The IG Report: Clinton is a Symptom, Not the Disease
Proof that the government basically sucks at technology
The Department of State’s Office of Inspector General (IG, herein) recently released its report on personal email use within the Department (also known as Hillary’s “email scandal”). If for some reason you already want to skip the analysis and go straight to the source, you can read the entire report here. Or, you can just keep reading this overview, and then decide if you’re interested. [You can also skip to the bottom to TL:DR where we summarize the summary. We won’t tell.]
So…if you’re still reading…why do we want to cover this here, at a homeland security blog? Interestingly, the report says an awful lot about the federal government, cybersecurity, and the fight that federal employees have when it comes to technology. Most interestingly, it says a lot about American government.
Intrigued enough? No? Well, let’s be more blunt: The IG report essentially describes in gory detail exactly how government royally screws technology up. It’s a blueprint for exactly what not to do with new tech. And, honestly, it should be a pretty big concern for the future of the United States of America.
First, a little context
This is a story of how a lack of clear guidelines can harm cybersecurity, yet overly-zealous cybersecurity can stymie ingenuity (i.e., the story of every governmental IT department). Our story starts with Secretary Albright not using email at all; Secretary Powell finding a weird workaround that violates policy; Secretary Rice again not using the technology at all; and Secretary Clinton not having clear guidelines, using a work around, and violating policy all at the same time. (We don’t know what to say about Kerry yet.)
If the highest level member of the Department must deal with this, imagine what the normal staff member goes through. (You actually don’t have to — Department employees are regularly denied access to cutting-edge technology and the Ambassador to Kenya was dismissed for violating email policy …more on that later.)
So here’s a different look at the IG Report, less focused on what Hillary did wrong, and more focused on lessons learned for cybersecurity and technology concerns for other governmental entities.
1. The Department of State has had a problem with data management and record keeping for the last 20 years.
Let’s start with the fact that the State Department (and other governmental entities) have for decades required their employees to print their emails in order to save them. Yep. In order to archive emails, federal employees, until recently, had to print them. Mind blowing, right? (Some of the first emails I ever sent from my gmail account were in 2004, and if my hotmail or AOL accounts were still active, I bet I would have a few emails dating from the 1990s.) Aside from being wasteful, it’s certainly inefficient, and it’s still happening. Just recently, in fact, the government announced it was going to try — again — to move its paper-based retirement to the modern age. That’s right…the big announcement is that they haven’t actually done it yet.
Not surprisingly, very few employees religiously kept up with the whole print-and-store-hardcopies-of-email policy (you can practically hear the trees’ cautious sigh of relief). Despite that, from the Office of the Secretary alone, the State Department managed to collect over 3,000 boxes of paper since 1997. Each of those boxes are filled with hundreds of pages of documents. But wait, there’s more: the boxes are not indexed or organized, so the IG didn’t even go through them to find the emails that may or may not be saved in those boxes. (Of the emails that were kept electronically, many were corrupted and inaccessible.)
As for the policy, no Secretary fully complied with all of the requirements. This was due to a number of reasons: Sometimes the policy lacked clarity, sometimes the Secretary was told the wrong policy, and sometimes following the policy would have been so onerous that work would not have gotten done. The State Department did not ask Secretaries Albright, Powell, Rice, or Clinton to follow any of the required exit processes. This means that they did not sign the DS-109 (we love exciting government form names, too), which states that the employee has surrendered all of his or her documentation related to official business. Bottom line: There’s actually no way to know if all documents were handed over, because the Secretaries were never told to hand them over.
2. The OIG was “unable to systematically assess the extent to which Secretaries Albright, Powell, Rice, Clinton, and Kerry and their immediate staff managed and preserved email records.”
Thus, the OIG was only able to “discover anecdotal examples suggesting that Department staff have used personal email accounts to conduct official business, with wide variations among Secretaries and their immediate staff members.” Between 2001–2008, the IG determined more than 90 Department employees within Secretary Powell’s and Secretary Rice’s immediate staff used personal emails to conduct official business. Wow. But why?
3. This gem of a quote from June 3, 2011: “State’s technology is so antiquated that NO ONE uses a State-issued laptop and even high officials routinely end up using their home email accounts to be able to get their work done quickly and effectively.”
That was said in 2011 — only five years ago.
So for the next few items on our list, let’s take a deeper dive into how the individual Secretaries used email during their terms.
4. Secretary Albright, January 1997 — January 2001
Secretary Albright did not use email, and her staff rarely did. The technology was available, but it was not utilized. It is unclear if this is a result of an old dog refusing to learn a new trick, or if the new trick was so bad, it just wasn’t worth learning.
