I Rest My Case

Notwithstanding all of the attention the press has given to the infamous Clinton emails, I have purposefully not mentioned them in this blog since a “lessons learned” piece a year ago and an original response when the news first broke in March of 2015. Now that the FBI has released papers of its inquiry into the matter, with some overarching themes rising to the top, it seemed like a good time to revisit the issue under the banner of a blog that is about law, policy and IT. 

According to the New York Times, here are the key findings in these newly released documents:

• Clinton regarded emails containing classified discussions about planned drone strikes as “routine.”
• She said she was either unaware of or misunderstood some classification procedures.
• Colin L. Powell, a former secretary of state, had advised her to “be very careful” in how she used email.

For starters, how much you want to bet that if as intense an investigation that has gone into Clinton’s behavior were focused on the information management administrative, logical and physical privacy and security practices of the State Department the findings would reveal a lack of policy, uncertain and uneven technical controls, a failure to align IT security with physical security, and not even a hint of training and education about other processes, not least how to bring the classified categorization system in sync with information technologies?

It is no secret that information technologies in the federal government has long been challenged. In the aftermath of September 11, the reported condition of the FBI IT was pathetic. The NSA, of course, has made hay over the last 15 years since, clearly managing my information and yours as well as their own, but their extraordinary rise in resources and intelligence is not to be assumed to be across the board of the federal government. Let’s recall, for example, that in June of 2015, only months after the first press about Secretary Clinton’s emails, the Office of Budget and Management announced that Chinese hackers penetrated its system in 2014 and that tens of millions of personally identifiable records, including vast number of security clearance files, had been breached. As a third data point, note that unequivocal rules disallowing the use of non-State Department servers or accounts for State Department business came only after Secretary Clinton left office.

While I get the political reasons for why this issue has consumed so much public bandwidth, I am a bit mystified as to why the press has not paid more attention to the weaknesses of State Department’s information technology structures and management. [N.B. when I use the term “information technology or its plural, I use the word “information" as a noun, not an adjective.] It is not sexy. It is complicated.  Information management, which subsumes information technologies, is not really understood or nailed down by anyone, entity or government. Therefore, it does not make good press. But as sure as the day is long, the role that information management played in the Clinton State Department years goes a long way to explain this particular mess.

Let’s break down the parts. For reasons of both privacy and security, Clinton sought an independent mail server. Privacy? She may have made too much of the Republican conspiracy under the influence of Sydney Blumenthal, demonstrating a penchant for defensiveness that she is working mightily now to shed. Still, there is more than enough reason for her to be wary. Any public entity would be a target for manipulation if the political and journalistic forces knew that that she or her husband used a common mail service such as Google or Microsoft.  Google and Microsoft are among the safest servers in the world in terms of technical security, but the fame factor resulted in a decision that is hardly difficult to digest: the Clintons got a private server. 

The Clintons acquired the server before Hillary Clinton became Secretary of State, not because of it. That is an important point … often overlooked in this analysis. A couple of additional data points come now into focus. First, according to the newly released documents, she received no special rules, training or education about use of State Department information technology. I especially like this note from Colin Powell, “be very careful.”  No Sh*t, Sherlock! But of what, exactly? Because of the adage to treat email as fodder for the front page of the New York Times? Because Julian Assange is going – and did, via WikiLeaks – to hack it? Because she is a volatile public figure and therefore a target? All of the above. “Be very careful” hardly begins to describe the circumstance, is not policy or practice, and does nothing to define either the threat or the solution to the challenge.    

Second, if you knew what we all know about the security of the government information technology and you were Hillary Clinton, would you trust it?  I wouldn’t have, not in those years. It may not be an excuse, but I urge unprejudiced readers to consider the point. 

Third, any of you have more than one mail account? Ever send a message intended for one to another account accidentally, especially if using a smart phone device?I have, sue me! To be sure, over the years, after first making this kind of mistake, I have taken administrative and procedural pains not to make that mistake. But it happened. If you have more than one account, or even multiple as I do, I bet you have done it too. 

 James Comey, Director of the F.B.I. did not recommend criminal charges against Secretary Clinton for at three reasons: 

·      She had no intent.  That is the sine qua non of criminal law.  Intent is required to commit a criminal act.  Nothing in the evidence suggests that Secretary Clinton had intent to violate law.

·      There was no law to violate!  The State Department established a policy to use only internal servers for the institutional information after this debacle, not before it.

·      James Comey forestalled an inquiry into the information technology practices of the State Department.  That is almost certainly what defense counsel would have generated in the scope of such a trial against Clinton.  By not bringing charges against her, he skirted the issue.  Or even possibly the embarrassment of a finding of innocence because of the inadequate and negligent nature of the its policies and procedures.  

I stay true to my position in March of 2015 when this story broke originally. Something in the Clinton psychology – and I do mean both the former President and the Secretary – has had them act as if they were above the law. Secretary Clinton should have considered the implications of her use of a privacy server as a potential violation of something, not least the Freedom of Information Act. But in light of all the circumstances, including her own penchant for introverted self-protection, I excuse her. Her clumsy apologies for this “mistake” are a testament not so much to what is at stake with this particular set of emails as they are a window into the personality of a smart introvert, with a strong psychopathy defense, long in the political spotlight, as she remakes herself as genuinely open, trusting and available to U.S. public. 

With that said, I rest my case. Of course, this issue is a political football. Real lessons about information technology policy, nested in on-going efforts of information management approaches and practices, get lost easily in the translation of facts to politics. Were the federal government to offer a better model of information technology governance, we might feel more satisfied that from this legal, political and press maelstrom some good has come out of it.