This week, shortly after former U.S. Secretary of State Hillary Clinton became the poster child for enterprise BYOD issues, she held a news conference to explain and justify her convenience-oriented defense. During that briefing, she said that her private email server "was set up for President Clinton's office. And it had numerous safeguards. It was on property guarded by the Secret Service. And there were no security breaches."
That's a frighteningly outdated view of email security. Either Clinton has a woefully inadequate understanding of information security (and to be fair, she would hardly be the only high government official of whom that could be said), or she was deliberately obfuscating the situation. It's hard not to lean toward the second explanation when you consider that she had days to brief and prep before making this statement on email security.
It's worthwhile to take a closer look at that brief extract from her statement. Consider these utterances:
The server "was set up for President Clinton's office."
There is a high probability that she was referring to her husband and not being presumptive about her next job. But, oh dear, her husband left office in January 2001 — more than 14 years ago. Did the email server setup date to that time? Fourteen years is a lifetime in tech security advances. Well, we do know that the clintonemail.com domain was first registered on Jan. 13, 2009, just around the time that the former first lady and New York senator was nominated as secretary of State, which would make it much more up to date. But as to what measures had been taken to secure the server, Clinton only said that "it had numerous safeguards." Like what?
"It was on property guarded by the Secret Service."
A server's physical security is a consideration, but it's not the only consideration, or even the main consideration. Think of it. We live in a time when data breaches happen all the time. But how many of them have involved physical break-ins? Zero. Is there anyone who believes that a data breach involves some guy dressed like a robber in an old New Yorker cartoon, who breaks in and physically attacks servers with a screwdriver and a wrench? The idea that server protection can be delivered in the form of armed guards — even really good armed guards — is ludicrous. A Secret Service agent could be standing right next to the server and not know that it's being breached. And any server that's handling the email of the U.S. secretary of State and a former U.S. president is going to attract the talents of the world's best — and best-funded — spy agencies.