Industry Reactions to Hillary Clinton’s Use of Personal Email
Greg Hoffer, Senior Director of Engineering, Globalscape:
“As with most situations like this, it’s helpful to first acknowledge what we don’t know. Politics aside, it’s best to break this down empirically and ask questions without prejudgment or assumptions – because, based on the number of compromises across industry and government, no one is above reproach. When it comes to email – or any technology, for that matter – we need to examine people, process and technology factors. Here are my questions:
First, regardless of where the technologies were deployed, were they deployed correctly? For example, we have heard a lot about SSL-based vulnerabilities in the past 12 months (Heartbleed, POODLE, Shellshock, Superfish, FREAK) that are scary, violate the trust that we had in core security technologies, and are squarely in the arena of defects in the technological controls of security. Yes, these are bad. But even the most secure technologies imaginable are vulnerable to compromise when those technologies are not applied properly. Additionally, was the email system protected by multiple layers of security – encryption, multifactor authentication, scanning, etc.? Security can be a strength-in-numbers approach and, when done correctly, an all-boats-rise proposition.
Second, apart from what technologies were deployed, who deployed and managed them? Who provided primary IT support for the Clintons? From reports it would seem that they used some hosted security solutions to augment direct management, but what level of rigor and expertise was applied to the ongoing management and oversight of the system – particularly given the sensitivity and criticality of the communications involved?
Third, did the systems and their management adhere to regulations and best practices in terms of security policies, standards, and procedures? Regulations and regulatory oversight play important roles here. While there is broad disagreement around the full efficacy of individual standards, there should be no debate that completely ignoring recommendations and requirements leaves everyone exposed and increases the risk that technological security controls can be circumvented.”