Solution Providers: FBI Probe Reveals Issues With Hillary Clinton's Email Security, Archiving Practices

The FBI Tuesday said it is recommending no charges against Hillary Clinton for her use of private email servers, but some solution providers said the former Secretary of State erred by sending work emails while abroad and not establishing an email archive.

"Nobody [on Clinton's team] seemed to understand the threats or the depth of security necessary for hosting an email server when you're high-profile," David Felton, owner of Canaan Technology in Norwalk, Conn., told CRN. "People weren't advising her."

Although FBI Director James Comey advised against the U.S. Department of Justice charging Clinton, he said the Democratic candidate for president was "extremely careless" in handling sensitive material and spotlighted several IT-specific areas of concern.

"Anybody that has sensitive data should be required to have layered enterprise security," Sam Heard, owner of Data Integrity Services in Lakeland, Fla., told CRN. "If you don't, you're asking for trouble."

For solution providers, the most troubling FBI finding was that Clinton used her personal email extensively while outside the U.S., including sending and receiving work emails while in the territory of sophisticated adversaries.

Felton said this presents major risks if Clinton was accessing the email using a BlackBerry or another mobile device that operates on the network of another country.

"The Chinese government is archiving all the information flowing through its network," Felton said. "Given enough time, they can crack anything."

Given the interest in correspondence from a high-profile figure like Clinton, even techniques such as encryption might not provide sufficient protection when operating on a foreign network.

Instead, Felton – who installs and maintains private email systems – would advise clients to ditch their mobile device entirely in a place like China and stick to computers with a fixed virtual private network connection based in the U.S.

Canaan Technology includes a "GEO IP Filtering" firewall that blocks IP addresses registered in 17 countries such as China, Turkey, Russia, Ukraine, Saudi Arabia and Nigeria from establishing a connection to client information. Therefore, clients following Canaan Technology's recommendations cannot use mobile devices containing business information in any of those 17 nations.

In addition, FBI Director Comey highlighted that unlike U.S. government departments and agencies – or even commercial services such as Gmail – Clinton's personal email server was not supported by full-time security staff.

Data Integrity Services' Heard said any U.S. Cabinet head holding sensitive information should have a security expert or consultant reviewing practices and procedures and making sure that all people interacting with the server are adhering to recommendations.

More concerning to Canaan Technology's Felton, however, was that Comey didn't identify any security policies or procedures undertaken by Clinton to prevent hostile actors from gaining access to her email. Although the FBI didn't find direct evidence that Clinton's email domain was successfully hacked, Comey said the FBI would be unlikely to see such evidence given the nature of the email system and the potential actors involved.

Clinton would have been wise to employ more security on the perimeter of her email system such as a unified threat management appliance, hardened firewalls and complex passwords with aging mechanisms, Felton said.

Heard said Clinton would have benefited from enterprise-level firewalls and endpoints, encryption and email archiving.

Another item that differentiated Clinton's email setup from a government account or even a commercial account such as Gmail, the FBI said, was the lack of any type of archiving mechanism. Heard said that anybody subject to government compliance and regulations, such as the Freedom of Information Act, should be archiving all of their information.

But Felton said outside his financial services clients – which are required by the U.S. Securities and Exchange Commission or the Financial Industry Regulatory Authority to archive email – virtually none of his clients elect to archive emails. Clients typically see archiving as an unnecessary cost and, potentially, something that could be used against them during litigation.

Timothy Shea, CEO of Alpha NetSolutions, a $1.7 million Millbury, Mass.-based solution provider, said he makes CEOs using a personal email system in the course of business sign a waiver taking responsibility for the security of that data. He said only three CEOs out of 100 customers have insisted on using their personal email.

"I tell those CEOs, 'You're the owner of the company. What would you do if one of your employees was doing this?'" said Shea. "I have them sign disclaimers that say using private email as part of a corporate mail system is a violation of best practices to make sure they are taking responsibility for the security of that email and not holding us legally liable."

Shea said he uses waivers in any and all cases where a client does not take the recommendations the company puts forth.

FBI Director Comey said Clinton didn't actually use a single email server during her four years at the State Department, but rather had several different servers and administrators during that time, with numerous mobile devices viewing and sending email from the servers.

As new servers and equipment were employed, he said old servers were taken out of service, stored and decommissioned in various ways.

Canaan Technology's Felton said the use of several administrators concerns him since it likely resulted in little security continuity or employment of consistent best practices. Specifically, he wondered if the administrators followed a standard operating procedure when shutting down and decommissioning servers.

"Did the IT folks who set up the system or maintained the systems make recommendations that Hillary Clinton ignored?" Shea asked.

The Washington Post reported in August that during her tenure as Secretary of State, Clinton's email system was first maintained by Justin Cooper, a longtime aide to Bill Clinton with no security clearance and no expertise in safeguarding computers, and then by Bryan Pagliano, the IT director for Hillary Clinton's unsuccessful 2008 presidential campaign.

After Clinton stepped down as Secretary of State in 2013, she hired Platte River Networks, a 30-person solution provider based in Denver, to provide the system with better security, durability and a more professional setup. And data protection vendor Datto was used as the disaster recovery site for Clinton's server, news reports revealed in October.

Felton said Clinton would have benefited from bringing a solution provider into the fold much earlier given the resource and expertise constraints often faced by internal IT employees.

"A solution provider is exposed to a much broader level of need," Felton said. "I'm surprised that nobody told her the best person to maintain this for you would be a solution provider."

STEVEN BURKE contributed to this story