Hillary Clinton’s Emails case - expert opinion

When the F.B.I. director, James B. Comey, said on Tuesday that his investigators had no “direct evidence” that Hillary Clinton’s email account had been “successfully hacked,” both private experts and federal investigators immediately understood his meaning: It very likely had been breached, but the intruders were far too skilled to leave evidence of their work.

Mr. Comey described, in fairly blistering terms, a set of email practices that left Mrs. Clinton’s systems wide open to Russian and Chinese hackers, and an array of others. She had no full-time cybersecurity professional monitoring her system. She took her BlackBerry everywhere she went, “sending and receiving work-related emails in the territory of sophisticated adversaries.” Her use of “a personal email domain was both known by a large number of people and readily apparent.”

In the end, the risks created by Mrs. Clinton’s insistence on keeping her communications on a private server may prove to be a larger issue than the relatively small amount of classified data investigators said they found on her system. But the central mystery — who got into the system, if anyone — may never be resolved.

“Reading between the lines and following Comey’s logic, it does sound as if the F.B.I. believes a compromise of Clinton’s email is more likely than not,” said Adam Segal, the author of “Hacked World Order,” who studies cyberissues at the Council on Foreign Relations. “Sophisticated attackers would have known of the existence of the account, would have targeted it and would not have been seen.”

Mr. Comey couched his concern on Tuesday by repeating the intelligence community’s favorite phrase — “we assess” — four times, but ultimately reached no hard-and-fast conclusion. “We assess it is possible that hostile actors gained access to Secretary Clinton’s personal email account,” he said.

But that was notable: Until Mr. Comey spoke, Mrs. Clinton and her campaign have said that her server — there were actually several, in succession — was never hacked. A State Department inspector general’s report issued this year reported what looked like several attempts at “spear phishing” — fake emails intended to get a user to click on a link that would install malware on a computer — but there is no evidence that those links were activated.

Mrs. Clinton, and her campaign, have always maintained that the server was secure. President Obama backed her up in an interview last October on CBS’s “60 Minutes.” “I don’t think it posed a national security problem,” he said.

But Mr. Comey painted a different picture.

“Hostile actors gained access to the private commercial email accounts of people with whom Secretary Clinton was in regular contact,” he said.

And that would have meant that tracking the trail of electronic breadcrumbs back to her server would have been a pretty simple task. After that, their ability to break in would have been a mix of skill and luck, but they had plenty of time to get it right.

Mrs. Clinton’s best defense, and one she cannot utter in public, is that whatever the risks of keeping her own email server, that server was certainly no more vulnerable than the State Department’s. Had she held an unclassified account in the State Department’s official system, as the rules required, she certainly would have been hacked.

Graphic

What We Know About Hillary Clinton’s Private Email Server

A private email server used by Hillary Clinton while she was secretary of state has been the focus of a half-dozen inquiries and legal proceedings.

OPEN Graphic

Russian intruders were thoroughly inside that system for years — since at least 2007 — before the State Department shut its system down several times to perform a digital exorcism in late 2014, nearly two years after Mrs. Clinton left office.

Either out of embarrassment or to protect its sources of intelligence, the Obama administration has never publicly blamed Russia for stealing data from the unclassified systems at the State Department and the White House, just as it has never publicly identified China as the culprit in the theft of security-clearance information on nearly 22 million Americans stored by the Office of Personnel Management.

Mrs. Clinton’s campaign has insisted that the server did have some cyber protection software, but they have not said what kind.

But security software is useless unless it is updated constantly to reflect threats that change every day. Even then, there are ways for a determined, state-sponsored hacker to get in. The best hackers use a gap in the software that has never been discovered before called a “zero day,” suggesting there are zero days of warning about its dangers, or they wait for a user error, including clicking on a spear-phishing link.

Perhaps Mr. Comey’s most surprising suggestion was that Mrs. Clinton had used her private email while in the territory of what he called “sophisticated adversaries.” That usually means China and Russia, but could include visits elsewhere, including Eastern Europe.

James A. Lewis, a former government cyber security expert who now studies the cyber activities of nations at the Center for Strategic and International Studies in Washington, said, “If she used it in Russia or China, they almost certainly picked it up.”

Once the hardware is in a foreign country, and on its phone networks, it is particularly vulnerable. Malware can be placed on it that could turn the phone into a listening device. One lurking question is whether Mrs. Clinton’s own practice of taking the phone around the world made it susceptible to tinkering by a foreign government.

The State Department worries so much about corrupted cellphones that visitors to the secretary’s suite on the seventh floor must place their devices in lockers near the guard’s desk. Mrs. Clinton, her campaign said on Wednesday, took her smartphone to the State Department but kept it in a room outside the secure area around her office suite.

Moreover, for truly sensitive data, the State Department does not use its own networks at all. It quietly uses a network run by one of the major intelligence agencies, according to officials familiar with the system. That suggests a lack of confidence that State’s classified systems can be fully trusted.

Since the disclosure that Mrs. Clinton used private email, officials in the government and many outside it have been monitoring the internet, looking to see if any of her messages, or those directed to her, made their way into the public domain. Documents from the Democratic National Committee began circulating after it announced a breach that also appears to have been conducted by Russian intelligence.

Nothing from Mrs. Clinton has surfaced. But that does not mean they were not stolen, only that they have not been made public.