Cyber security experts are sceptical of the companies Hillary Clinton chose to oversee her private email server, which allegedly contained classified and top secret national security information from when she served as Secretary of State.
After she left the State Department in 2013, Clinton — now under fire for using a personal email account for work-related correspondences while serving as America’s top diplomat — hired at least three different private firms to manage different aspects of her server.
The firms included Platte River Networks, a Denver-based firm that hosted her server; SECNAP, which sold her a firewall program known as CloudJacket SMB to detect hackers; and Datto, Inc., a cloud storage company that backed up Clinton’s emails in case her server crashed.
The companies, which are relatively unknown, have been described by some cyber security experts as odd choices for such a high-level public figure.
“I’ve never heard of SECNAP or CloudJacket SMB, which says a lot right there,” Michael Borohovski, CEO and founder of TinFoil Security, told Business Insider. “But the ‘SMB’ in ‘CloudJacket SMB’ means Small Medium Business, which Hillary Clinton is not.”
“She was evidently using the cheapest plan of this tool, which is a run-of-the-mill firewall to begin with,” Borohovski added. “If you’re Secretary of State, or running for President, I wouldn’t recommend it.”
Joe Loomis, CEO of CyberSponse, hadn’t heard of SECNAP or its threat monitoring tool, either.
“It’s pretty shocking,” Loomis told BI. “Why entrust this small, unknown company with protecting the data of a former Secretary of State?”
Clinton’s unusual email system was originally set up by a staffer during Clinton’s 2008 presidential campaign, replacing a server used by her husband, former President Bill Clinton.
Facing criticism earlier this year for her use of the server, Clinton handed over about 30,000 work-related emails for the State Department to make public and deleted about 31,000 emails she says were personal.
Facing mounting criticism over her use of the server while she served as Secretary of State, Clinton handed over the server to the FBI in August and
defended herself earlier this month on Meet The Press by saying she was unfamiliar with the server’s “technical aspects.”
She added that she “was not that focused” on the server, which she left in the hands of experts when it came to security.
“There’s only so much I can control,” she said. “I can’t control the technical aspects of it. I’m not by any means a technical expert. I relied on people who were.”
But because Clinton made a conscious decision to bypass the State Department’s server — and the millions the government has spent to protect it — in favour of her own risky setup, her ignorance of the technological particulars a poor excuse, Loomis said.
“The fact that Clinton chose to use her personal email instead of a .gov account shows that she obviously doesn’t understand security,” Loomis added. “What she did is like inviting spies over to dinner — every device connected to the internet is an opportunity for them to collect intelligence.”
“This world is full of cyber warfare, and your computer is a part of that warzone.”
Another company, Datto, Inc. — founded eight years ago by Austin McChord out of his parents’ basement — was hired by Clinton in June 2013 to store and back up her emails on a cloud in case her server crashed.
But Platte River, which has housed Clinton’s server since 2013, told Politico last week that Datto “was never supposed to have a cloud.”
In response to the controversy, McChord posted a statement on Datto’s website ensuring clients that “the privacy and security of our customers’ data is paramount … Datto, by virtue of our channel model, does not generally know who our end users are or have the ability to access their data stored in our cloud.”
And while cloud storage itself is not inherently dangerous, extra steps should be taken to secure the data of any high profile client, which makes it important for the company to know who it is serving.
“Anytime you hear the words ‘cloud storage,’ that means it’s a single monolithic technology that tens of thousands of people have access to, so you’re at the behest of all those different access points,” Chris Drake, founder and CEO of the cloud storage firm Armour, said in an interview.
“That’s why we focus on adding security around each and every environment individually. If it’s highly sensitive data, you don’t use shared services.
“If the company did not have a level of security that matched or exceeded the type of information it was storing, this could be potential negligence.”
Borohovski echoed this sentiment.
“I don’t know if Datto encrypted Clinton’s data, but I can almost guarantee it’s not done by default,” he said. “If we had the Secretary of State as a customer, we’d be siphoning the data off to a separate cloud that’s not comingled with other customers.
“Is it inherently insecure to have emails in a cloud? No, they’re already on the internet,” Borohovski added. “Is it insecure for her to have stored them with a company no one has ever heard of? Probably.”
‘Total amateur hour’
Clinton’s use of the server was allowed under State Department regulations, but there are rules governing how the server should be configured and protected so it is not vulnerable to cyberattacks.
Reports that hackers in China, South Korea, Germany, and Russia tried to break into Clinton’s server have raised questions about the kind of security precautions the 2016 presidential candidate and her team took to safeguard the sensitive information that sometimes passed through her inbox.
It is unlikely that the attacks on Clinton’s server were targeted at her directly: The attempts discovered were basic phishing scams disguised as speeding tickets, the AP reported, and rather unsophisticated.
But the malicious emails highlight the fact that Clinton’s server was at least vulnerable.
And according to a new AP investigation, the way Clinton’s server was connected to the internet — via a Microsoft remote desktop service that permitted remote access connections without additional protective measures — made it particularly vulnerable to hackers, which is something her security experts should have known.
“That’s total amateur hour,” Marc Maiffret, Chief Technology Officer at BeyondTrust, told AP. “Real enterprise-class security, with teams dedicated to these things, would not do this.”
And if malicious state actors did know that Clinton was running a private email server and they tried to hack it, “then it’s almost a sure thing that they were successful,” Borohovski said.
“It’s possible Clinton’s server was breached before she even sent her first email,” Borohovski said.
“She probably didn’t mean to put government at risk, but she ended up doing it by running an external mail server that was secured with questionable resources.”
Business Insider Emails & Alerts
Site highlights each day to your inbox.