“The State Department’s inspector general report on Wednesday offered little absolution for Hillary Clinton or several of her top aides who refused to cooperate with the investigation into the former secretary of state’s exclusive use of a private email server.
The 83-page document, which was given to lawmakers and leaked to the press, noted systemic problems with records at the State Department but zeroed in on Clinton, concluding that she had violated federal rules with her private email server.
1. Clinton’s email setup was never approved by State security agencies
Even though department policy mandated throughout Clinton’s tenure at Foggy Bottom that day-to-day operations should be conducted via authorized means, the IG report found no evidence that the secretary of state “requested or obtained guidance or approval to conduct official business via a personal email account on her private server.”
According to interviews with officials in the Bureau of Diplomatic Security and the Bureau of Information Resource Management, Clinton would have had to “discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs.”
But those officials said they approved no such setup because of department rules and the inherent security risks.
The report said those departments “did not — and would not — approve her exclusive reliance on a personal email account to conduct Department business.”
2. Clinton never sought assistance to set up her email system to transmit certain sensitive information
The department’s policy also mandated that employees use approved and secure devices to transmit information known as SBU — “sensitive but unclassified” — outside State’s OpenNet network, and that if they did so on a regular basis to non-department addresses, they should reach out to the Bureau of Information Resource Management.
“However, OIG found no evidence that Secretary Clinton ever contacted IRM to request such a solution, despite the fact that emails exchanged on her personal account regularly contained information marked as SBU,” the report states.
3. The arrangement made staffers nervous — and management told them to keep quiet
The IG report noted that two Information Resources Management staffers had communicated their concerns with their departmental boss in late 2010.
“In one meeting, one staff member raised concerns that information sent and received on Secretary Clinton’s account could contain Federal records that needed to be preserved in order to satisfy Federal recordkeeping requirements,” the report noted.
The staff member recalled that the director said Clinton’s personal system had already been reviewed and approved by legal staff “and that the matter was not to be discussed any further,” according to the report’s language.
“As previously noted, OIG found no evidence that staff in the Office of the Legal Adviser reviewed or approved Secretary Clinton’s personal system,” the next line of the report reads.
The other staff member who raised concerns said the director stated that the department’s mission is to “support the Secretary and instructed the staff never to speak of the Secretary’s personal email system again.”
4. Clinton’s chief of staff suggested setting up a separate computer
Speaking with senior officials in the Office of the Secretary and its Executive Secretariat, as well as with Patrick F. Kennedy, the department’s undersecretary for management, Clinton chief of staff Cheryl Mills in January 2009 suggested that a separate stand-alone computer might be set up for the secretary of state “to enable her to check her emails from her desk.”
That discussion came as Clinton expressed her desire to take her BlackBerry into secure areas. Kennedy called it a “great idea” and “the best solution,” although the IG report found that no such arrangement was ever made.
5. Clinton worried about ‘the personal being accessible’
The report’s next bullet point recalls a November 2010 conversation between Clinton and top aide Huma Abedin, her deputy chief of staff for operations. According to the report, the email discussion centered around emails from Clinton’s account not being able to be received by State employees. Abedin suggested, “we should talk about putting you on state email or releasing your email address to the department so you are not going to spam.”
Clinton responded: “Let’s get separate address or device but I don’t want any risk of the personal being accessible.”
The former secretary of state declined the OIG’s request for an interview, while Abedin did not respond, according to the report.
6. Abedin rejected the idea for Clinton to use two devices
State Department officials in August 2011 discussed providing Clinton with an agency-issued BlackBerry to replace her “malfunctioning” personal BlackBerry because “her personal email server is down.” Then-Executive Secretary Stephen D. Mull suggested that he would provide Clinton two devices — “one with an operating State Department email account (which would mask her identity, but which would also be subject to FOIA requests), and another which would just have phone and internet capability.”
Abedin shot down the proposal because it “doesn’t make a whole lot of sense.” The IG did not find any evidence that Clinton received a new device or address after the discussion.
7. Clinton’s email system needed troubleshooting
According to emails the OIG said it reviewed from between “2010 through at least October 2012,” messages between State Department staff and two individuals who provided technical support for Clinton’s email server showed operational issues. “For example, in December 2010, the Senior Advisor worked with S/ES-IRM and IRM staff to resolve issues affecting the ability of emails transmitted through the clintonemail.com domain used by Secretary Clinton to reach Department email addresses using the state.gov domain,” the report states.
Staffers with the office handling information technology for the Office of the Secretary met with a Clinton top technology staffer to resolve the situation. “The issue was ultimately resolved and, on December 21, 2010, S/ES-IRM staff sent senior S/ES staffers an email describing the issue and summarizing the activities undertaken to resolve it,” the report stated.
The unnamed Clinton technology staffer also met with staffers in Cyber Threat Analysis Division on another occasion, the report said. The third interaction occurred in late October 2012 when Hurricane Sandy wreaked havoc on the New York City area. An email exchange between Abedin and another member of Clinton’s staff “revealed that the server located in Secretary Clinton’s New York residence was down.”
The Clinton technology staffer then met with Office of Information Resources Management staffers to see whether State could provide support. According to the report, S/ES-IRM staff said they told the Clinton aide they could not because the server was private.
8. The server was briefly shut down over hacking concerns
The report noted that on Jan. 9, 2011, a non-State technical adviser retained by former President Bill Clinton informed Abedin that he had shut down the server because he thought “someone was trying to hack us and while they did not get in i didnt [sic] want to let them have the chance to.”
The same person wrote Abedin later the same day, stating, “We were attacked again so I shut [the server] down for a few min.”
“On January 10, the Deputy Chief of Staff for Operations emailed the Chief of Staff and the Deputy Chief of Staff for Planning and instructed them not to email the Secretary ‘anything sensitive’ and stated that she could ‘explain more in person,'” the report stated, with Abedin being the person who sent the email.
9. Clinton and her staffers worried about being hacked but didn’t report to security personnel
On May 13, 2011, the IG report states that “two of Secretary Clinton’s immediate staff discussed via email the Secretary’s concern that someone was ‘hacking into her email’ after she received an email with a suspicious link.”
Hours after that discussion, an email from William Burns, then-undersecretary of state for political affairs, appeared in Clinton’s inbox carrying a link to a suspect URL and nothing else in the message.
“Is this really from you? I was worried about opening it!” Clinton responded hours later.
The IG report referenced pre-existing department policy requiring employees to report suspicious incidents to Information Resources Management officials when it comes to their attention, including that it is also “required when a user suspects compromise of, among other things, a personally owned device containing personally identifiable information.”
“However, OIG found no evidence that the Secretary or her staff reported these incidents to computer security personnel or anyone else within the Department,” the report states. (Politico, 5/26/2016) (Archive) (DoS OIG Report: Evaluation of Email Records Management and Cybersecurity Requirements, May 2016)