Hillary Clinton
Internet security experts say former Secretary of State Hillary Clinton has some explaining to do after news broke that she used a private email server -- a decidedly insecure method of communication -- for official correspondence. Reuters/Jason Reed

By using private email, Hillary Clinton put her data at risk every time she clicked on a link or downloaded an attachment as secretary of state. But the American public, and even Clinton herself, will probably never know if hackers were able to monitor her communication from 2009 to 2013, the four years she served as the most powerful U.S. diplomat.

Even top-level technology companies like Twitter know enough to outsource their email for security reasons, sources said, so it shouldn't be a surprise that there's a national outcry over Clinton's decision to ditch the protected State Department email system in favor of her own server, clintonemail.com. Clinton, who many expect will seek the Democratic nomination for president in 2016, exclusively used the address HDR22@clintonemail.com to communicate both personal and top-level Cabinet business, the New York Times first reported Monday. Her judgment has shocked Internet security experts and transparency advocates, who have suggested the decision was motivated by a desire to avoid public disclosure requests.

“It's exceedingly unlikely that her server was even remotely secure,” said Nate Cardozo, a staff attorney and cryptography expert at the Electronic Frontier Foundation. “Without enterprise-grade security and intrusion detection, there's not even any way to know if she's been hacked or not. We'll never know who had access to her email while she was secretary of state.”

Clinton has remained largely silent on the matter, hinting at possible disclosures in a tweet Wednesday:

Her decision underscores a hard truth about the growing reliance on online communication: Email is really easy to hack. Cardozo said the most likely route of infiltration would have been through an unpatched security flaw in Clinton's server, which would be nearly impossible to identify without a top-level systems administrator. Major companies like Apple and Microsoft regularly need to patch their holes -- even though their networks are far more sophisticated than the individual private network that Clinton used.

First there's phishing. Say a nation-state or criminal organization was able to impersonate Justin Cooper, the Clinton aide who registered the clintonemail.com server, and sent the secretary of state an email asking for her username and password for a routine check. Clinton, who would have no reason to suspect anything, might provide her credentials, inadvertently surrendering access to her entire account.

Or there's the Trojan horse method. What if Huma Abedin, another aide, or Chelsea Clinton (both of whom used the clintonemail server, per another Times report) sent Clinton the draft of a speech she needed to download to view? Only this Chelsea was actually a member of the Chinese People's Liberation Army unit that orchestrates many of the cyberattacks against the U.S., and that speech was actually a strain of malicious software that logs every key Clinton presses on her computer.

Each person sharing the server made Clinton, and everyone else on it, that much more vulnerable. Clinton failed to protect her server with an encrypted connection, security experts told Bloomberg News.

And it's already happened. The State Department's unclassified email network was forced offline when a hack was reported in November last year. But the hackers' sophistication was evident when it was revealed that even the U.S. National Security Agency and other contractors were unable to rid the State Department networks of the hackers after three months.

The State Department is just one of many government departments to have been hacked during the past year. Those, combined with the criticism surrounding Clinton and privacy concerns over Republican Jeb Bush's recent email dump, highlight a growing concern with how government leaders view Internet security.

“The government is still sitting around and debating about it, meanwhile the State Department and several others have been hacked,” said Bill Solms, CEO of encryption provider Wave Systems Corp. “I'm doing most of my business in my private sector because corporations, even belatedly, understand the threat and are doing something about it.”