Lessons from Hillary Clinton’s Email Security Oversight

Hillary Clinton is in hot water for her decision to use a private email domain instead of her government-issued one when she was Secretary of State. In her defense, she claimed that since she owned the server and it wasn't a Gmail or Hotmail account, she was acting responsibly.

As it turns out, there was likely a three-month period during which her private domain was unencrypted. In this time she also traveled to China, Israel, Japan, Korea and Turkey on official state business and was presumably communicating job-related information via email.

While she firmly believes that no breach occurred, the reality is neither she nor the State Department can confirm that. It is a fact that some of the countries she traveled to, like China, are actively engaged in cyber espionage against the U.S.

"In locations where the countries are known to operate and monitor network communications, like China and other countries, that certainly would be a real threat," [Kevin] Bocek [VP of Security Strategy and Threat Intel at Venafi] said, mentioning that some parts of the world are "known to have active eavesdropping campaigns."

Does this mean her emails were intercepted? There is no evidence of that. However, this security oversight perfectly illustrates how an elected official can unwittingly compromise state security. It turns out Clinton isn't the only VIP who uses private email addresses.

Tom Kellermann, Chief Cyber Security Officer for Trend Micro, is quoted in a Forbes article saying, "[M]ost wealthy Americans will use some kind of private cloud-based service to protect their anonymity and insulate themselves from the media." The only problem: privacy seekers are "not insulating themselves from hackers."

If the private email account of, for instance, the CEO of a major corporation fell into the hands of the wrong people, it could have devastating consequences. Such an account could contain login credentials, potentially enabling hackers to spoof the CEO's email address and request wire transfers to hacker-owned bank accounts or extract other sensitive data.

Hillary Clinton's actions help illuminate the magnitude of the challenges faced by CISOs. That being said, how much authority does the average CISO have to govern the Internet activities of board members or CEOs? Probably about as much as they have to govern the web and mobile development projects of sales and marketing.

Realistically, CISOs, particularly in enterprises that are new to security, will need to find technology that will help them gain visibility into shadowy areas where sensitive data exists or is being transmitted online.

They need a way to stay ahead of any sticky wickets such as rogue email domains or other digital assets. If they can stay on top of these potential points of vulnerability, they can stay ahead of internal and external security threats.
