When the news broke that Hillary Clinton, when she was Secretary of State, had set up a private e-mail server, outside the bounds of what government IT people controlled, for her own use, I said to myself, “This is bad.” People on both right and left now seem to think this is very, very true.
And at the time, I expected to see a lot of coverage to this effect in the press. Instead, what I saw was sincere incomprehension that this was even an issue, and eventually I realized that I’d been wrong to expect otherwise. We have a press, remember, that can’t see even the slightest problem with keeping the most sensitive information in the cloud . . . with the idea that every company and organization in the world, and even the federal government, should get rid of their own e-mail servers outright and use free servers instead. They had convinced themselves that we ordinary people shouldn’t worry about the security of our data, and that nobody should, because there was nothing to worry about.
They were wrong, and arguably what Clinton did was not likely to be secure. But my first take was that if they didn’t understand this, Clinton and her people, and maybe even lots of people in the government, didn’t understand this either.
On the other hand, . . . my second take was different.
I started to ask myself, what sequence of events could have led to this taking place? Did no one step up and say, “this is insecure; this is not proper; this may not even be legal”? And I realized that almost certainly someone did. The popular conception of what happened seems to be that Clinton and some computer-illiterate people said they had to do this, for weird private reasons of their own, probably having to do with power. But the most likely thing that happened is quite different. Most likely, a bunch of IT people and a bunch of security people got together in a room. Some of them said they had certain requirements, either because the Secretary had to use certain devices, or because she had a certain setup in her house, or simply because they had investigated the standard IT setup and they found it wanting. Some regular IT people at State, it seems plausible to assume, made objections, raising regulatory issues, the fact that they didn’t do things that way, that they didn’t have or couldn’t spare personnel and resources to handle it, technical issues around opening things up for the Secretary in a way that they didn’t want to make available for other employees, or allowing her to be on the network without becoming vulnerable to them. At some point, I think it’s safe to guess, one of two things happened: either the high-level security people said to the regular State Department IT people, “I don’t care about your objections, this is the way it has to be,” or the high-level security people convinced the regular IT people that they couldn’t meet the requirements in the usual way, and the requirements did have to be met, and all things considered this was the best possible way to do it.
It comes down to whether you think it’s likely that Hillary Clinton made those requirements up, that she overrode the opinions of qualified IT and security people and made up her own server system according to her own whim. And that seems unlikely. On the other hand, a small number of high-powered security people with access to classified information, overriding the rules-following of less highly placed IT people, does seem very likely to me. And it’s not obvious to me that they would have been a hundred percent wrong.