Hillary Clinton violated numerous State Department rules by using privately owned thumb drives to copy 30,000 of her official emails for her lawyer, according to a Daily Caller News Foundation investigation.
In December 2014, the former Secretary of State downloaded 30,000 government emails created during her tenure in the position from her private server onto three commercial thumb drives which her lawyer, David Kendall, transported to Washington, D.C.
The State Department released 7,000 new Clinton emails Monday, at least 125 were treated by the department as classified. The FBI is now conducting a criminal investigation into the handling of her emails, more than 400 of which have now been shown to include classified material.
In transferring her emails to private thumb drives, Clinton violated a slew of federal regulations, including those of her own State Department.
The State Department’s Foreign Affairs manual prohibits the storage of classified material on any external drive, stating, “the flash drive may only be used for the transfer of unclassified files.” Flash and thumb drives are treated inter-changeably by the rules.
Further, unclassified material must be on a “department owned” drive, not a personal or private sector drive.
If the information on the drive is unclassified, but still sensitive, it “must be encrypted to current standards” for transportation, according to the manual.
State Department rules also required that Clinton’s email transfer had to be approved and closely supervised by a department computer security official.
Finally, the National Institute for Standards and Technology, which sets minimum government-wide standards for IT security, ordered that thumb drive restrictions be imposed if the contents were “high value,” a lower standard than classified information.
Neither Clinton nor Kendall, have ever said they acquired the thumb drives from the State Department. They have also refused to clarify how they were obtained and if they were encrypted.
Sen. Ron Johnson, R-WI, chairman of the Senate Homeland and Governmental Affairs Committee, expressed alarm over the private Clinton email system and her decision to use thumb drives, telling the DCNF in a statement that he has “unanswered questions about whether the State Department approved Secretary Clinton’s use of a non-official email system,” including “how the thumb drive containing classified information was protected.”
Kendall learned on May 22 that Clinton’s emails contained classified material, but it was not until six weeks later that any steps were taken to secure the emails.
Six weeks later, on July 8, the State Department insisted that Kendall secure the drives in a government-issued safe, which it sent to his law firm.
“The thing that’s always bothered me is the timeline,” said a congressional investigator familiar with security matters. “You have a six-week gap there where they know it’s classified but they have no protection in place to secure the thumb drives.”
Kendall then surrendered the thumb drives to the FBI in August.
The State Department, citing the ongoing investigations into Clinton’s emails, declined to say anything related to the thumb drive issue.
“There are reviews and investigations underway. It would not be appropriate to comment on these matters at this time,” said State Department Spokesman Alec Gerlach.
The military and intelligence services banned commercial thumb drives outright as early as 2008, relaxing policies in 2010 for only “mission critical” assignment use. The State Department mirrored that policy.
The congressional investigator said he was concerned about hackers if Clinton obtained the thumb drives from commercial sources, not from the federal government.
“It raises a number of questions about the security of the content her flash drives and whether or not it was compromised by malicious actors,” the congressional investigator said.
He said if she obtained the thumb drive from the State Department as required by the rules, “You have more confidence in the security of the device if you have trust in who has provided this device to you.”
“Portable storage devices can be the source of malicious code insertions into organizational information systems,” NIST stated in its 2014 rules, publication 800-53, titled, “Security Controls and Assessment Procedures for Federal Information Systems and Organizations.”
Thumb drives “may contain malicious code that can be readily transferred to information systems through USB ports or other entry portals,” warned NIST.
“Our concern is the nature of the device,” said the congressional investigator. “You hear stories about how other nation’s intelligence agencies have conducted this sort of operation where they have infiltrated networks by putting software onto a flash drive and that’s inserted into a computer and are able to access the system.”
A former expert in U.S. Embassy security and of high-threat posts in Europe and the Middle East told the DCNF that “at the user level at the State Department, they were pretty scared to do anything with flash drives. They were pretty fearful of any repercussions they would feel for doing anything with external drives.”
IT security experts Jakob Lell and Karsten Nohl warned at an international “Black Hat” conference in August 2014 that “we consider USB to be otherwise perfectly safe — until now.”
Thumb drives “can be reprogrammed to spoof various other device types in order to take control of a computer, exfiltrate data, or spy on the user,” Lell and Nohl said.
Alex McGeorge, head of threat intelligence for the IT security company Immunity, Inc., said he doubted if Clinton followed any of the rules governing thumb drives.
“When you’re dealing with a security investigation, people will be very quick to say, ‘I did this by the book.’ The fact we haven’t heard that to me is generally pretty suspicious or a reasonably good indicator that she didn’t.”