Revelations that Hillary Clinton exclusively used a personal email account to conduct government business as Secretary of State should scare the hell out of CIOs.
The government spends $14 billion a year on cybersecurity, but no amount of spending or regulations will make a difference if top leaders flout the rules and set up a parallel shadow IT system on unprotected public networks.
This is what should be keeping CIOs and other IT leaders up at night. Nearly 54 percent worry about security for cloud installations, but at least with FedRAMP-approved technologies they can rest assured that the security risks have been mitigated. But that should be the least of their worries if employees are going off the reservation.
“What’s the biggest threat to corporate security?” asked Gregory Millman in a Wall Street Journal piece in 2013. “In many companies, it could be the CEO.”
In government, it could be cabinet secretaries, congressmen, agency chiefs, directors, generals, admirals … the list goes on. All have needs to access vast quantities of critical data and staffs eager to make things easier for them. If rules are made to be broken, leaders are the likeliest to break them.
Of course, once the staff sees the boss going rogue, it’s not long before they’ll do the same. ‘Do as I say, not as I do’ only goes so far.
John Banghart, director of Federal Cybersecurity with the Cybersecurity Directorate of the White House National Security Council, told a MeriTalk gathering of Federal cyber pros last summer: “We [have] often failed… to do a good job with what you might call the cyber hygiene element, configuration management, vulnerability management, asset management.”
Shadow IT networks are among the worst vulnerabilities, because they exist outside the view of IT managers. You can’t catch that with CDM, no matter how much you spend, if everyone in the agency is in on the deception, as may have been the case with Hillary Clinton.
A 2013 MeriTalk study found half of all Federal cyber officials believed their agencies security policies were violated once a week. The Secretary of State and her staff must have been violating them dozens of times a day.
IT companies are investing millions to help ensure Cloud solutions meet maximum security standards, and they should. But all the money they’re investing in FedRAMP is for naught when leaders or rank-and-file employees decide to do their own thing.
“Despite increases in cybersecurity technology investment, a failure to address human factors and engage employees as part of an integrated security strategy leaves today’s businesses and governments critically vulnerable to cyberattack,” Christian Anschuetz wrote last week in a Wall Street Journal blog.
FISMA Be Damned
The White House put out its annual report on Federal Information Security Management Act compliance last week. It noted Federal agencies reported nearly 70,000 information security incidents in fiscal 2014, up 15 percent from FY 2013.
They didn’t know about Clinton. Her staff said they reviewed “tens of thousands” of pages emails and delivered some 55,000 pages of emails to the State Department. Each email amounts to a potential violation.
Don’t think it stops there. Right now hundreds, if not thousands, of government executives and political appointees are wondering what to do about their gmail, Yahoo, Apple and Outlook accounts. Hillary was not unique.
Clinton’s decision to shun State’s internal email may ultimately offer a silver lining: By bringing the issue to light, it is bound to raise awareness about the cybersecurity risks involved – much like Edward Snowden raised awareness about insider threats. And with Clinton likely to make a presidential run, it’s likely to bring the whole issue into the public debate.
Thank you, Madam Secretary.
What do you think? Did Mrs. Clinton make a major error and put data at risk? Or is this just Beltway bluster?
Feel like sharing something Noteworthy? Post a comment below or email me at firstname.lastname@example.org.
Bill Glanz is the content director for MeriTalk and its Exchange communities. In the past 14 years, he has worked as a business reporter, press secretary, and media relations director in Washington, D.C.