Clinton Email Scandal and The ‘Powell Did it Too’ Defense
Reading through the comments on Doug Mataconis’ two postings on the State Department Inspector General finding that Hillary Clinton repeatedly violated the law by using a private email server (“State Department Inspector General Faults Hillary Clinton, State Dept. In Email Probe” and “Release Of Inspector General’s Report Indicates Hillary’s Email Woes Likely To Continue“) makes it pretty clear that rational discussion of the topic is futile. Clinton supporters will simply ignore any evidence of wrongdoing as unimportant while her detractors damage their credibility by over-selling the national security damage. Regardless, I’m going to attempt to address some canards in the debate.
The most grating of these is the argument that, since Colin Powell also used a personal email account, this is an instance of “It’s okay if you’re a Republican.” No. Here’s what the report says about the matter, starting on page 34 [emphases all mine]:
In his interview with OIG, Secretary Powell explained that, when he arrived at the Department, the email system in place only permitted communication among Department staff. He therefore requested that information technology staff install the private line so that he could use his personal account to communicate with people outside the Department.144 He described his email usage as “daily,” though OIG was unable to determine how many emails he actually sent and received during his tenure.
Various DS and IRM staff told OIG that, before Secretary Powell arrived at the Department, employees did not have Internet connectivity on their desktop computers. The Department’s Chief Information Officer (CIO) and Under Secretary for Management during Secretary Powell’s tenure reported to OIG that they were aware of Secretary Powell’s use of a personal email account and also noted the Secretary’s goal was to provide every Department employee with similar Internet and email capabilities at their desktops. The current CIO and Assistant Secretary for Diplomatic Security, who were Department employees during Secretary Powell’s tenure, also were both aware of the Secretary’s use of a personal email account and recall numerous discussions with senior staff throughout the Department about how to implement the Secretary’s intent to provide all employees with Internet connectivity.
However, it is not clear whether staff explicitly addressed restrictions on the use of non-Departmental systems with Secretary Powell. For example, at the beginning of Secretary Powell’s tenure, the Department had an outright prohibition on both the installation of privately owned computers in Department facilities and the transmission of SBU information on the Internet. 145 By 2002, the Department had established the requirement to connect to the Internet only on OpenNet.146 The CIO and Under Secretary for Management during Secretary’s Powell’s tenure reported to OIG that they believe that these issues were addressed, either by installing a firewall to protect the Secretary’s Internet connection or providing the Secretary with a Department laptop. They also reported having multiple discussions with Secretary Powell about the Department’s implementation of FISMA requirements. In contrast, current DS and IRM officials who worked at the Department during Secretary Powell’s tenure are unsure about the exact configuration of Secretary Powell’s systems and whether staff addressed applicable restrictions with the Secretary. However, they reported to OIG that the Department’s technology and information security policies were very fluid during Secretary Powell’s tenure and that the Department was not aware at the time of the magnitude of the security risks associated with information technology.
So, Powell definitely violated existing policy and quite probably the law. At the same time, he had an exceedingly good motivation for his transgression: State’s byzantine system made it impossible to do his job. He told the people in charge of the Department’s IT system what he was doing, ordered them to fix the system to make the workaround unnecessary, and did it via a Department-installed laptop in his office.
By Secretary Clinton’s tenure, the Department’s guidance was considerably more detailed and more sophisticated. Beginning in late 2005 and continuing through 2011, the Department revised the FAM and issued various memoranda specifically discussing the obligation to use Department systems in most circumstances and identifying the risks of not doing so. Secretary Clinton’s cybersecurity practices accordingly must be evaluated in light of these more comprehensive directives. Secretary Clinton used mobile devices to conduct official business using the personal email account on her private server extensively, as illustrated by the 55,000 pages of material making up the approximately 30,000 emails she provided to the Department in December 2014. Throughout Secretary Clinton’s tenure, the FAM stated that normal day-to-day operations should be conducted on an authorized AIS,147 yet OIG found no evidence that the Secretary requested or obtained guidance or approval to conduct official business via a personal email account on her private server. According to the current CIO and Assistant Secretary for Diplomatic Security, Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs. However, according to these officials, DS and IRM did not—and would not—approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM and the security risks in doing so. During Secretary Clinton’s tenure, the FAM also instructed employees that they were expected to use approved, secure methods to transmit SBU information and that, if they needed to transmit SBU information outside the Department’s OpenNet network on a regular basis to non-Departmental addresses, they should request a solution from IRM.148 However, OIG found no evidence that Secretary Clinton ever contacted IRM to request such a solution, despite the fact that emails exchanged on her personal account regularly contained information marked as SBU.
Similarly, the FAM contained provisions requiring employees who process SBU information on their own devices to ensure that appropriate administrative, technical, and physical safeguards are maintained to protect the confidentiality and integrity of records and to ensure encryption of SBU information with products certified by NIST.149 With regard to encryption, Secretary Clinton’s website states that “robust protections were put in place and additional upgrades and techniques employed over time as they became available, including consulting and employing third party experts.”150 Although this report does not address the safety or security of her system, DS and IRM reported to OIG that Secretary Clinton never demonstrated to them that her private server or mobile device met minimum information security requirements specified by FISMA and the FAM.
In addition to interviewing current and former officials in DS and IRM, OIG interviewed other senior Department officials with relevant knowledge who served under Secretary Clinton, including the Under Secretary for Management, who supervises both DS and IRM; current and former Executive Secretaries; and attorneys within the Office of the Legal Adviser. These officials all stated that they were not asked to approve or otherwise review the use of Secretary Clinton’s server and that they had no knowledge of approval or review by other Department staff. These officials also stated that they were unaware of the scope or extent of Secretary Clinton’s use of a personal email account, though many of them sent emails to the Secretary on this account. Secretary Clinton’s Chief of Staff also testified before the House Select Committee on Benghazi that she was unaware of anyone being consulted about the Secretary’s exclusive use of a personal email address.
Clinton’s explanations for why she set up a private server in her basement used her personal devices to do government business have been fluid. None of them have been as straightforward and reasonable as Powell’s. By the time she took office—eight years after Powell did so—the Department’s IT was considerably improved, based on Powell’s orders, thus obviating Powell’s rationale. Additionally, policies were much more stringent and clearly defined. Yet, whereas Powell went out of his way to be above board about failing to comply with policy, Clinton simply ignored it.
Beyond that, it’s important to understand just how much the law and the culture had changed. People reading political blogs are obviously power users of the Internet and, presumably, of email, smart phones, and the like. But recall that the World Wide Web as we understand it didn’t appear until 1993 and most of us were accessing it via AOL discs that were sent to us via snail mail and connecting via 2400 baud modems that tied up our land lines until the late 1990s.
Even in government and education, which pioneered both email and the Internet, systems were generally lousy. When my co-blogger Steven Taylor and I arrived at what was then Troy State University in the fall of 1998, the computers and Internet service were awful. We spent an inordinate amount of time and effort trying to make them meet our needs, often resorting to bringing in our own equipment. Given the scale of the Federal Government, it’s really not that shocking that the State Department had lousy email systems in place in January of 2001.
The world was simply a different place eight years later. Broadband was ubiquitous. Desktops and laptops had become appliances; rather than upgrading equipment which had become obsolete every two years and constantly downloading “utilities” to eke out a bit more productivity, we just turned them on and went to work. By the time Clinton became Secretary, Steven and I had been blogging for six years. Blackberries were becoming obsolete and we were awaiting the third generation iPhone.
So, like the PolitiFact report on this issue that preceded the IG report, I consider the notion that Clinton and Powell did essentially the same thing “mostly false.”