The 10 Biggest Tech Mistakes Hillary Clinton Made With Her Private Email Server

Risky Business

Investigations by the FBI and Office of Inspector General concluded that Hillary Clinton made a number of IT errors in the setup and maintenance of her private email server while she was U.S. Secretary of State.

FBI Director James Comey made a 15-minute statement Tuesday on his department's yearlong investigation into Clinton's email practices, while the State Department's Office of Inspector General released an 83-page report in late May looking into email records management and cybersecurity practices at the department, with a particular focus on Clinton's 2009 to 2013 tenure.

From sending work emails while based in unfriendly countries to not notifying authorities of a hacking problem on her private server, here are the 10 most notable mistakes Clinton made with her private email server based on reports from the FBI and Office of Inspector General.

10. Clinton's Servers Had No Archiving Whatsoever

FBI: "Because she was not using a government account -- or even a commercial account like Gmail -- there was no archiving at all of her emails."

Anybody subject to government compliance and regulations, such as the Freedom of Information Act, should be archiving all of their information, Sam Heard, owner of Data Integrity Services in Lakeland, Fla., told CRN.

But David Felton, owner of Canaan Technology in Norwalk, Conn., told CRN that outside his financial services clients – who are typically required to archive email by regulators – virtually none of his clients elect to archive emails. Clients typically see archiving as an unnecessary cost and, potentially, something that could be used against them during litigation.

9. Clinton Failed To Request Or Obtain Guidance For Her Server Setup

Inspector General: "Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their [the Bureau of Diplomatic Security] offices, who in turn would have attempted to provide her with approved and secured means that met her business needs. … Yet OIG [Office of Inspector General] found no evidence that the Secretary requested or obtained guidance or approval to conduct official business via a personal email account on her private server."

Alpha NetSolutions, Millbury, Mass., makes CEOs using a personal email system in the course of business sign a waiver taking responsibility for the security of that data, CEO Timothy Shea told CRN, noting that such behavior is a violation of best practices. Shea said only three CEOs out of 100 customers have insisted on using their personal email.

8. Department Heads Would Have Nixed Clinton's Personal Email Setup Due To Security Risks

Inspector General: "DS [the Bureau of Diplomatic Security] and IRM [the Bureau of Information Resource Management] did not – and would not – approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM [Foreign Affairs Manual] and the security risks in doing so."

Authorities would have a much better chance of finding and prosecuting someone who hacked into a federal government server than someone who hacked into Clinton's private server, Canaan Technology's Felton said in March 2015. Government email systems also have security and encryption features that are extremely rare to find on a private server, Data Integrity Services' Heard said in March 2015.

7. Clinton Used Several Different Servers, Administrators And Mobile Devices

FBI: "Secretary Clinton used several different servers and administrators of those servers during her four years at the State Department, and used numerous mobile devices to view and send email on that personal domain. As new servers and equipment were employed, older servers were taken out of service, stored, and decommissioned in various ways."

The use of several administrators concerned Canaan Technology's Felton since it likely resulted in little security continuity or employment of consistent best practices. Specifically, he wondered if the administrators followed a standard operating procedure when shutting down and decommissioning servers.

6. Clinton's Server Crashed During Hurricane Sandy, And The State Department Couldn't Help

Inspector General: "An email exchange between [Huma Abedin, Clinton's Deputy Chief of Staff at the State Department] and another member of the Secretary's staff revealed that the server located in Secretary Clinton's New York residence was down. Thereafter, [Bryan Pagliano, see slide No. 4] met with [State Department] staff to ascertain whether the Department could provide support for the server. [Department] staff reported to OIG [Office of Inspector General] that they told [Pagliano] they could not provide support because it was a private server."

The email system installed at the Clintons' Chappaqua, N.Y., home crashed for days in October 2012 after Hurricane Sandy hit the area, The Washington Post reported in August. The server could have been made more durable by having more than one Internet provider; redundant firewalls; and a dual power supply, with electricity coming from both the grid and a generator, Canaan Technology's Felton said in August.

5. Clinton's Servers Were Not Supported By Full-Time Security Staff

FBI: "These emails were housed on unclassified personal servers not even supported by full-time security staff, like those found at Departments and Agencies of the U.S. Government – or even with a commercial service like Gmail."

Any U.S. Cabinet head holding sensitive information should have a security expert or consultant reviewing practices and procedures and making sure that all people interacting with the server are adhering to recommendations, said Data Integrity Services' Heard. Canaan Technology's Felton also said adhering to good, sound network security practices is key.

4. Supervisors Doubted Staff Could Support Clinton's Email System During Work Hours

Inspector General: "[Supervisors] believed that [Pagliano's] job functions were limited to supporting mobile computing issues across the entire [State] Department. … They did not know he was providing ongoing support to the Secretary's email system during working hours. They also told OIG that they questioned whether he could support a private client during work hours, given his capacity as a full-time government employee."

Pagliano served as IT director for Hillary Clinton's unsuccessful 2008 presidential campaign and became an IT specialist in the U.S. State Department after Clinton was named Secretary of State in January 2009. Pagliano took the Fifth Amendment in front of the House Select Committee on Benghazi and in a lawsuit filed by Judicial Watch, and only agreed to speak with the FBI after the government granted him immunity.

3. Clinton Didn't Notify Security Staff When Hacking Issues Forced Them to Shut Down Server

Inspector General: "[Justin Cooper] notified [Abedin] that he had to shut down the server because he believed 'someone was trying to hack us and while they did not get in i didnt [sic] want to let them have the chance to.' Later that day, [Cooper] again wrote to [Abedin], 'We were attacked again so I shut [the server] down for a few mins' … OIG [Office of Inspector General] found no evidence that the Secretary or her staff reported these incidents to computer security personnel."

Notification is required when a user suspects compromise of, among other things, a personally owned device containing personally identifiable information, according to the Inspector General. Justin Cooper was a longtime aide to Bill Clinton with no security clearance and no expertise in safeguarding computers, The Washington Post reported in August. He was never employed by the State Department.

2. Alternatives To Clinton Taking BlackBerry Into Secure Areas Were Raised, But Not Adopted

Inspector General: "In response to Secretary Clinton's desire to take her BlackBerry device into secure areas, her Chief of Staff discussed … alternative solutions, such as setting up a separate stand-alone computer connected to the Internet for Secretary Clinton 'to enable her to check her emails from her desk.' The Under Secretary's response was 'the stand-alone separate network PC is [a] great idea' and that it is 'the best solution.' According to the Department, no such computer was ever set up."

Clinton never demonstrated to the Bureau of Diplomatic Security or the Bureau of Information Resource Management that her mobile device or private server met the minimum information security requirements specified by the Federal Information Security Management Act or the Foreign Affairs Manual, according to the Inspector General.

1. Clinton Sent Work Emails While Located In The Territory of 'Sophisticated Adversaries'

FBI: "She also used her personal email extensively while outside the United States, including sending and receiving work-related emails in the territory of sophisticated adversaries."

This presents major risks if Clinton was accessing the email using a BlackBerry or other mobile device that operates on the network of another country, said Canaan Technology's Felton. Countries such as China archive all of the information flowing through their network, Felton said, and can take as much time as they need to crack encrypted messages. Felton advises his clients to ditch their mobile device entirely in a place such as China and stick to computers with a fixed virtual private network connection based in the U.S.