FBI Director James Comey last week delivered a press conference in which he announced that the FBI would recommend against indicting 2016 U.S. presidential contender Hillary Rodham Clinton. The following day, U.S. Attorney General Loretta Lynch confirmed that the Department of Justice is closing its case regarding Clinton. The day after that, while Comey defended his decision in Congressional testimony, the U.S. State Department reopened its investigation into Clinton.
Clinton has been the object of infosec controversy since March 3, 2015, when the New York Times broke a story revealing that Clinton had "exclusively used a personal email account to conduct government business" during her time as Secretary of State under the Obama Administration, in lieu of any official U.S. government email account. The story also highlighted that these actions may have been unlawful.
Since then -- and quickly -- more details about Clinton's email and information security improprieties poured out into the public eye. Clinton didn't just have a private email account; she had a private domain hosted on a private server -- sitting not in some well-guarded data center, but in her home.
Several dozen State Department staffers facilitated this and/or corresponded with Clinton via her email address and now face potential career fallout. The server reportedly hosted private email accounts for other top State Department officials under Clinton, as well as for both Clinton's daughter Chelsea and longtime Clinton family advisor Justin Cooper.
All this happened, reportedly, despite explicit warnings from the State Department's cybersecurity team that she should not be doing what she was doing.
The Clinton email controversy gives information security professionals the perfect opportunity to ensure some data protection best practices are in place. Aside from the obvious "shadow IT" issues that go with using personal devices and personal email, here are three tips you can take away from Clinton's email saga to improve your organization's data security.
Make Data Stewardship a Priority for All
Despite refusing to move forward with prosecuting Clinton, Comey leveled harsh accusations that evidence demonstrates that Clinton and her colleagues were "sloppy," "negligent," and "extremely careless" in how they handled classified information passing through her private server.
"Participants who know or should know that information is classified are still obligated to protect it," Comey said at his press conference, adding that, because of the danger of data compromise, none of the emails found to contain classified information should ever have been on a non-classified server such as Clinton's.
The lesson here is that everyone in your organization -- from "should-know-betters" like C-suite executives and IT professionals to the hoi polloi of administrative staff and workers in non-IT departments -- must be well trained and accountable for the information they handle, receive, read and are exposed to every day.
System-use policies and the like must be well implemented, and employees at all levels must receive training. Instill in them a sense of responsibility so that they will be inclined to treat corporate data as their own -- if not better.
Expect a Data Breach and Manage the Risk
The risk of compromise to which Clinton exposed classified information is substantial enough that, although the FBI has uncovered no direct evidence of an actual breach, the law enforcement agency is not able to rule one out either.
"We [at the FBI] assess that it is possible that hostile actors gained access to Secretary Clinton's personal email account," said Comey at his press conference.
Indeed, several of Clinton's emails containing sensitive foreign intelligence data were compromised and leaked in March 2013 when Romanian hacker Marcel Lazar Lehel, a.k.a. "Guccifer," hacked not Clinton's server but longtime Clinton advisor Sidney Blumenthal's AOL email account.
In any case, it should be clear that there is no such thing as a perfectly secure email system or a perfectly secure organization. "There are only two kinds of organizations," MIT engineering and IT professor Stuart Madnick, who also serves as Director of the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, has said at numerous symposiums and conferences at MIT over the past couple of years. "Those that have been hacked and those that don't yet know they have been hacked."
One way or the other, bad guys are going to find some data of yours that you do not want them to see. Former Secretary of Homeland Security Michael Chertoff, therefore, recommends redundancy and in-depth, multi-layered security practices -- expecting eventual data breach of some kind -- as opposed to "hard on the outside, soft in the middle" practices known as "M&M security."
"'Prevention, prevention, prevention, that's all I'm focused on,' is gonna be doomed to failure," said Chertoff in his keynote address at the Advanced Cyber Security Center's 2014 annual conference. "You're not gonna eliminate the risk of cyber attacks; this is about managing the risk."
Indeed, this is the philosophy behind the NIST Cybersecurity Framework, which is not only a strongly recommended InfoSec framework but is also legally or pseudo-legally mandated for certain types of organizations.
Clarify When Information Is Proprietary and What to Do with It
Want to make sure your organization's proprietary data stays protected? Make sure that the people handling it understand how to tell what information is proprietary, and when.
House Democrats attempted to defend Clinton during the hearing, coaxing Comey into testifying that Clinton may not have noticed or may not have understood "tiny, little" markings of "(C)" next to some paragraphs in her emails -- with those marks indicating, per State Department practices, that the information accompanying them is to be treated as classified.
"It's possible that she didn't understand what a '(C)' meant when she saw it in the body of an email like that," testified Comey, who further indicated that before his investigation, he likely would have automatically assumed that a State Department official would know what the '(C)' meant. "[It's] not that she would have no idea what a classified marking would be, [but] it's an interesting question whether she ... was actually sophisticated enough to understand what ['(C)'] means."
Debate lingers over whether the (C)-marked information in question should have been or even was in fact classified, but the takeaway is clear. Either Clinton's intent or Clinton's lack of "sophistication" may have endangered classified data. Furthermore, Clinton has plausible deniability with regard to actual wrongdoing because of poorly applied procedures.
In your own organization, assume nothing. Employee policies -- which employees should read, understand, acknowledge and receive effective training on -- should make it crystal clear how to tell proprietary data from "regular" data. You may even have different levels of "proprietary," with different policies and procedures for each level. (This acknowledges that your staff cannot reasonably be expected to treat every single email and memo as top secret.)
Further, ensure that the procedures for marking how proprietary a piece of information is are followed consistently, so that there can be no argument later about inconsistent markings. Leave no room for doubt.
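Consistent, machine-checkable marking is what turns a labeling procedure into something that can be enforced at a mail gateway. The Python below is an added example, not code from the article: it scans each paragraph of a message for a leading portion marking such as "(C)", derives the message's highest level, flags paragraphs that carry no marking at all (the inconsistency the text warns about), and checks the level against the ceiling of the system the message sits on. The marking strings, level ordering, system names and the sample message are all constructed for illustration and are not any agency's real scheme.

```python
"""
Added example (not part of the original article): a small portion-marking
checker of the kind a data-loss-prevention rule might apply to outbound mail.
All marking letters, level names, system ceilings and the sample message
below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed ordering of portion markings, lowest to highest.
LEVELS = {"U": 0, "C": 1, "S": 2}

# Constructed: the highest level each (hypothetical) system may carry.
SYSTEM_MAX_LEVEL = {
    "classified-network": LEVELS["S"],
    "official-unclass": LEVELS["U"],
    "personal-server": LEVELS["U"],
}

# A marking counts only when it opens a paragraph; requiring a fixed
# position is what makes "consistently followed" procedures checkable.
MARKING_RE = re.compile(r"^\s*\((U|C|S)\)")


@dataclass
class Finding:
    paragraph: int   # zero-based paragraph index within the body
    marking: str     # the letter found, e.g. "C"


def _paragraphs(body: str) -> List[str]:
    """Split a body on blank lines; paragraph indices are stable across checks."""
    return body.split("\n\n")


def scan_markings(body: str) -> List[Finding]:
    """Return every portion marking found, with its paragraph index."""
    findings = []
    for i, para in enumerate(_paragraphs(body)):
        m = MARKING_RE.match(para)
        if m:
            findings.append(Finding(i, m.group(1)))
    return findings


def overall_level(body: str) -> Optional[str]:
    """Highest marking in the body, or None if no paragraph is marked."""
    findings = scan_markings(body)
    if not findings:
        return None
    return max((f.marking for f in findings), key=LEVELS.__getitem__)


def unmarked_paragraphs(body: str) -> List[int]:
    """Indices of non-empty paragraphs that carry no marking (inconsistent marking)."""
    marked = {f.paragraph for f in scan_markings(body)}
    return [i for i, p in enumerate(_paragraphs(body)) if p.strip() and i not in marked]


def allowed_on(body: str, system: str) -> bool:
    """True if the message's highest marking fits the system's ceiling.

    A message with no markings at all is allowed; unmarked_paragraphs() is the
    separate check that surfaces sloppy or missing labeling.
    """
    level = overall_level(body)
    if level is None:
        return True
    return LEVELS[level] <= SYSTEM_MAX_LEVEL[system]


# Constructed sample message: two marked paragraphs and one unmarked closing line.
SAMPLE_BODY = (
    "(U) Schedule for the Monday call attached.\n\n"
    "(C) The counterpart's position on the draft is unchanged.\n\n"
    "Let me know if you need anything else.\n"
)

if __name__ == "__main__":
    print("overall level:", overall_level(SAMPLE_BODY))            # C
    print("unmarked paragraphs:", unmarked_paragraphs(SAMPLE_BODY))  # [2]
    for system in SYSTEM_MAX_LEVEL:
        print(f"allowed on {system}:", allowed_on(SAMPLE_BODY, system))
```

For the sample message the highest marking is "(C)", so the message is allowed on the "classified-network" system and blocked from both unclassified systems; the third paragraph is reported as unmarked, which is exactly the ambiguity a reviewer would otherwise have to argue about afterwards. A real deployment would pin the marking vocabulary and system ceilings to the organization's written policy rather than the constructed values used here.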
Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate communications and data privacy consultant, writer, speaker and bridge player. Follow him on Twitter at @JoeStanganelli.
(Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)