[ryanczak]

violating the terms of your security clearance agreement is not generally a criminal offense. You will almost certainly lose your clearance and your job but you have to have committed an actual crime to be prosecuted. If their is not evidence of classified material being leaked then there is no crime. My guess is that there is no evidence of a crime in this case. If she were still Sec. of State she would have bigger problems I imagine because she would lose her clearance at the very least and likely her job. Where things get interesting to me is that by being elected to office she is put in a position to require a clearance. A typical person (one that has had a clearance revoked) would not be granted a new clearance. I suspect the rules are different when you get elected president.

[snuxoll]

> Where things get interesting to me is that by being elected to office she is put in a position to require a clearance. A typical person (one that has had a clearance revoked) would not be granted a new clearance. I suspect the rules are different when you get elected president.

Being elected POTUS automatically gives you the highest ranking clearance, end of discussion. You could have been a convicted felon with your security clearance stripped and no chance of getting it back, the moment you become POTUS all of that becomes irrelevant for your term.

[beat]

Indeed. If she were still SoS, she'd probably have to resign over this. But the idea that she could be denied a security clearance as president is kind of ludicrous - especially when you consider that the point of security clearance rules is not to protect the data, but rather to protect the nation. A president who couldn't see the data required to make sound decisions would be actively dangerous. It'd be like driving with a blindfold on.

Of course, this won't make much of a difference to her partisan detractors. Haters gonna hate, and the email scandal is not so much reason as excuse for most of the people who already oppose her. But if she is elected, of course she'll get full presidential security clearance. To do otherwise is stupid.

What matters most to me is that we make changes in both policy and process so this doesn't happen again - policy in that it becomes crystal clear that private email for public business is unacceptable, and process so that the "If you can do your job, we're not doing ours" vibe of the info security world doesn't make the Secretary of State (or anyone else) feel like they can't do their job properly using the official channels.

[throwanem]

> the idea that she could be denied a security clearance as president is kind of ludicrous

Certainly so. I'm not sure the same is true of the idea that someone with a proven record of such a careless attitude toward security should be denied the presidency on that basis. That seems like a discussion worth having, although, given the modern political climate in the United States, not one likely to actually occur in any way that's even marginally useful to anyone.

[beat]

I wouldn't call it a "careless attitude toward security". She's thinking in a different way than we do, because she's a diplomat, not an engineer.

There is no technical reason that a privately administrated email server would be inherently less secure than a government-administrated server (there are good arguments that it's likely to be more secure). However, a private email server is likely to be far more user-friendly and free of "security theater" constraints. Speaking from experience, the usual approach of government and other large organizations to "security" is to throw user experience out the window, forcing ugly/retro "proven" tech on users, requiring complicated and difficult administrative steps to use the system, slow approval and ticketing processes, etc.

The primary job of the Secretary of State is to communicate. Any time wasted on arbitrary tech hoop-jumping, any restrictions on how that communication happens, is keeping the SoS from doing their job. Can you imagine if we were in the middle of a political crisis and suddenly the Secretary of State is on hold with tech support while dealing with a forced password reset or something equally stupid? American lives at risk, and Lotus Notes is the only way to communicate? Etc. See the issue here?

To really resolve the problem, they would need a relentlessly service-oriented approach for whomever is responsible for email at the State Department. It would have to be as friction-free an experience for the user as possible, within the boundaries of security.

Until then, every Secretary of State is going to put their ability to communicate quickly and easily with the most important and powerful people in the world ahead of the kinds of technical wank that the average HN user thinks is important.

[throwanem]

I absolutely do see the issue. But I'm not quite ready to concede that

> the kinds of technical wank that the average HN user thinks is important

includes whether or not the details of diplomatic communications at the highest level of our government are trivially available even to middle-tier private actors, to say nothing of potentially hostile states. Call it "technical wank" if you like, but information security exists for a reason, too. Can you imagine if we were in the middle of a political crisis and suddenly most of the Secretary of State's electronic communication is freely accessible to the same people with whom he's trying to negotiate an outcome favorable to the United States? See the issue here?

I totally get what you're saying with regard to user friendliness being a primary concern at this level, and I agree with it. I don't agree that the proper response to UX concerns, however difficult, is simply to throw security to the winds in the cause of easing communication - because security is a primary concern at this level, too.

[beat]

I don't think of a well-secured email server as "trivially available". I'm presuming that the private server in question could be and was well-secured. Again, I'm asserting that there is no technical reason that a well-administrated private server cannot be every bit as secure as a government-managed server that provides the same access to the outside world. The suggestions of air gaps and other measures suggested here simply won't meet requirements. Remember, those "potentially hostile states" are exactly the kind of actors the SoS needs to be able to reach via email.

Moreover, the security of individual emails depends on the security of the recipient as well as that of the sender. Sensitive/classified emails sent to officials of non-US governments are subject to whatever security they might have. The only solution to this leak vector is to completely ban email as a means of communication - which gets right back to the core requirement that the Secretary of State must be able to communicate quickly and efficiently.

I'm not arguing to "throw security to the winds", and I don't think that's what was done here. Again, I'm asserting there's no reason to believe an email server administrated by the State Department would be any more secure than an email server administrated by skilled private admins.

[throwanem]

You're conflating a well-secured email server administered in conjunction with State's infosec team - which I agree would be perfectly reasonable from a security perspective - and what actually obtained in the case at hand.

You're also conflating the responsibilities of State Department personnel with regard to information classified by the government they've sworn to serve, and the responsibilities of other nations' diplomatic personnel with regard to information originating in the government of a state foreign to them.

Neither seems especially conducive to a useful discussion of the matter at hand.

[_wp3r]

Couple of considerations.

There are technical reasons that SIPR and JWICS communications are more secure than a private server. Mostly related to air-gaps and physical key infrastructures.

Secondly, the correspondence in review is internal and not so much related to the external communication role of the SoS. In this specific circumstance, the SoS chose to forgo the security apparatus for internal classified communication for something more user friendly.

[Retric]

An air gap would mean her private email could not reach computers on SIPR and JWICS which implies the SOC's email is not on those networks.*

*baring some sort of store and forward.

[_wp3r]

You are exactly right. Those systems are closed loop for a reason. The store/forward in this specific case was most likely a human, with a scanner or just retyping documents from those networks on to a unclass network and then sending to the private address. How that is not deliberate we will never know.

[_wp3r]

Interesting article about the CNI, having a suspended clearance.

https://www.washingtonpost.com/news/checkpoint/wp/2016/01/27...

[andy_ppp]

Wow, that's incredible! Hard to believe he hasn't just been sacked... clearly cannot do his job fully?

[jonwachob91]

Losing her clearance may not mean losing her job - https://www.washingtonpost.com/news/checkpoint/wp/2016/01/27...

I found that one, but I was looking for a case with an Army General had lost his clearance but kept his job...

I'm not sure what clearance the Sec. State gets, but as President she wouldn't need any clearance as the power to classify material stems from her office.

[chris11]

Yeah, I think that being president requires access to classified material. And I believe that the voters electing someone president should be enough to get them access to that material.