How Hillary Clinton's Sensitive Email Problem Might Have Been Avoided

NEWS ANALYSIS: Securing the former secretary of state's ad hoc email system was possible, and might have prevented much of the questioning that's going on now.


By now, you probably know that most of the claims surrounding Hillary Clinton's email problems are bogus, with the exception of a few that are total hogwash. I won't go into exhaustive detail here, since I've already done that. But now, as the drip-drip of revelations grows, it's worth noting that it doesn't have to be this way.

In fact, as I was reminded by a friend of mine shortly after my previous column came out (shortly, meaning about 15 minutes afterward), there's at least one product available that, had the State Department used it, would have ensured that all emails were classified appropriately. But, of course, the State Department didn't use email security software, especially not on the renegade server at the secretary of state's house in New York.

Unfortunately, all the would-have or could-have statements out there assume that there's some desire or even an inclination to protect data from even the most basic threats. In the case of Hillary Clinton, the apparent concern wasn't so much security as it was being free from probing from Congress or the media. Also, unfortunately for the former secretary of state, that part of the plan didn't work out very well.

My friend Elizabeth Safran reminded me of a company, Secure Islands, which makes a series of products that handle email securely, and even include a means of requiring that the appropriate classification for each message be entered into the application before it's sent. She also pointed out that the product encrypts email, reducing the risk of a breach even if the email is somehow collected. The product, IQProtector, is available for mobile and enterprise email systems. (In the interest of full disclosure, Elizabeth handles PR for the company.)

Had the former secretary of state used a product such as IQProtector, most of the fuss about her private server would have vanished. While there may still have been questions about motives, at least there would have been far less concern about any breach of classified information.

The problem, unfortunately, is that such steps weren't taken. Here the former secretary of state is much like a broad swath of organizations caught with their pants down when faced with security challenges. There are plenty of other examples.

Recent revelations about Target's breach of nearly two years ago show that the company failed to take even the most basic steps to ensure security of the information they were required to protect. Recent revelations about the U.S. Office of Personnel Management breach show that the OPM failed in ways far worse than were expected at the time, and in the process, endangered the lives of government employees serving in some very difficult positions.

This list of organizations and executives caught off-guard is much longer, but you've heard it before. The actions not taken, the steps not made, the opportunities lost all build up in ways that would make a good novel, except that they would strain the suspension of disbelief.

The fact that Target had actually implemented a FireEye security system, which had detected the breach in plenty of time to stop it, was only the first dropped ball for Target. In addition, Target had installed Symantec Endpoint Security on computers throughout the company, and that security software had also detected the malware that was siphoning credit card numbers out of Target's point-of-sale computers.

Wayne Rash


Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...