Take away? If the top dog does not or refuses to use technology, then often the worker bees follow suit. Why would signing a comprehensive and thoughtful technology policy and directive be important when the most-likely person to sign it (the Secretary and/or her staff) does not use it?
5. Secretary Powell, January 2001 — January 2005
Secretary Powell “did not employ a Department email account” — rather he used his personal email account to conduct official business. Why? Because the Department’s email could only be sent to other State Department email addresses. In order for the Secretary of State to email individuals outside of the Department, he had to use his personal email account, and to request that a separate line be put into his office so he could connect to the internet, and not just the Department’s network.
In fact in those years, Secretary Powell had to push for all State Department employees to even have access to the Internet. (It was actually considered groundbreaking that he implemented a new-fangled technology that had been widely available for at least ten years.)
Of course, any time something new in government is implemented, a policy has to be written. That resulting policy was so unclear that Secretary Powell wasn’t told that he needed to preserve any emails; instead, he was told that his emails would be preserved because he emailed other Department emails. (Huh?) As a result, neither he nor his staff retained their email records from their private email accounts.
6. Secretary Rice, January 2005 — January 2009
Secretary Rice “did not use either personal or Departmental email accounts for official business.” Back to the Cult of Madeline? (To be fair, Secretary Albright and Secretary Rice are not the only high level officials to eschew email — Janet Napolitano famously did, as well).
With the leader not using the basic technological resources for communication, staff wouldn’t be adopting it as the primary medium. This means that despite the increase potential of technology to help government employees, very little was implemented. What incentives were there to update the technology policies that were written under Secretary Powell? Do we still wonder why government technology is poor, along with the cybersecurity surrounding it?
7. Secretary Clinton, January 2009 — February 2013
Hillary Clinton was not the only Secretary of State to use a personal email. She was, however, the only one to use a personal email and a personal server. Consider the massive leap in technological use this represents from Secretary Rice, with virtually no official direction.
Like Powell, Clinton’s staff was also told that the emails would be preserved, because Department employees would receive correspondence via their official emails. Should we be surprised? When the policies are not followed for 20 years, and are not clearly explained, of course the next person to receive the bad information further muddles the issues. It’s like a horrible game of telephone — except we are dealing with major cybersecurity concerns.
The Department advises that they did not approve of the Secretary’s personal email use, but it was, nonetheless, aware of this use. So we have an employee expected to follow unclear policies, on which he or she is not informed, and on discovery of violation are not enforced.
Though Secretary Clinton produced the most emails from the Department, her production of emails was incomplete because the production does not include received email from Jan. 21, 2009, through March 17, 2009, and sent emails from Jan. 21, 2009, though April 12, 2009. Because the Department did not enforce or follow their own policies, countless emails have therefore been lost. (Though I do remain unconvinced that the archival system the State Department had during that time period would have done any better. Just refer to the quote from the third point of this article.)
8. Secretary Kerry, Feb. 2013 — Present
Secretary Kerry uses a Department email and has, on rare occasions, used personal email to conduct official business. His staff also used their personal email occasionally. Even after this fiasco, individuals still feel the need to use their personal email to conduct business. Knowing what we know so far from the IG report, the answer to the question of why seems to be deceptively simple: the technology at the State Department sucks.
So what now?
9. The IG identified three people who exclusively used their personal emails — Secretaries Powell and Clinton, and a former U.S. Ambassador to Kenya, Scott Gration
Secretaries Powell and Clinton are obviously no longer in their former Department offices to institute changes to their personal email use. Ambassador Gration was asked to discontinue his use of personal email but refused to stop. Disciplinary proceedings were initiated for this (and other infractions), but he resigned before any of actions were imposed.
Clearly the State Department appears willing (and we assume capable) to properly explain their policies and enforce them— but this is only coming after intense scrutiny and criticism. What is unclear whether this will result in any fundamental change.
10. The Bureau of Information Resource Management (IRM) regularly denies any attempt by State Department employees to use innovative technology due to cybersecurity risks.
This is a major problem in the Federal government right now. There are incredibly beneficial technologies out there that could help the government to become significantly more efficient, yet these efforts continue to by stymied. Some are obviously due to cybersecurity concerns. Some are due to resourcing. Some are due to our old friend “bureaucracy”. (And some are due to the fact that the best minds in the field are not exactly attracted to public sector service positions. Gee. I wonder why.)
Government employees are stuck between a rock and a hard place. They want — and we need them to — to use new technology in order to better do their jobs, yet for cybersecurity concerns, very rarely are the tools permitted.
- The Department failed to adopt, clarify, or enforce policy; and
- That sucks.
What do you think? Tell us.