The potential misuse of classified information in the office of the Secretary of State has been at the top of the news daily for quite a while, but while there have been claims and counter-claims, almost nobody seems to understand what this all means.
In fact, there are specific rules about how sensitive government information is handled in electronic communications, and those practices could have an impact on how your company handles its own sensitive communications.
First, about the rules. The issue of electronic messaging security and specifically the use of email for classified information is the subject of U.S. regulation. It’s specifically addressed in an Executive Order issued by President Obama in 2009, and that order covered the Secretary of State during the time Hillary Clinton held that office.
However, it’s worth noting that those aren’t the only laws that cover the email activities of public figures who are government employees.
As explained by my friend David Gewirtz, journalist and director of the U.S. Strategic Perspective Institute, an independent public policy think tank, when those government employees are participating in any political activity, no matter how minor, they are prohibited from doing so using any government resource by a law called the Hatch Act.
What this means is that conducting any political activity requires that the employee use an email account that doesn’t belong to the government.
Because Hillary Clinton has been running for President since sometime in the last millennium, she was required by law to use a private email account for those activities.
It also means that she can only conduct official business using email on a system that meets the security requirements that cover the most sensitive information that may pass through that system. So if she’s handling any Top Secret email, ever, then the email system has to meet the requirements for Top Secret.
However, that does not mean that every official email that emanates from the Secretary of State’s email account is top secret, only that the email system in its entirety be able to meet the qualifications for that level of classification.
Those qualifications, incidentally, do not include using a server or an email service belonging to the government, which means that a privately owned email server can also meet those qualifications, if the server, the network with which it communicates and the physical surroundings of the server and network equipment meet federal standards for secure processing.
So what about sending and receiving classified email, which is at the center of the whole email controversy? In terms of creating and sending classified documents, the Secretary of State is authorized to originate classified information.
In addition, several of her senior employees were also authorized to originate classified documents, including messages. The Secretary of State is empowered to delegate the ability to classify messages and documents to others and may specify the classification level for the communications they create.
The Real Security Rules That Applied to Hillary Clinton’s Email Server
The rules for what constitutes classified information are laid out in a variety of places, but they include communications on the foreign relations of the United States. Some seemingly innocuous messages, such as making a lunch date with a senior official, may in fact be classified because they specify the movement of a senior official who may be under threat.
Receiving classified information, on the other hand, is slightly different, if only because the receiving party has little control over what is being sent by someone else. So even if the Secretary of State were to have received those secret satellite images as claimed, she didn’t break the law in receiving them.
However, because of her position in government, she should have requested the guidance of the Information Security Oversight Office. Before being allowed to handle classified information, the Secretary of State is required to have received training in how to handle it.
Note that I haven’t mentioned the classified markings on messages, which is another topic of discussion lately. Those markings are important, and before any message containing classified information leaves any office, it must be marked accordingly. Those markings are Confidential, Secret and Top Secret. There may be additional restrictive modifiers, such as NOFORN, which means that the information may not be given to any person who isn’t a U.S. citizen.
It’s the content that determines the classification of a message, not the label. Longer documents or messages may have sections classified differently, so one paragraph may be Confidential, for example, while another may be Top Secret. The overall classification of the message or document is determined by the highest level of any part of the content in a message.
If a document containing classified information is found without an appropriate label, then it’s required that the appropriate level of classification be applied to the document or message. This means that if the Secretary of State received information that was not marked classified, but which contained information that should have been, then a classification should have been added.
Note that nobody expected Secretary Clinton to have read and managed all of this email, nor its many permutations. This is why the secretary has a staff, after all, and it’s normally their responsibility to handle this. One former State Department official, Carroll McKibbin, explained how all of this works in his fascinating column in the Des Moines Register.
The bottom line of all of this is that the secretary’s email certainly contained material at some level of classification, but most of it was unlikely to have been Top Secret. But even confidential material requires some level of protection, and the real question now is whether it got that.
Now that you’ve learned all of this, think about the email in your own company. Is your personal email account really secure enough for your company’s most sensitive information? Probably not. Maybe it’s time to straighten that out.