PAGES 39-43
Secretary Clinton:
By Secretary Clinton’s tenure, the Department’s guidance was considerably more detailed and more sophisticated. Beginning in late 2005 and continuing through 2011, the Department revised the FAM and issued various memoranda specifically discussing the obligation to use Department systems in most circumstances and identifying the risks of not doing so.
Secretary Clinton’s cyber security practices accordingly must be evaluated in light of these more comprehensive directives. Secretary Clinton used mobile devices to conduct official business using the personal email account on her private server extensively, as illustrated by the 55,000 pages of material making up the approximately 30,000 emails she provided to the Department in December 2014.
Throughout Secretary Clinton’s tenure, the FAM stated that normal day-to-day operations should be conducted on an authorized AIS, yet OIG found no evidence that the Secretary requested or obtained guidance or approval to conduct official business via a personal email account on her private server.
According to the current CIO and Assistant Secretary for Diplomatic Security, Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs. However, according to these officials, DS and IRM did not—and would not—approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM and the security risks in doing so.
During Secretary Clinton’s tenure, the FAM also instructed employees that they were expected to use approved, secure methods to transmit SBU information and that, if they needed to transmit SBU information outside the Department’s OpenNet network on a regular basis to non-Departmental addresses, they should request a solution from IRM.
However, OIG found no evidence that Secretary Clinton ever contacted IRM to request such a solution, despite the fact that emails exchanged on her personal account regularly contained information marked as SBU. Similarly, the FAM contained provisions requiring employees who process SBU information on their own devices to ensure that appropriate administrative, technical, and physical safeguards are maintained to protect the confidentiality and integrity of records and to ensure encryption of SBU information with products certified by NIST.
With regard to encryption, Secretary Clinton’s website states that “robust protections were put in place and additional upgrades and techniques employed over time as they became available, including consulting and employing third party experts.”
Although this report does not address the safety or security of her system, DS and IRM reported to OIG that Secretary Clinton never demonstrated to them that her private server or mobile device met minimum information security requirements specified by FISMA and the FAM. In addition to interviewing current and former officials in DS and IRM, OIG interviewed other senior Department officials with relevant knowledge who served under Secretary Clinton, including the Under Secretary for Management, who supervises both DS and IRM; current and former Executive Secretaries; and attorneys within the Office of the Legal Adviser. These officials all stated that they were not asked to approve or otherwise review the use of Secretary Clinton’s server and that they had no knowledge of approval or review by other Department staff.
These officials also stated that they were unaware of the scope or extent of Secretary Clinton’s use of a personal email account, though many of them sent emails to the Secretary on this account.
Secretary Clinton’s Chief of Staff also testified before the House Select Committee on Benghazi that she was unaware of anyone being consulted about the Secretary’s exclusive use of a personal email address [151]. OIG did find evidence that various staff and senior officials throughout the Department had discussions related to the Secretary’s use of non-Departmental systems, suggesting there was some awareness of Secretary Clinton’s practices. For example:
In late-January 2009, in response to Secretary Clinton’s desire to take her BlackBerry device into secure areas, her Chief of Staff discussed with senior officials in S/ES and with the Under Secretary for Management alternative solutions, such as setting up a separate stand-alone computer connected to the Internet for Secretary Clinton “to enable her to check her emails from her desk.” The Under Secretary’s response was “the stand-alone separate network PC is [a] great idea” and that it is “the best solution.” According to the Department, no such computer was ever set up.
In November 2010, Secretary Clinton and her Deputy Chief of Staff for Operations discussed the fact that Secretary Clinton’s emails to Department employees were not being received. The Deputy Chief of Staff emailed the Secretary that “we should talk about putting you on state email or releasing your email address to the department so you are not going to spam.” In response, the Secretary wrote, “Let’s get separate address or device but I don’t want any risk of the personal being accessible.”
