We Asked a Cybersecurity Expert if Clinton's Email System Could Have Jeopardized National Security
Hillary Clinton won't face charges over her use of a private email system while serving as secretary of state, but she still took some risks.
Hillary Clinton prepares to board Air Force One on Tuesday, July 5, 2016. Photo by Jose Luis Magana/AP
On Tuesday, FBI Director James Comey announced that his agency would not be recommending charges over former secretary of state Hillary Clinton's use of a private email server, telling reporters that the bureau's investigators had concluded that "no reasonable prosecutor would try such a case." The announcement attracted harsh words from Clinton's political opponents, like House Speaker Paul Ryan, who wrote that "no one should be above the law," but it almost certainly frees Clinton from the lingering threat of prosecution that has hung over her campaign like a dark cloud.
While Comey acknowledged that the FBI "did not find direct evidence that Secretary Clinton's personal email domain, in its various configurations since 2009, was successfully hacked," he also scolded Clinton for being "careless." The FBI's investigation found that 110 individual messages in 52 email chains contained classified information—and eight of those chains were considered "Top Secret," a category reserved for information that, if unintentionally released, "could be expected to cause exceptionally grave damage" to national security.
In his statement to reporters, Comey suggested that beyond the issue of Clinton's emails, the State Department in general has been too cavalier in its handling of government secrets. While this was not the focus of the FBI's investigation, he said, the agency found "evidence that the security culture of the State Department in general, and with respect to use of unclassified email systems in particular, was generally lacking in the kind of care for classified information found elsewhere in the government."
To learn more about what effects Clinton's apparently lax security protocols could have, I called up Justin Cappos, an assistant professor of computer science at New York University's Tandon School of Engineering and commentator on cybersecurity issues. The conversation below has been edited for clarity.
VICE: Does it look to you like Hillary Clinton jeopardized national security by being "careless"?
Justin Cappos: In general, it doesn't seem like this is immensely horrendous. [Although] anytime that you go and you set up your own server to store some data, whatever things you pass through there, whatever you process, is potentially attackable. It's really up to the person who's maintaining and setting up the server to keep it properly up to date, to look at what's happening on the server, to try to detect intrusions and things, if they've occurred, based on patterns of network traffic or other activity on the server.
What's a little worrying in this case is it's not clear that an extremely high level of scrutiny has been given to the mail servers' security [to] reliably detect these sorts of attacks.
So it seems like a breach was possible, even if the FBI didn't find direct evidence that Clinton's servers were hacked.
It's not uncommon that different [hacking groups], when they go to break into a server, will actually leave some sort of trace. Because they'll go and they'll install a rootkit, or they will modify the firmware or do something else to cause themselves to be inserted and loaded into the system while it's running.
You mean a backdoor. Are you sure attackers didn't just get rid of that backdoor after they used it to steal information?
It would have required someone to intentionally go and do this. I mean, it's possible that they did it, and removed all traces of it. It's also possible that the way they did it was through something that every time—for instance—the server rebooted, it had to be redone. It's also quite plausible that it didn't happen. I would imagine that if somebody's breaking in and they understand what they're getting into, in many cases they would rather have persistent access, even if it increases the potential for being detected.
Comey said the State Department is generally lax about information security. So is it even safe to say that if Clinton used a State Department email server, this information would have been safer?
Actually, the [State Department has] been hacked during some of that time period. The State Department had Russian hackers—or at least allegedly Russian hackers—inside of its mail servers for a while, which presumably would have given them access to all of this information if Hillary Clinton had been using the State Department mail server. And it's unclear if they were also in [Clinton's] mail server.
So to be clear, you're not necessarily saying the emails were safer on the Clinton server?
It was an additional target somebody had to break into, but it's not clear if this helped or harmed security. Let me kind of give you an example to try to make sense of this: Suppose that you work for a company, and you have a bicycle or something from that company, and they give you a bike lock for the bicycle that you have and you lock it with the bike lock—somebody could still cut that bike lock that the company gave you and ride off with that bicycle. It's sort of the company's fault if that happens.
If you put your own lock on that bicycle, and somebody cuts it, then the company might blame you, even if you have a better bike lock, or an equivalent bike lock or maybe it's a slightly worse bike lock but then all of a sudden you get all the flak for it. Because you're the one who [chose] the bike lock.
So on the whole, do you think it's conceivable that these emails could still have some kind of impact for national security?
The issue really comes down to what's in those messages. And that's information that isn't publicly available.
Follow Mike Pearl on Twitter.