she might have compromised sensitive government information.
Analysts said they don’t yet know entirely how it worked. But at least one expert who looked at the scant public records available on the account – email@example.com – said the arrangement would have permitted private spam and virus filter company McAfee to access her emails if it wanted to.
“The email traces all end at McAfee,” said Brian Reid, a cybersecurity expert with Internet Systems Consortium. “If nothing else, they have and had the technical ability to read her email. This does not mean they did, only that they could have.”
Experts said they still need to know whether and how her email was encrypted, who administered and had access to the account, and whether there was an authentication process.
And they cautioned against assuming the private system was automatically more risky than government email. The State Department system in November was forced to briefly shut down its entire unclassified email system after an apparent hacker attack.
“We can’t assume that her email account was any less secure than a State Department account,” said Reid. “At the same time, it’s possible it was less secure. We need to know more to know for sure.”
For a second day, Obama administration officials refused to provide much detail on Clinton’s email arrangement, deferring security and technical questions to her office, which would not comment.
The separate legal and ethical aspects of the matter, however, came under fresh scrutiny. The congressional committee investigating the 2012 Benghazi attacks announced a subpoena for all correspondence from the server to investigate conduct it said “raises significant issues for transparency.”
The domain name “clintonemail.com” was created on Jan. 13, 2009, according to Reid, who checked the public records on the account. Those records showed that Clinton’s emails were routed to McAfee for spam and virus filtering.
A hacker could not have cracked her email based on the public information available, Reid said.
“Whoever set this up was an expert. It was set up in such a way that the email cannot be followed,” he said. “It is not possible to draw any conclusions at all about the disposition of the email once it reached McAfee. The only way it can be traced further is to get the information from McAfee.”
McAfee did not respond to questions.
Reid, one of the creators of the first firewalls, and others who study the intersection of government and online security came up with three three key questions that experts would need to know in order to make an assessment of the Clinton server’s security:
▪ Whether or how the email was encrypted. “There are different types of encryption,” Reid said. “It depends on what you use and how you use it.”
▪ What type of authentication did she have? Authentication ensures that the user is in fact the account holder. A password is the first level of authentication. However, the federal government is now moving toward fingerprint verification as well.
▪ Who had access to the server to read her emails? If it were a private server that she ran, that might have better shielded her account. But the administrator of the server would still have to stay on top of the latest security breaches to protect her account.
Without these measures, cybersecurity analysts said, a private company would be in a position to mine Clinton’s emails. Although she did not use the account for classified matters, there’s still concern that hackers could have accessed correspondence on sensitive policy discussions.
“A Chinese hacker could be interested in finding out what her stance is on diplomacy in China,” said Paul Rosenzweig, a cybersecurity consultant and a former Homeland Security deputy assistant secretary with the Bush administration.
Rosenzweig said he would be surprised if Clinton didn’t set up some kind of security measures. But the question is whether they were sufficient.
“This is not something you can do on the fly for $50,000,” he said.
White House Press Secretary Josh Earnest acknowledged the private server posed security questions, but he said he was not equipped to answer them. He noted that there is an “entirely separate classified system for transmitting classified information.”
He said it was “hard for me to sort of assess what sort of vulnerability may have been created by the establishment of a separate network,” adding that “obviously, even large networks like ones that I operate on and ones that employees at the State Department operate on, are not invulnerable to intrusion.”
The AP reported the account was registered to Clinton’s family home in Chappaqua, N.Y., and could have meant she set up a private server at her home. However, Reid said it’s unclear whether the server was run out of her house or not.
At the State Department, spokeswoman Marie Harf deferred to Clinton on questions about the logistics and security of how the email account was configured. She couldn’t answer whether a state.gov email had been offered and rejected.
Harf said she didn’t know whether any in-house cybersecurity experts had expressed concern about the setup. She said she wouldn’t respond to “anonymous claims” to that effect.
She repeated the department’s stance that Clinton’s email setup wasn’t in violation of any policy, saying there was no prohibition on the use of private email and, at the time, no time requirement for when work-related correspondence needed to be turned over to the government’s archivists.
“It’s not prohibited – was not then, is not now,” Harf said.
She also took issue with what she called two inaccurate claims in reports about the email flap. Harf said unequivocally that Clinton used just one address, not multiple email accounts as some news reports suggest. And, Harf said, the Benghazi committee was not, as some members claim, the first to have “brought this email account to light.”
Indeed, the existence of the firstname.lastname@example.org account was first revealed two years ago, in March 2013, in a report by the online muckraking site The Smoking Gun. The report cited “Guccifer,” a Romanian hacker who’s now serving time in Bucharest for online attacks against public figures.
Guccifer, according to The Smoking Gun, obtained Clinton’s private email address by hacking into the AOL email account of Sid Blumenthal, who was a senior White House adviser to President Bill Clinton and later advised Hillary Clinton on her 2008 presidential campaign.
Lesley Clark and Anita Kumar of the Washington Bureau contributed.
Subpoena from Benghazi panel
A House investigative committee issued subpoenas late Wednesday afternoon to the State Department, seeking a deeper look into former secretary of state Hillary Rodham Clinton’s nearly exclusive use of personal emails to do her official business during her tenure, the committee confirmed Wednesday.
The House Select Committee on Benghazi, which first discovered Clinton’s use of a personal email based on a home server in its inquiry into a fatal 2012 terrorist attack on a U.S. diplomatic compound in Benghazi, Libya, is asking for all emails related to the attack from all Clintonemail.com accounts and any other staff members’ personal accounts.
“The Select Committee on Benghazi today issued subpoenas for all communications of former Secretary of State Hillary Clinton related to Libya and to the State Department for other individuals who have information pertinent to the investigation,” according to a statement by committee spokesman Jamal Ware. “The Committee also has issued preservation letters to internet firms informing them of their legal obligation to protect all relevant documents.”
The move escalates the panel’s conflict with Clinton and could complicate her expected run for president.