May 26, 2016 (WASHINGTON) The State Department released the Inspector General report on email and document preservation practices during Secretary Hillary Clinton’s tenure as Secretary of States. While most observers did not expect anything new, there is actually damning information in the Inspector General report.
First it is important to understand how we got here. We have compiled a movie with a timeline that tells the story. It does start with the setting up of a private server, clintomemail.com, a week before Secretary Clinton was sworn in as Secretary of State. It ends, with the release of this report, and we intend it maintain it. So as more information comes in, we will update it.
We think a time line is important to put this in context.
The main reason why Clinton had to release her emails, was not just federal law, and preservation of federal documents, and two Freedom of Information Act lawsuits from Judicial Watch, a right wing organization, that actually takes no prisoners. The early review of this actually started with Freedom of Information requests from the Citizens for Responsibility and Ethics in Washington, a left wing site, that dropped this pursuit after David Brock bought it and fired a lot of people.
So what did the Inspector General Report find? And you can find the report hosted on this site bellow, so you can read it if you want to.
The critical findings were two fold. The first is that Secretary Clinton did not fully comply with the requirements for the preservation of federal documents. The report partially reads as follows:
With regard to her tenure as Secretary of State, former Secretary Clinton has provided the Department on December 5, 2014, with all federal e-mail records in her custody, regardless of their format or the domain on which they were stored or created, that may not otherwise be preserved, to our knowledge, in the Department’s record keeping system. She does not have custody of e-mails sent or received during the first few weeks of her tenure as she was transitioning to a new address, and we have been unable to obtain these. In the event we do, we will immediately provide the Department with federal record e-mails in this collection
There were other violations, and while she did turn in 55,000 pages of emails, which mitigated her failure to preserve these documents, these did not include the first few months of her tenure, spanning from January 21, 2009 to March 17, 2009.
There is an obligation to maintain those records, not just because of FOIA requests, but for archival and historic reasons. To be fair, the report did point out that while the law about document preservation, which included email, preceded her tenure, secretaries of state going back to Madeline Albright has not fully complied either. That said, she is the only secretary of state to have had a private server and never activated her government email address.
This brings us to the next point, cyber security. One of the reasons given by Secretary Clinton for this arrangement was convenience. She has also argued that no laws were broken, or that anything was at risk.
Cybersecurity is a major issue at the State Department. The report States:
In addition to complying with records management and preservation requirements, Department employees, including those in the Office of the Secretary, must comply with cybersecurity policies. Department information must be secure and protected from threats.
It also says that employees, and that includes the secretary, just use agency authorized information systems. her server was never authorized, or secured, by the State Department. Regulations also provide for emergency communications outside of department systems, during very limited emergency situations. Employees are instructed to be aware that using outside means might placing information where it can be accessed by both friendly and unfriendly countries. or other parties.
This is not a new set of rules, though after her tenure they have been further tightened. And for example, according to the report, in 2011, Secretary Clinton was warned.
Threat analysis by the DS cyber security team and related incident reports indicate a dramatic increase since January 2011 in attempts by [redacted] cyber actors to compromise the private home e-mail accounts of senior Department officials. … Although the targets are unclassified, personal e-mail accounts, the likely objective is to compromise user accounts and thereby gain access to policy documents and personal information that could enable technical surveillance and possible blackmail. The personal e-mail of family members also is at risk.
The report also notes that there were only three officials in the State Department that used non secured emails. The fist was Secretary Colin Powell, the second was Secretary Clinton, and concurrently to her, the former United States Ambassador to Kenya Scott Gration. The last one resigned before he was disciplined.
The former, Secretary Powell, served at a time when many of these polices were taking place. He also used a non secured private commuter for non critical or classified, communications. This is what the report states:
However, they reported to OIG that the Department’s technology and information security policies were very fluid during Secretary Powell’s tenure and that the Department was not aware at the time of the magnitude of the security risks associated with information technology.
So what did they find with Secretary Clinton?
(The) OIG found no evidence that the Secretary requested or obtained guidance or approval to conduct official business via a personal email account on her private server. According to the current CIO and Assistant Secretary for Diplomatic Security, Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs. However, according to these officials, DS and IRM did not—and would not—approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM and the security risks in doing so.
Not only that, but much of her traffic contained sensitive but unclassified information, that should be handled with care. Nor did she ever produce evidence that her server was secured to government standards. Secretary Clinton has also argued over the past year that her server was authorized and was above board, The report contradicts her, and states:
These officials all stated that they were not asked to approve or otherwise review the use of Secretary Clinton’s server and that they had no knowledge of approval or review by other Department staff. These officials also stated that they were unaware of the scope or extent of Secretary Clinton’s use of a personal email account, though many of them sent emails to the Secretary on this account.
There is also evidence that this was a matter of concern within the department. Here is but one example of this:
In November 2010, Secretary Clinton and her Deputy Chief of Staff for Operations discussed the fact that Secretary Clinton’s emails to Department employees were not being received. The Deputy Chief of Staff emailed the Secretary that “we should talk about putting you on state email or releasing your email address to the department so you are not going to spam.” In response, the Secretary wrote, “Let’s get separate address or device but I don’t want any risk of the personal being accessible.”
SPAM can be used to penetrate computer networks, as well as put in malware and viruses. Those can also create gateways to exploit a system. There was also a concern with the server that times when down. State wanted to provide with a State issued Blackberry. This partially reads:
The then-Executive Secretary informed staff of his intent to provide two devices for the Secretary to use: “one with an operating State Department email account (which would mask her identity, but which would also be subject to FOIA requests), and another which would just have phone and internet capability.” In another email exchange, the Director of S/ES-IRM noted that an email account and address had already been set up for the Secretary153 and also stated that “you should be aware that any email would go through the Department’s infrastructure and subject to FOIA searches.”154 However, the Secretary’s Deputy Chief of Staff rejected the proposal to use two devices, stating that it “doesn’t make a whole lot of sense.” OIG found no evidence that the Secretary obtained a Department address or device after this discussion.
Nor were people at the National Archives, the White House or the State Department General Counsel were aware of the server. There is another problem. Secretary Clinton has argued that there were no hacks that ever succeeded into her server. Yet they were aware of both sensitive material and attempted hacks.
On January 10, (2011) the Deputy Chief of Staff for Operations emailed the Chief of Staff and the Deputy Chief of Staff for Planning and instructed them not to email the Secretary “anything sensitive” and stated that she could “explain more in person.
There is another incident in this sequence:
In another incident occurring on May 13, 2011, two of Secretary Clinton’s immediate staff discussed via email the Secretary’s concern that someone was “hacking into her email”
Department policy is very clear on these incidents, She, or her staff, were supposed to inform security officials when there is even an attempt of a hack. This was not done, or at least the Office of the Inspector General did not find evidence of any reports to this effect.
This report, which is the result of now over a year of probes, points to both systemic problems, but also with issues with the stories told by the campaign. It is a daming report that will not help Clinton at this stage of the campaign and it might add to her negatives.
We at Reporting San Diego believe this is an important story that just now is starting to grow in intensity