In August 2011, the Executive Secretary, the Under Secretary for Management, and Secretary Clinton’s Chief of Staff and Deputy Chief of Staff, in response to the Secretary’s request, discussed via email providing her with a Department BlackBerry to replace her personal BlackBerry, which was malfunctioning, possibly because “her personal email server is down.” The then-Executive Secretary informed staff of his intent to provide two devices for the Secretary to use: “one with an operating State Department email account (which would mask her identity, but which would also be subject to FOIA requests), and another which would just have phone and internet capability.” In another email exchange, the Director of S/ES-IRM noted that an email account and address had already been set up for the Secretary and also stated that “you should be aware that any email would go through the Department’s infrastructure and subject to FOIA searches.” However, the Secretary’s Deputy Chief of Staff rejected the proposal to use two devices, stating that it “doesn’t make a whole lot of sense.” OIG found no evidence that the Secretary obtained a Department address or device after this discussion.
OIG identified two individuals who provided technical support to Secretary Clinton. The first, who was at one time an advisor to former President Clinton but was never a Department employee, registered the clintonemail.com domain name on January 13, 2009. The second, a Schedule C political appointee who worked in IRM as a Senior Advisor from May 2009 through February 2013, provided technical support for BlackBerry communications during the Secretary’s 2008 campaign for President. OIG reviewed emails showing communications between Department staff and both individuals concerning operational issues affecting the Secretary’s email and server from 2010 through at least October 2012. For example, in December 2010, the Senior Advisor worked with S/ES-IRM and IRM staff to resolve issues affecting the ability of emails transmitted through the clintonemail.com domain used by Secretary Clinton to reach Department email addresses using the state.gov domain.
Two staff in S/ES-IRM reported to OIG that, in late 2010, they each discussed their concerns about Secretary Clinton’s use of a personal email account in separate meetings with the then-Director of S/ES-IRM. In one meeting, one staff member raised concerns that information sent and received on Secretary Clinton’s account could contain Federal records that needed to be preserved in order to satisfy Federal recordkeeping requirements. According to the staff member, the Director stated that the Secretary’s personal system had been reviewed and approved by Department legal staff and that the matter was not to be discussed any further. As previously noted, OIG found no evidence that staff in the Office of the Legal Adviser reviewed or approved Secretary Clinton’s personal system. According to the other S/ES-IRM staff member who raised concerns about the server, the Director stated that the mission of S/ES-IRM is to support the Secretary and instructed the staff never to speak of the Secretary’s personal email system again.
On January 9, 2011, the non-Departmental advisor to President Clinton who provided technical support to the Clinton email system notified the Secretary’s Deputy Chief of Staff for Operations that he had to shut down the server because he believed “someone was trying to hack us and while they did not get in i didnt [sic] want to let them have the chance to.” Later that day, the advisor again wrote to the Deputy Chief of Staff for Operations, “We were attacked again so I shut [the server] down for a few min.” On January 10, the Deputy Chief of Staff for Operations emailed the Chief of Staff and the Deputy Chief of Staff for Planning and instructed them not to email the Secretary “anything sensitive” and stated that she could “explain more in person.”
Footnote 151
The pertinent testimony from the former Chief of Staff, who declined OIG’s request for an interview, reads as follows:
Q Was anyone consulted about Secretary Clinton exclusively using a personal email address for her work?
A I don't recall that. If it did happen, I wasn't part of that process. But I don’t believe there was a consultation around it, or at least there's not one that I’m aware of, maybe I should better answer that way based on my knowledge.
Q So no private counsel?
A Not that I'm aware of.
Q Okay. The general counsel for the State Department?
A Not that I'm aware of.
Q Okay. Anybody from the National Archives?
A Not that I'm aware of. But I can only speak to my knowledge, obviously.
Q Sure. And anyone from the White House?
A Not that I'm aware of.
Note: I had terrible formatting issues from the PDF; hopefully I have corrected and edited properly. LB