WASHINGTON — Hillary Clinton’s use of a private email server while secretary of State raised questions among security experts Wednesday about whether she might have compromised sensitive government information.
Analysts said they don’t yet know entirely how it worked. But at least one expert who looked at the scant public records available on the account — hdr22@clintonemail.com — said the arrangement would have permitted private spam and virus filter company McAfee to access her emails if it wanted to.
“The email traces all end at McAfee,” said Brian Reid, a cybersecurity expert with Internet Systems Consortium. “If nothing else, they have and had the technical ability to read her email. This does not mean they did, only that they could have.”
Experts said they still need to know whether and how her email was encrypted, who administered and had access to the account, and whether there was an authentication process.
And they cautioned against assuming the private system was automatically more risky than government email. The State Department system in November was forced to briefly shut down its entire unclassified email system after an apparent hacker attack.
“We can’t assume that her email account was any less secure than a State Department account,” said Reid. “At the same time, it’s possible it was less secure. We need to know more to know for sure.”
For a second day, Obama administration officials refused to provide much detail on Clinton’s email arrangement, deferring security and technical questions to her office, which would not comment.
The separate legal and ethical aspects of the matter, however, came under fresh scrutiny. The congressional committee investigating the 2012 Benghazi attacks announced a subpoena for all correspondence from the server to investigate conduct it said “raises significant issues for transparency.”
The domain name “clintonemail.com” was created on Jan. 13, 2009, according to Reid, who checked the public records on the account. Those records showed that Clinton’s emails were routed to McAfee for spam and virus filtering.
A hacker could not have cracked her email based on the public information available, Reid said.
“Whoever set this up was an expert. It was set up in such a way that the email cannot be followed,” he said. “It is not possible to draw any conclusions at all about the disposition of the email once it reached McAfee. The only way it can be traced further is to get the information from McAfee.”
McAfee did not respond to questions.
Reid, one of the creators of the first firewalls, and others who study the intersection of government and online security came up with three key questions that experts would need answered in order to assess the Clinton server’s security:
— Whether or how the email was encrypted. “There are different types of encryption,” Reid said. “It depends on what you use and how you use it.”
— What type of authentication did she have? Authentication ensures that the user is in fact the account holder. A password is the first level of authentication. However, the federal government is now moving toward fingerprint verification as well.
— Who had access to the server to read her emails? If it were a private server that she ran, that might have better shielded her account. But the administrator of the server would still have to stay on top of the latest security breaches to protect her account.
Without these measures, cybersecurity analysts said, a private company would be in a position to mine Clinton’s emails. Although she did not use the account for classified matters, there’s still concern that hackers could have accessed correspondence on sensitive policy discussions.
“A Chinese hacker could be interested in finding out what her stance is on diplomacy in China,” said Paul Rosenzweig, a cybersecurity consultant and a former Homeland Security deputy assistant secretary with the Bush administration.
Rosenzweig said he would be surprised if Clinton didn’t set up some kind of security measures. But the question is whether they were sufficient.
“This is not something you can do on the fly for $50,000,” he said.