It was the best of times, it was the worst of times. Currently, the chattering class is in a titter about the fact that Special Advisor to the President of the United States, Ivanka Trump, consistently used a personal email account for official government communications in violation of records retention requirements imposed by regulation.
Lock. Her. Up!
Or, ho hum. No big deal. Partisans on both sides of the political spectrum are arguing from J’Accuse to cries of hypocrisy. This is exactly what did in former Secretary of State Hillary Clinton. Or, this is totally different. So let’s see what’s the same and what’s different.
Personal email for official business
In both cases, a government official used a non-government email account for communications about official matters. That’s a no-no for many reasons. First, there’s the problem of control and monitoring. Official government accounts are used for official communications because (1) they are routinely monitored for compliance and security purposes; (2) they carry with them the imprimatur of official (binding) communications which a “prodigy.com” account may not; (3) they are subject to data retention and deletion requirements administered by government officials. Both Ivanka and Hillary argue (with some merit, but not a lot) that their “official” communications WERE lawfully preserved — if not by them, then by the official government recipients. Yeah – maybe. But official communications with non-US government officials, with foreign governments, business leaders, etc. were not preserved. So in both cases there were potential violations of data retention laws.
Hillary relied on a long-standing practice by her predecessors of using — at least for a time — non-governmental email accounts. This reliance was misplaced. Ivanka asserts that she used personal email accounts because of her hectic travel schedule and the need to be flexible in her communications. Exactly what Hillary said.
What’s more significant — in both cases — is not that the principals used personal email accounts, but that those who received official government communications FROM these personal accounts did nothing. On this one, the Trump administration officials – having made such a fuss about the use of personal accounts — are squarely to blame. Just as nobody had the temerity to tell the powerful Secretary of State that she could not use her personal email accounts, apparently nobody had the huevos to tell Ivanka that her personal emails were verboten.
So, lesson here? Follow the rules and speak up.
Secretary of State vs. Advisor
A second distinction is that Hillary was a cabinet-level official — indeed the most powerful cabinet-level official — and a former White House resident, former U.S. Senator, and hardly a political neophyte, while Ivanka was merely the owner of a clothing brand, and should hardly have been expected to know better. Certainly we want to hold high-ranking officials to high standards, but in both cases they should have known better.
Separating personal from business
In both cases, Hillary and Ivanka gave the contents of their emails to their personal lawyers who pawed through them for the winnowing of “purely personal” emails and “official government” emails. Meh. Big deal. In reality, we do this all the time — but usually at the time we create an email. So we decide if our email is a corporate or government communication, and use the appropriate account for that function. While doing so after the fact is, to a great extent, bass ackward, if the sorting is done according to appropriate guidelines by a responsible party, it’s not a huge deal. Sure, it will be subject to criticism, but again, that doesn’t mean it wasn’t done right.
Deleting non-business (non-government) communications
Hillary was criticized because, after her lawyers identified and preserved the government-related emails, she ordered that her personal emails be deleted or “bleached.” One of the biggest problems with aggregating personal and government or corporate email accounts is not the impact on the government or corporate account, but the inevitable loss of privacy in the personal account. Assuming the sorting was done conscientiously, and that there is no other duty to preserve personal communications (like a subpoena or warrant) then delete away! As long as you use a color-safe bleach.
Private server vs. cloud server
OK, here’s where the rubber meets the road. Hillary used a home-grown private server, while Ivanka used some commercial — likely cloud-based – email server.
Big. Freaking. Deal.
And I mean that in both senses. A private server offers a much smaller attack surface, can be controlled in a much more granular manner, can be more effectively hardened, and represents a much smaller monitoring assignment. It can be made much more secure than a server that has to serve the needs of millions of users, and that stores billions of communications. Companies face this dilemma every day — whether to insource or outsource critical information processing and the security thereof. Insourcing provides for greater control, granularity and specificity. Outsourcing allows for economies of scale, teams of threat hunters, consistency and auditability, and sharing of knowledge. Indeed, while there’s no indication of any successful attacks on Hillary’s private server (and hundreds of successful attacks on the State Department’s servers), this may simply mean that nobody was watching — or watching closely enough. So the fact that the non-government email server was in a massive server farm in California (or Brazil) rather than in Chappaqua, is essentially a wash.
