The ability of states to access, control and restrict secure online communications is incredibly important. Recent allegations of inappropriate conduct by former Secretary of State Hillary Clinton continue to plague the U.S. State Department as more details emerge as to the extent of the lapses in security caused by Clinton’s use of a personal email address. In place of using an official .gov email address, Clinton conducted official business on her personal email address which was connected to a private server located on her New York property during her tenure as America’s top diplomat. Clinton isn’t the first official to use a personal email address, or to use a private server, to conduct official government business but is certainly the most high-profile in recent memory. On top of the obvious legal and political ramifications of this latest episode, the security aspect needs to be heavily scrutinised to ensure that infrastructure and systems were not breached by outside entities. Questions remain to be asked, what could have been done to ensure that top-secret communications were given the appropriate safeguards and how has this latest episode highlighted deficiencies on the institutional level?
Managing risk in a digital world
In the face of clunky and out-dated I.T. capabilities, politicians and government officials are often tempted to use personal email to conduct official government business. A recent example is the dismissal of former U.S. Ambassador to Kenya, Scott Gration, for using an unsecured internet connection to access his email account to conduct official state business - out of the bathroom of the embassy. This temptation, for fast, accessible and user-friendly communication techniques, needs to be balanced with an online operating environment that can prevent intrusion by unfriendly outside forces. The evolution of the internet and modes of communicating have often outpaced the ability of states and bureaucracies to provide streamlined, up-to-date and practical email systems that also allow high levels of encryption and security across extensive work forces.
The 34,000 employees of the State Department use a series of unclassified and classified communication systems to implement America’s diplomatic initiatives in some of the most hostile regions of the world, far from the labyrinthine headquarters in Washington, D.C. The unclassified email system of the State Department has recently been the target of malicious intrusions by suspected Russian hackers. Though it is always a worst-case scenario when possible vulnerabilities are identified and exploited by external entities, the subsequent detection and remedying of the situation by highly trained I.T. professionals allows systems to be thoroughly checked and updated to (hopefully) prevent similar intrusions happening in the future. When email, or entire servers, are not made accessible to trained technicians, serious doubt is cast upon the integrity and security of these systems.
The existence of a private server at Clinton’s rural New York property is a clear example wherein the ability of government I.T. technicians to ensure the security and integrity of email systems is circumvented. There are multiple questions that remain unanswered as to the integrity of Clinton’s private server. Who built it? Was it professionally maintained? Was it sufficiently updated? Was it scanned for vulnerabilities? Clinton has claimed that Secret Service officers stationed at her property (on account of her husband’s presidential past) provided security for the server, but this only explains its physical security. Questions like these are important as they go to the heart of what it means to be truly secure in a digitised world. Security commentators state that the U.S. government is a “constant target” of relentless hackers originating from China, Russia and unknown sources. In addition to the State Department, multiple government agencies have been hacked including the White House, the U.S. Postal Service and the National Oceanic and Atmospheric Administration.
Conducting statecraft in the digital realm
Successful diplomacy begins and ends with the state's ability to control the release of information, to securely liaise with overseas representatives and to ensure the robustness of operating systems, both domestically and around the world. As was highlighted by ‘Cablegate’, when Wikileaks published thousands of U.S. diplomatic cables from its 274 embassies and consulates around the world, diplomacy without opacity and security becomes toothless, as diplomats feel they cannot accurately or instinctively relay information back home. Emails contain much more than the written content. Information such as IP addresses and email headers, which can be used to geographically trace the route and trajectory of messages, are often more valuable than the content of emails themselves.
The weakest link in any system is, and always will be, the human element. To address extensive hacking of its networks, the State Department, could overhaul hardware systems at great expense, create different layers of classification and encryption or provide air-gapped technology. But while employees may clamour for increased mobility and heightened accessibility, the risk of technological infiltration is unavoidable.
William Read is the Cyber Security Fellow at Young Australians in International Affairs.
This article can be republished with attribution under a Creative Commons Licence. Please email publications@youngausint.org.au for more information.
Image Credit: Perspecsys Photos (Flickr: Creative Commons)