Former Secretary Of State Hillary Clinton Took Security Risk With Custom Email Server, Partners Say
Technology solution providers told CRN Friday that Hillary Clinton, during her four-year tenure as Secretary of State under the Obama administration, jeopardized the security of her emails by hosting them on a private server.
"There's no security reason to do this," David Felton, owner of Canaan Technology in Norwalk, Conn., told CRN. "Absolutely none."
Most channel partners CRN spoke with said the best thing Clinton could have done, from an IT security standpoint, is to use an official government email account. But Clinton did not, opting instead to exclusively use a personal email account for all official interactions during her 2009 to 2013 tenure as U.S. Secretary of State, The New York Times reported Monday.
Unlike politicians such as Mitt Romney or Sarah Palin – who conducted official business using free email services operated by Microsoft and Yahoo – Clinton's emails landed at a server registered to her family's home in Chappaqua, N.Y., which was physically located in the area, the Associated Press first reported Wednesday.
While the move afforded Clinton greater privacy – government officials would be unable to access her email for any reason without her consent – channel partners said it also compromised her ability to prevent or respond to a breach.
"On the surface, the government should have a much more secure system because they have the resources," Felton said.
Although it remains unclear what – if any – security measures Clinton took to protect communications on her private email server, Felton said the servers run by the federal government offer key security advantages.
Most notably, Felton said authorities would have a much better chance of finding and prosecuting someone who hacked into a federal government server than someone who hacked into Clinton's private server. That's because federal employees are provided with many additional resources to determine the origin and severity of a break-in, he said.
"I would always choose a government-run email system over a civilian-run one," Felton said. "You don't run a mail server out of your house when you have the ability to run it by someone much better and more securely."
An email server also requires constant monitoring to ensure that every door to the system remains locked. Unless Clinton kept full-time IT staff at her home, Felton said the manpower required for continuous security would have proved formidable.
Government email systems have security and encryption features that are extremely rare to find on a private server, according to Sam Heard, owner of Data Integrity Services in Lakeland, Fla.
Lou Person, founder and president of New York-based brightstack, said Clinton's use of a personal email account goes against best practices in the corporate world, particularly for industries with strict compliance standards such as finance and health care.
"It's a dangerous practice," Person said.
Canaan Technologies installs and maintains homebrew email systems akin to the one Clinton is said to have run, and Felton said most of the installation requests come from small business owners or wealthier individuals who've been hacked on a consumer service such as Gmail. He said he has never once had a public sector employee ask to conduct official business on a homebrew system.
Still, Felton said a homebrew server is likely more secure than a free email service since the IT service provider that installed and maintains the system has skin in the game. But that accountability isn't there with Google, Yahoo or Hotmail, Felton said, since no money was exchanged and they're dealing with millions of accounts at once.
Heard disagreed, saying private email systems typically lack passwords or encryption and usually have security more on par with a Gmail or MSN.
Person urged companies to learn a lesson from the Clinton controversy and strengthen their corporate policies around device management and email to prevent something like this from happening in their workplace. He said businesses should also review the mobile device management offerings on the market today to ensure the technology they're employing is up to date.
"Companies should follow best practices and train their folks on the right way to use email," he said.
Sarah Kuranda contributed to this article