The name of the game is You Make the Call.
You are the State Department's designated chief information security official. It is Jan. 22, 2009. Hillary Clinton has just been sworn in as the 67th secretary of state. And you've just gotten word that your new boss isn't going to use the department's email server at all. She's going to do all her emailing through a private email server that was designed to serve the big-time security needs of her husband, former President Bill Clinton, in their Chappaqua, N.Y., home.
Here's what you think you understand (but don't actually know firsthand): You're sure Clinton mainly wants to finally control all access to her emails so her political enemies can't continue to get at her communications. After all, she has been under withering attack from Republicans who have been trying to eyeball her records and emails since before the Clintons ever came to Washington, back when they were involved in an Arkansas land deal called Whitewater. It's easy to understand why she seems to be suffering from an info insecurity crisis.
(Peek ahead: Eventually Clinton would exercise total control over her emails. After leaving her job, she would yield to pressure, send the department some 30,000 emails and delete from her server another 30,000 she says were personal. But in this role-playing, you don't know that yet. Back to the game.)
Here's an info security reality you definitely know from your experience of keeping secret info secure and because you have basic common sense: You know a national security risk is virtually inevitable if she only uses one private server. Some highly classified information that was intended to be kept within our government will inevitably end up in the secretary's private email server no matter how vigilant she is about never sending anything stamped "secret" or "top secret." Because someday some senior official will see something the secretary needs to know.
Example: Let's say an assistant secretary sees a classified report saying a CIA surveillance mission just photographed something that indicates a problem the secretary needs to know about before her next meeting begins. So the official emails the secretary, explaining what the CIA photo showed. That's how classified knowledge can wind up on the secretary's private email server, even though no document stamped secret was ever sent.
(Peek ahead again: This summer, an intelligence inspector general reportedly sampled 40 emails Clinton belatedly sent department probers, concluding at least two contained info that originated with the CIA and should have been classified. Now back to your role-playing)
You also know why all this really matters: If an enemy hacked in and got this information, that enemy could discover the nature of a security operative or the CIA's surveillance capability. An agent could be killed, a valuable mission could be doomed, all of which might unintentionally endanger America's national security. So what do you do?
You make the call.
Here's the answer: If you are a conscientious chief information officer, you must immediately communicate your concern to Clinton, either directly or to a top adviser to the secretary, with instructions to give it to the boss.
If you did that, congratulations--you did your job. If you didn't do that, you failed at your job. (We have no evidence that any such thing was ever done.)
And especially: If you did your job and the secretary got your warning, what did she do about it at the time?
All this happened years ago, and we still don't know the answer. But this much is already clear: Washington, we have a problem.
And if it turns out that Clinton was indeed informed of this potential security risk by the info security chief directly or via a trusted Clinton adviser, and that she rejected the advice and directly refused to also use a state department email for major security emails, then that Washington problem will have just expanded to a new level.
Call it: Democrats, you have a problem.
Editorial on 08/30/2015
Print Headline: Security on a private email server