Classified information vs. No classified information (yet)
Much is made (and appropriately so) of the fact that some of the information in Hillary’s email was classified, while there’s no current indication that any of Ivanka’s was. Classified information, by its nature, should never be on an unclassified computer or network, much less a non-government email account.
Here we have to make a few distinctions from a culpability and impact perspective. First, much of the material that was deemed classified was classified after the fact. In theory, government officials could pore through Ivanka’s currently unclassified emails and retroactively classify a whole bunch of them. Lock her up? Hardly. The fact that emails are subsequently classified (or that they should have been classified at the time) does not make the sender/recipient culpable – particularly from a criminal perspective.
Then we have to distinguish between those “marked” and not marked classified. If a document or the contents of an email are properly marked classified, then the sender/recipient has notice that the matter is classified and should definitely not be using a personal account to communicate – indeed, they should not be using an unclassified government account to communicate. If the document is not marked classified, but simply refers to something that should be classified, then you have a judgment call. Does the sender/recipient know — or should they know – that the materials were classified at the time? This is not generally an easy call given the broad categories of things we classify, and the fact that a single document may contain both classified and unclassified information. That’s why we use paragraph classification markings.
Certain information is routinely marked classified prospectively but not retrospectively. The Secretary of State’s schedule and who she is meeting with is confidential before the meeting, but may not be after the meeting has occurred. Same for Ivanka. Emailing either of these women a copy of their own schedules is technically a violation of the laws regarding classified information, and a security risk, but one that, if not excusable, is at least understandable.
Sender/Recipient or Forwarding
I make a distinction — for practical but not legal purposes — between sending, receiving and forwarding classified information. Again, knowingly failing to protect such information violates the law in all three situations, but they are fundamentally different from a practical standpoint. If you create a classified document — knowing it contains classified information — and send it to others in an unclassified account — that’s the most culpable. If someone else sends you a classified document to an unclassified account, well, shame on them (mostly). And if someone sends you a document containing classified information and you forward it to others, well you’re both responsible, but frankly this happens every single day. It shouldn’t. But it does. So even if retrospective or prospective classified information is found on Ivanka’s personal account, it may be a huge deal, or it may be a minor deal. It’s certainly a violation of the rules, but as former FBI Director James Comey would say, “no reasonable prosecutor would prosecute such a case.”
The real lessons
Now let’s get politics and hypocrisy out of the picture. The real lessons here are that people will do what they want/can to get what they think is their job done. Convenience trumps (no pun intended) security. If rules get in the way of “efficiency,” the rules will be mostly ignored. Concerns about security — even security of very sensitive information — run secondary to issues of control, convenience, ease of use, or just plain old comfort. Even when the lessons of security have been drummed into your psyche – with chants of “Lock her up” resonating from the rafters, well-meaning people will still choose convenience.
And that’s a challenge — probably the biggest challenge — to infosec professionals. This “command and control” infrastructure of “thou shalts” and “thou shalt nots” is untenable in the long run. There’s a story about a University in the UK that had no paved pathways, but simple turf lawns between the buildings. They waited to see where the people walked (where the turf was worn down) and then put the pathways there, rather than putting the pathways where they wanted the people to go, or where they assumed the people would go.
Infosec should be more like that. Find a way to allow people to do their jobs. Find a way to make infosec easy. And convenient. And unobtrusive. And not invasive. And protective of privacy. Your job is to lock it down. Oh, and people will still find a way to screw it up. Because, well, because they’re people. And if all else fails, you can resort to Plan B: “Lock her up.”