Hillary, hackers, threats, and national security

I got a point-blank question in the comments earlier this week: Did Hillary Clinton’s home-made mail server put national secrets at risk of being hacked by our enemies?

Depending on the enemies, maybe marginally. But not enough that any security professional that I know of is worried about it. Here’s why.

First, a disclaimer: These are my opinions, not my current or any previous employer’s opinion. This also isn’t an endorsement or condemnation of any political candidate. I’m going to try my best to keep politics out of this and just look at the security problem. It’s an interesting security problem in some ways, so I kind of think it’s unfortunate that a prominent politician is involved.

Let’s get into the factors in play.

Know the enemy. Terrorist organizations generally aren’t advanced hackers. The closest thing to an exception is the Syrian Electronic Army, but their specialty is poorly coded web applications, and they do what they do for attention, not gathering intelligence. Most of the prominent terrorist organizations seem to be pretty good defenders, but when it comes to offense, they don’t have the capabilities of a nation-state. Not today, and certainly not during Hillary Clinton’s tenure as Secretary of State–even the Syrian Electronic Army was a non-factor in those days.

The threat came from countries like China and Russia. Infiltrating a mail server is certainly within the realm of their possibilities, but so is compromising something sitting between the State Department and whoever Hillary was using for an ISP, so they can read the e-mail coming over the wire. Anyone who was interested would have had several options, because e-mail is inherently insecure. That’s why nobody will legitimately ask you to e-mail a credit card number. It’s not safe to send credit card numbers that way.

Speaking of Russia, Russia has thoroughly pwned the State Department’s e-mail system. They’ve been controlling it since late last year, and the State Department can’t eradicate them.

Take a look at Fire Eye’s Threat Map. This tells you who is attacking who today. The Middle East sustains more attacks than it sends out, at least in 2015. This was even more true from 2008-2012. You’ll also note allies are attacking allies. It’s a strange world out there.

It’s easier to do one thing well. I can think of a scenario where Hillary might have been able to run a pretty good shop. She hasn’t said much in the way of detail, except that it’s an Exchange server built by professionals–so much for speculation that the server involved a college intern installing Linux on an old Pentium-75 and opening a couple of ports on a $13 Belkin router–but she didn’t give enough detail to let me say anything one way or the other about the quality. Then again, Exchange is cranky enough that if she tried to do it on the cheap, she probably regretted it quickly. And keep in mind the Clintons are multimillionaires so they could afford to do it right. I don’t know if they did, but for a few thousand dollars, they could have gotten a couple of people to come in and set up something every bit as secure as any corporate e-mail server, set it up on a dedicated line with only two ports open, outsource the DNS, bring in a security pro to patch the server every month, and set up certificates to encrypt the communications between it and government mail servers. It would be possible to set up something that would be very attack-resistant.

They could just as easily be on one extreme or the other, or anywhere in between. I don’t know. But either way, the easiest way to get to her e-mail probably was to attack her workstation, in which case it didn’t matter where the mail server was.

Know your networks. Government secrets fall into three broad classification levels: Unclassified, Secret, and Top Secret. Everything involved in this incident was unclassified. The good stuff–from the enemy’s point of view–happens at the Secret and Top Secret levels. The stuff from the Manning leaks game from a secret network called the SIPRNET, while the stuff from the Snowden leaks came from a top-secret network called JWICS. On unclassified networks, one must assume that China, Russia, and even a good number of friendly nations are listening. Right now, it’s not an assumption in the case of Russia–it’s proven.

It’s likely that Hillary Clinton sometimes had to handle classified communications at home, but if she did that through e-mail, it would be handled through a classified workstation connected straight to the State Department’s secret network, and she would have had a safe for storing all of her classified papers and her workstation’s hard drive when it wasn’t in use. At least that’s how the Department of Defense handles such matters, and the State Department is likely to be very similar.

This is a policy issue more than a security issue. The latent journalist in me hates this, while the security pro in me can think of 30 things that are a bigger deal than this. The journalist in me hates the idea of Hillary Clinton being able to unilaterally decide what’s official business and what isn’t. That made it easy for her to hide things from Freedom of Information Act requests. Chances are traces of all conversations are on government mail systems anyway, but still, this eliminates a check and balance, and I don’t like that. Then again, Hillary isn’t the only politician who has done this–she just happens to be considering running for president, and none of the others, to my knowledge, are right now.