State Dept. audit slams Clinton email habits

A report by the US State Department Inspector General criticises US presidential contender Hillary Clinton for ignoring official guidelines in using a personal email server for official communications.

The Inspector General’s report notes that Clinton, while Secretary of State, used personal email “relying on an account maintained on a private server, predominantly through mobile devices.” The server was located at her house in New York State.

“Longstanding, systemic weaknesses related to electronic records and communications have existed within the Office of the Secretary that go well beyond the tenure of any one Secretary of State,” the report observed.

It further said the State Department, and the Secretary of State’s office especially, “have been slow to recognise and to manage effectively the legal requirements and cybersecurity risks associated with electronic data communications, particularly as those risks pertain to its most senior leadership.”

“Secretary Clinton should have preserved any Federal records she created and received on her personal account by printing and filing those records with the related files in the Office of the Secretary,” the report states.

“At a minimum, Secretary Clinton should have surrendered all emails dealing with Department business before leaving government service and, because she did not do so, she did not comply with the Department’s policies that were implemented in accordance with the Federal Records Act.”

The report also notes that she had an "obligation to discuss using her personal email account" but did not get permission from the officials who would have needed to approve the technology. Those officials said they would not have approved it had they been asked.

"According to the current [chief information officer] and assistant secretary for diplomatic security, Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs," the report reads. "However, according to these officials, [the relevant people] did not — and would not — approve her exclusive reliance on a personal email."

Ms Clinton provided 55,000 pages of records purporting to be all official emails from her personal server for the period she was Secretary of State from 2009 to 2013.

However, the report notes that “Secretary Clinton’s production was incomplete. For example, the Department and OIG both determined that the production included no email covering the first few months of Secretary Clinton’s tenure—from January 21, 2009, to March 17, 2009.”

Ms Clinton responded: “She does not have custody of e-mails sent or received during the first few weeks of her tenure as she was transitioning to a new address, and we have been unable to obtain these. In the event we do, we will immediately provide the Department with federal record e-mails in this collection…”

Among the report's recommendations is that records management policies and procedures be improved so that there is more employee compliance, including compliance by the Secretary of State.

The report also noted “management weaknesses” at the State Department and elsewhere in the government. These include: a limited ability to retrieve email records; inaccessibility of electronic files; failure to comply with requirements for departing employees; and a general lack of oversight.

The report detailed how some employees who questioned the wisdom of the home server setup were told to stop asking questions, and the audit confirmed apparent hacking attempts on the private server.

It records one incident occurring on May 13, 2011, when two of Ms Clinton’s immediate staff discussed via email the Secretary’s concern that someone was “hacking into her email” after she received an email with a suspicious link.

“Several hours later, Secretary Clinton received an email from the personal account of then-Under Secretary of State for Political Affairs that also had a link to a suspect website. The next morning, Secretary Clinton replied to the email with the following message to the Under Secretary: ‘Is this really from you? I was worried about opening it!’ Department policy requires employees to report cybersecurity incidents to IRM security officials when any improper cyber-security practice comes to their attention. 12 FAM 592.4 (January 10, 2007). Notification is required when a user suspects compromise of, among other things, a personally owned device containing personally identifiable information. 12 FAM 682.2-6 (August 4, 2008). However, OIG found no evidence that the Secretary or her staff reported these incidents to computer security personnel or anyone else within the Department.”

The full report is available at https://assets.documentcloud.org/documents/2842429/ESP-16-03-Final.pdf