The content of this blog is my personal opinion only. Although I am an employee - currently of Nvidia, in the past of other companies such as Imagination Technologies, MIPS, Intellectual Ventures, Intel, AMD, Motorola, and Gould - I reveal this only so that the reader may account for any possible bias I may have towards my employer's products. The statements I make here in no way represent my employer's position, nor am I authorized to speak on behalf of my employer. In fact, this posting may not even represent my personal opinion, since occasionally I play devil's advocate.

See http://docs.google.com/View?id=dcxddbtr_23cg5thdfj for photo credits.

Sunday, March 27, 2016

Judicial Watch: State Department Documents Show that NSA Rebuffed Hillary Clinton’s Attempts to Obtain a Secure Blackberry

Conservative website Judicial Watch continues to chase Hillary Clinton's use of a personal email server:
Judicial Watch: State Department Documents Show that NSA Rebuffed Hillary Clinton’s Attempts to Obtain a Secure Blackberry - Judicial Watch: "These documents show that Hillary Clinton knew her Blackberry wasn’t secure.  Then why did she use it to access classified information on her illicit email server?"
But from my point of view, items earlier in their own post explain the real story:
[W]e began examining options for S [Secretary Clinton] with respect to secure “Blackberry-like” communications … the current state of the art is not too user friendly, has no infrastructure at State and is very expensive…each time we asked the question “What was the solution for POTUS?” we were politely told to shut up and color. 
the issue here is one of personal comfort … S [Secretary Clinton] does not use a personal computer so our view of someone wedded to their email (why doesn’t she use her desktop when in SCIF?) doesn’t fit this scenario … during the campaign she was urged to keep in contact with thousands via a BB … once she got the hang of it she was hooked … now everyday [sic], she feels hamstrung because she has to lock her BB up … she does go out several times a day to an office they have crafted for her outside the SCIF and plays email catch up … Cheryl Mills and others who are dedicated BB addicts are frustrated because they too are not near their desktop very often during the working day…
Secretary Clinton, ... does not use standard computer equipment but relies exclusively on her Blackberry for e-mailing and remaining in contact on her schedule, etc.  
Blackberry security waivers were issued during the tenure of former Secretary of State Condoleezza Rice,
use expanded to an unmanageable number of users from a security perspective, so those waivers were phased out  
Some news pundits suggest that Clinton's use of her own private email server was an effort to  avoid public records laws.

Myself, I see this as just the most prominent BYOD (Bring Your Own Device) event.   (Well, actually, Obama's Blackberry is probably even more prominent.)

I see the NSA acting like "Mordac, the Preventer of Information Services" in the Dilbert cartoons: "Security is more important than usability."

Actually...  I am sympathetic to NSA folks who said to Clinton et al "No, we don't have the resources to secure a smart phone".   BYOD is hard. (But Clinton wasn't asking for BYOD (Bring Your [Her] Own Device).   She was just asking for a device that she could carry around to do her work.)  There's a moral here:
if IT cannot provide IT services in a form factor the user wants, smart users will often find a way to avoid IT's proscriptions.

Judicial Watch says
“These documents show that Hillary Clinton knew her Blackberry wasn’t secure.  Then why did she use it to access classified information on her illicit email server?”
Myself, I have long been in the same situation.  I usually err on the side of being too compliant with IT rules - but as a result I am hamstrung in my work.  I often find myself unable to read email for days, sometimes weeks, because I just cannot stomach the IT-approved email clients, which are much less efficient.

My own experience leads me to suspect that there may be an aspect to this email 'scandal' that is not disclosed in the emails:

The last time I went through this sort of IT discussion, seeking permission to read company email on my iPhone, I was told, by one of the heads of company IT security, no less:

1) The official IT policy does not allow you to read email on your iPhone

2)  But...  You should go ahead and do it anyway.  We don't actively prevent it.   I read my own company email on my personal, non-approved, iPhone [said the company IT guy].

I can't help but wonder if the same conversation occurred in the hallways of the State Department or NSA.  Or outside.   Not on email.   Unrecorded.

Or perhaps there was just plain wishful thinking:
  • No previous US Secretary of State has used a .gov email account.  
  • Not the two most recent SoS's under a Republican administration: not Colin Powell, not Condoleezza Rice
  • Lots of US government employees use their personal email accounts. 
  • Those guys use commercial services like Gmail - at least we [Clinton's team] will try to be a bit more secure, by using a private email server.
I am sure they would not ask permission - after all, when they asked permission earlier they were rebuffed. "It is better to ask forgiveness than to seek permission".   After all, if the US government folks in charge of security were serious, surely they would have monitored and detected a lot of email from .gov addresses going to Clinton's non-.gov email address?

I am not condoning this.   But I can understand it.   I don't do this myself.  But I have thought about doing it, when frustrated by corporate IT.   (By the way, I suspect that Gmail is more secure than any email server I would set up, or at least has professionals monitoring, and is probably more secure than my company's IT department.   But I am sure that Google can read all Gmail, unless encrypted, and that using any such commercial email service is an even bigger violation of official secrets acts than using a personal email server.   Using the former, you know that non-approved individuals can read your email; using the latter, you don't know - although they may be able to if they break in.)