I believe that I have spent as much time and expended as much effort trying to protect sensitive data, including email, as any human being on the planet. I have obsessed on the topic for three decades, and believe that I thoroughly understand state-of-the-art cyber security for email. To this end, I feel compelled to list two facts about the Clinton email server risk that – if honestly separated from any political bias – would not be disputed by the vast majority of cyber security professionals. But sadly, these two facts have not been part of the public discourse, which has tended to warp the public’s perspective on the true consequences associated with the separate Clinton email server.
Fact 1: Russia is best in the world at advanced persistent threats (APTs), and as such, almost certainly already has 100% of the State Department’s official government-managed email over the past decades. Go ask any cyber security expert what they think. Ask them whether they believe that Federal agencies such as the US State Department are better at protecting sensitive data than JP Morgan Chase, Target, Sony, Wendy’s, Home Depot, Verizon, Experian, and many others. The Office of Personnel Management (OPM), as an illustration, was unable to protect perhaps the most sensitive information in our country from foreign attack. So if you think that a separate email server may have exposed sensitive data, then you are worried about a tiny burning match amidst a glowing bonfire.
Fact 2: If properly secured and managed, a distributed email infrastructure – which implies setting up separate servers away from the corporate network – is a more secure protection method than trying to hide email inside centralized, perimeter-protected networks such as would be found in the State Department. In cyber security, we call this technique micro-segmentation, and it reduces risk considerably. Go ahead and ask any cyber security expert whether they would – if their life depended on it – trust their data inside a civilian agency perimeter, or if they would prefer to set it up elsewhere in the cloud. Even with weaker controls, they would probably opt away from the standard Federal agency networks, which are essentially nothing more than police-tape protected, sitting ducks.
Look, the likelihood that someone in the Clinton camp set up a separate server because they were intrigued by micro-segmented cyber security is less than negative infinity. And the password decisions made by John Podesta for his Gmail account are deplorable at best. But all this nonsense about email being put at risk because it was managed outside the corporate network is just that – nonsense. And I’d add that when the Republican candidate begged Russia to turn over the lost Clinton emails, the irony is that if those emails had been processed on official State Department servers, my bet is that Russia could have easily complied with his request.