Tuesday, March 10, 2015

ATR: Thoughts on Email

The media is abuzz with stories about a certain former US Secretary of State using her own email server to send and receive official email related to her office. There is certainly plenty of fodder here for political accusations at each party and I'd rather not get into that here. My focus is on information governance and records management, so let's focus there.

From the time that I was but a wee little records manager, I learned that the basic definition of a "record" included language akin to "...recorded information, regardless of physical form or characteristics...". In slightly later days, the litany of types of records included as examples of records was amended to include "machine readable" or "electronic" records. The foundation for this definition has historically been the United States Code and the Code of Federal Regulations. This is not something new. The laws and regulations have been on the books for decades. They were purposely written to ensure that the advancement of technology did not negate the effect of the law or rule.

Part of the problem over the past 20 years is that the pace of technology has outstripped the ability to manage the information created by technology. Whether in the public sector or in the private sector, email volumes have grown exponentially. The US Federal government, particularly as embodied by the National Archives, has been stymied in efforts to manage electronic records. I can recall efforts from the mid-1990's to get a handle on electronic records in the US government.

The Code of Federal Regulations (36 CFR 1220 et seq.) has been quite clear that a Federal Agency is responsible for managing its records. There's no provision for storing paper records in your basement or electronic records on a server that you built in your garage. While certain agency policies have been cited relative to third parties hosting email, I don't think that was ever intended to allow a government employee to deploy file or email servers. I would expect that the intent of those allowances was for services hosted by Microsoft or Google or some other appropriately contracted and vetted service provider.

A variety of state and Federal officials have been dragged into this frenzy because it became known that they had personal email accounts during their terms of office. From my reading, it appears that some of them have admitted to using personal email accounts for official business. Importantly, though, this usage has not been exclusive and has not been on email servers that they housed in their residence or under their direct control. I can certainly understand that a politician may want to use a third party email system for purely political or personal purposes. They may also take great pains to keep that information apart from their official actions. So from that standpoint, I don't fault the former Secretary's interest in keeping her personal (and political) email separate from her official email. In that regard, she was well within the provisions of US law and regulations. But by mixing her official correspondence with personal correspondence on a server that she (and her apparently personal staffers) controlled, I'd suggest that the law was broken with regard to maintaining official government records in accord with 36 CR 1220.32, "Agencies must create and maintain authentic, reliable, and usable records and ensure that they remain so for the length of their authorized retention period." By removing the email from the server and printing it out -- and not maintaining a full audit trail of what was deleted (although interestingly, there seems to be knowledge of the number of emails deleted), I would suggest that it is very difficult to prove the authenticity or reliability or any of the emails produced in paper form.

Now let's turn to information security. It's safe to say that every Federal agency head and Cabinet-level appointee is a likely target of nation-state-sponsored hackers. Most historians are quite familiar with the Zimmermann Telegram, which is one of the earliest examples of "hacking" electronic communications by a nation-state. The former Secretary stated that the email server was secure because her home was protected by the US Secret Service. Well, that may have protected the server from a physical attack, but it stands to reason that there were plenty of hackers who could have had an interest in that server and "owned" it quite easily. After all, the State Department's own network had been successfully penetrated. We'll take the former Secretary's word that she was cautious about not transmitting Classified information with her email, but suffice to say that her communications with other officials likely contained strategic direction and discussions based upon Classified intelligence. If nothing else, a hacker would have been likely to easily collect foreign policy decisions ahead of their release as well as insider discussions and debates about foreign policy. As we have seen with other emails released by hackers, email exchanges between ranking government officials can be quite direct and revealing when no one appears to be watching. It may be many years before we know what access hackers had and what secrets they had access to.

While the violation of various elements of the US Code and the Code of Federal Regulations is bad enough (as well as the likely sanitizing of the historical record), the bigger issue is the breach of security. I would hope that someone with access to the highest levels of the US government; who likely had access to the most highly classified information; who should have been briefed on the ongoing threats to national security by nation-state-sponsored hackers, would have (or certainly should have) known that she was a high value target and acted accordingly. Even if the minion who set up her email assured her that it was properly protected, it seems reasonable that a thinking person would have had second thoughts about her own cyber security when she learned about successful state-sponsored APT attacks against some of the country's most protected government agencies and private companies.