
What are the cyber security implications of Hillary Clinton’s private email system?

  • Posted on: March 26, 2015
  • Posted in: Current News, Privacy & Policy
  • Posted by: Trend Micro

Running a private email server is not for the technically faint of heart. Most individuals around the world rely on the massive infrastructure of Web giants like Google, Yahoo and Microsoft to handle their day-to-day messaging needs. Accordingly, they can send and receive mail without worrying if the supporting infrastructure is protected by proper network security or if they will be personally on the hook for fending off a cyber attack.

Email servers quickly went from a niche, technical topic to the subject of mainstream conversation when it was revealed that Hillary Clinton, former U.S. First Lady, Senator and Secretary of State and prospective presidential candidate for 2016, depended exclusively upon a private email server during her time at the State Department. What are the cyber security ramifications of this approach?

A private email system: A high risk strategy
For starters, opting for the DIY route over a .gov address was risky. The numerous steps required for proper setup and maintenance of an email server mean that there are many opportunities for getting something wrong and leaving all correspondence vulnerable to interception. A secure private email system would need features such as:

  • A valid digital certificate, so that connections to the server could be authenticated and encrypted.
  • Security mechanisms such as antivirus software, spam filters and firewalls, including a message transfer agent.
  • Specific hardware and software, such as a physical server and a flow manager like Microsoft Exchange.
  • Proper configuration of the email server on mobile devices.
  • Trained IT and cyber security staff to handle upgrades and deal with the fallout of any breach.

As one can see, managing a private email system can require investing in expensive equipment as well as having personnel with extensive cyber security expertise on hand. Otherwise, the risks of surveillance quickly begin to outweigh the perceived control benefits of running one’s own storage. To the system’s credit, there is no evidence that the Clintons’ email server in their home in Chappaqua, New York, was ever hacked, which may say something about its design and daily operation.

On the other hand, absence of evidence is not evidence of absence, as the old Carl Sagan maxim goes. Large firms, let alone individuals maintaining critical IT infrastructure, often see no signs of a breach and believe that they are in the clear, despite a combination of being under constant pressure from attacks and taking questionable measures to protect their assets. The Sony Pictures breach late last year is a good example, since its presence and impact weren’t immediately apparent, and its execution took advantage of missteps on fronts such as password security.

A possible area for concern with the Clinton email server is whether it was encrypted from the get-go. A team of security researchers speaking to Forbes traced the server’s cyber security history, looking at how certificates in particular had been managed, and discovered that it may have been unencrypted for 3 months early on, when Clinton was Secretary of State for the Obama Administration. As such, it would theoretically have been vulnerable to:

  • Spoofing: The email header could have been forged to make messages seem like they came from the Secretary of State herself, when in fact they originated from a rogue party. Phishing campaigns benefit greatly from such convincing imitations of legitimate accounts.
  • Malware distribution: Without a digital certificate to ensure encrypted access to the server, the system could have been turned into a distribution pipe for malware embedded in messages. Trend Micro’s Tom Kellermann has observed that the account could have become a “carrier of cyber disease.”
  • Surveillance: Unencrypted access would have made spying on conversations relatively straightforward. This surveillance would have spread the risk beyond just Clinton’s correspondence by putting her interlocutors around the world at risk of having their sensitive information lifted and their own networks attacked. Her frequent travel would have amplified this effect.

“Those three months were really risky times especially given the travel of the secretary,” Kevin Bocek of Venafi told Forbes. “Certainly traveling to China raises a lot of concern.”
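
The certificate-history review described above comes down to checking whether a host's certificate validity windows leave any dates uncovered. The following is an added example, not code from this article or from the researchers it cites; the host name, the dates and the `coverage_gaps` helper are constructed for illustration and do not describe the actual server.

```python
from datetime import date, timedelta

ONE_DAY = timedelta(days=1)

# Constructed inventory for a hypothetical mail host (not real data):
# each record is one certificate's validity window, as exported from a
# certificate inventory or a Certificate Transparency search.
CERTS = [
    {"host": "mail.example.org", "not_before": date(2021, 3, 15), "not_after": date(2021, 5, 31)},
    {"host": "mail.example.org", "not_before": date(2020, 4, 1), "not_after": date(2021, 3, 31)},
    {"host": "mail.example.org", "not_before": date(2021, 6, 10), "not_after": date(2022, 6, 9)},
]


def coverage_gaps(certs, service_start, service_end):
    """Return inclusive (first_day, last_day) ranges inside the service
    period during which no certificate in `certs` was valid."""
    gaps = []
    cursor = service_start  # earliest day not yet known to be covered
    windows = sorted((c["not_before"], c["not_after"]) for c in certs)
    for not_before, not_after in windows:
        if not_after < cursor or not_before > service_end:
            continue  # window lies wholly outside the uncovered remainder
        if not_before > cursor:
            gaps.append((cursor, not_before - ONE_DAY))
        # Overlapping renewals simply push the cursor forward.
        cursor = max(cursor, not_after + ONE_DAY)
    if cursor <= service_end:
        gaps.append((cursor, service_end))  # nothing valid up to the end
    return gaps


def gap_days(gap):
    """Length of an inclusive gap in days."""
    first, last = gap
    return (last - first).days + 1


if __name__ == "__main__":
    # Hypothetical service period: host in use from 2020-01-10 to 2021-06-30.
    for gap in coverage_gaps(CERTS, date(2020, 1, 10), date(2021, 6, 30)):
        print(f"no valid certificate {gap[0]} to {gap[1]} ({gap_days(gap)} days)")
```

A gap at the start of the service period, as in the first range this reports, is the pattern the researchers described: the host was in use before its first certificate was issued.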

High risk, questionable reward
Going through all the possibilities of what could go wrong with an unsecured private email server prompts the question: Are there any advantages to doing all the cyber security diligence on one’s own, rather than entrusting it to companies with dedicated teams?

A few arguments have been floated to explain Clinton’s move. One, made by Clinton herself, is that the private email system was “a matter of convenience,” likely referring to her ability to carry just one device for personal and work email rather than two (i.e., a personal phone in addition to a government-issued BlackBerry). Of course, such convenience in device consolidation is only possible through the additional work of configuring the email server for associated devices.

Another explanation holds that Clinton’s move kept her correspondence off of the public cloud. Large email systems keep data on servers over which individual users have no control. This lack of control, of course, is somewhat offset by the around-the-clock security and technical attention that major email providers offer. Still, perhaps Clinton wanted complete control over where and how her messages were being kept. The situation could be compared to managing one’s finances: While most people trust a bank to hold their money, there’s always the option to keep cash in a mattress, as one cyber security expert pointed out to Quartz.

Talking about this issue naturally lends itself to many political and ethical angles that are best discussed elsewhere. In terms of its specific ramifications for cyber security, Clinton’s private email system was a major gamble that courted a lot of risk, despite her claims that it was properly safeguarded, overseen by the U.S. Secret Service and free of any data breaches.

Intrusions, as we noted earlier, are not always apparent at the time. Plus, defaulting to a standard-issue State Department email address is almost always going to provide more security from cyber attacks than running one’s own infrastructure would allow. Government accounts have been hardened over the years with many security regulations and mechanisms, given their prominence as targets for cyber attackers.

However, even these accounts have hardly been free from breaches. Incidents affecting bodies such as the Department of Energy show that government cyber security, despite its relative sophistication, can still struggle against advanced threats. In this context, going it alone with a private email system seems even riskier: If the same amount of attention were channeled toward compromising such setups as is already directed at government email, the prospect of an intrusion would be serious.
