Comey Indicts the State Department Information Security Culture

FBI Director Jim Comey announced that the FBI has concluded its investigation into Hillary Clinton’s use of a private email server and is recommending that the Department of Justice not pursue any charges. Ben has already shared some thoughts on the statement and decision to not pursue charges. However, there is one additional element worth noting. Within the more politically consequential parts of his statement, Comey takes a notable swipe at the information security culture of the State Department:

While not the focus of our investigation, we also developed evidence that the security culture of the State Department in general, and with respect to use of unclassified e-mail systems in particular, was generally lacking in the kind of care for classified information found elsewhere in the government.

That statement—which Comey was careful to note was not coordinated with any other part of the government—is no doubt prompting murmurs of agreement in a number of federal office buildings. The State Department’s reputation for not being an information security team player predates Secretary Clinton’s tenure and endures beyond it, and deserves far more attention than it has received amidst the sordid political posturing of this whole investigation.

In October 2011, President Obama signed Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. The stated aim of EO 13587 was to

ensure coordinated interagency development and reliable implementation of policies and minimum standards regarding information security, personnel security, and systems security; address both internal and external security threats and vulnerabilities; and provide policies and minimum standards for sharing classified information both within and outside the Federal Government.

EO 13587 appoints the Director of the NSA as the Executive Agent for Safeguarding Classified Information and charges the Agency with “conducting independent assessments of agency compliance with established safeguarding policies and standards,” in addition to those information assurance duties assigned in National Security Directive 42. However, EO 13587 does not include an enforcement mechanism to require either system access or compliance, should an agency be disinclined to cooperate. The Cybersecurity Information Sharing Act does give the Secretary of Homeland Security some additional teeth in bringing federal agencies in line on cybersecurity standards—though classified information and national security systems are exempt.

But there is evidence that State’s own overseers in Congress view the agency as a problem child in this regard. In June of last year, the Senate Committee on Foreign Relations included a rather pointed directive in the draft Department of State Operations Authorization and Embassy Security Act for FY16. The provision directs the Secretary of State to regularly consult with the Director of NSA and make relevant networks "available" for tests and procedures. No other federal agency is subject to a similar directive, presumably because no one has seen the need for one before. The provision was not included in the final bill, but the legislative annoyance is preserved in the congressional record:

Section 206. Information technology system security

1. In general

The Secretary shall regularly consult with the Director of the National Security Agency and any other departments or agencies the Secretary determines to be appropriate regarding the security of United States Government and nongovernment information technology systems and networks owned, operated, managed, or utilized by the Department, including any such systems or networks facilitating the use of sensitive or classified information.

2. Consultation

In performing the consultations required under subsection (a), the Secretary shall make all such systems and networks available to the Director of the National Security Agency and any other such departments or agencies to carry out such tests and procedures as are necessary to ensure adequate policies and protections are in place to prevent penetrations or compromises of such systems and networks, including by malicious intrusions by any unauthorized individual or state actor or other entity.

3. Security breach reporting

Not later than 180 days after the date of the enactment of this Act, and every 180 days thereafter, the Secretary, in consultation with the Director of the National Security Agency and any other departments or agencies the Secretary determines to be appropriate, shall submit a report to the appropriate congressional committees that describes in detail—

(1) all known or suspected penetrations or compromises of the systems or networks described in subsection (a) facilitating the use of classified information; and

(2) all known or suspected significant penetrations or compromises of any other such systems and networks that occurred since the submission of the prior report.​

Members of Congress weighing in on the FBI’s recommendation will undoubtedly fall along partisan lines, and those criticizing the decision are apt to emphasize the importance of protecting classified information. But if these protestations are anything more than political posturing, they must move beyond the individual judgment of Secretary Clinton and be accompanied by serious efforts to support structural safeguards for classified information across the federal government. The State Department is hardly alone in needing significant improvement. But, while we're all talking about it, it’s a pretty good place to start.

***

Update: The State Department, unsurprisingly, disagrees with Comey's assessment. According to State spokesman John Kirby, "[W]e don't share the broad assessment that there's a lax culture here at the State Department when it comes to dealing with classified information. In fact, quite the contrary. We take it very seriously."