The FBI investigation into Hillary Clinton’s private email server found no evidence that her communications were hacked while she was secretary of state, but it made clear that “hostile actors” here and abroad could have done so.
Clinton “used her personal email extensively while outside of the United States,” FBI Director James B. Comey said, including “in the territory of sophisticated adversaries.”
It was “possible” that they accessed her account, he said. But “given the nature of the system and the actors potentially involved, we assess we would be unlikely to see such direct evidence.”
The finding, like others reached by the FBI, leaves the door open for ongoing accusations that Clinton may have allowed sensitive information to fall into the hands of Russia and China — both of which she visited on a number of occasions — or even Iran and North Korea.
If malign outsiders didn’t get into Clinton’s account, however, it was not for lack of trying.
“Don’t email HRC anything sensitive,” aide Huma Abedin messaged Clinton chief of staff Cheryl D. Mills and deputy chief Jake Sullivan at 1:31 a.m. on Jan. 10, 2011. The day before, Abedin was twice told via emails from Justin Cooper, a Bill Clinton aide who set up the original private server in 2009, that he had shut the system down because of hacking attempts.
According to a May report by the State Department inspector general, another email exchange between two members of Clinton’s “immediate staff” later in 2011 discussed a message she received “with a suspicious link.”
Hours later, the report said, Clinton “received an email from the personal account of then-Under Secretary of State for Political Affairs that also had a link to a suspect website. The next morning, Secretary Clinton replied to the email . . . ‘Is this really from you? I was worried about opening it!’ ”
None of these “cybersecurity incidents” were reported to internal authorities, as required by department guidelines, the report said.
Hackers believed to be linked to Russia have repeatedly tried to enter unclassified State Department and White House email systems with “phishing” attempts, which try to gain access by luring the recipient into opening an attachment or a link containing malware within a seemingly innocuous communication. In a recent radio interview, former defense secretary Robert M. Gates said that the Pentagon “acknowledges they get attacked about 100,000 times a day.”
Russian government hackers succeeded in penetrating the Democratic National Committee, and Director of National Intelligence James R. Clapper Jr. said officials had seen attempted hacks of presidential campaigns. He did not specify who was targeted or whether the attempts were successful.
Comey said that “any reasonable person” should have known better than to use an unclassified system to communicate what the FBI determined included some top-secret information.
While investigators found no evidence that Clinton’s account had been accessed, “we do assess that hostile actors gained access to the private commercial email accounts with whom Secretary Clinton was in regular contact from her personal account,” Comey said. Her use of “a personal domain was both known by a large number of people and readily apparent.”
But, he said, the investigation found no indication of intentional mishandling, or “vast quantities of information exposed in such a way to support an inference of intentional misconduct or indications of disloyalty to the United States or an obstruction of justice” — as was the case in some other investigations, which led to prosecutions.
“Although there is evidence of potential violation of the statutes regarding the handling of classified information,” Comey said, “our judgment is that no reasonable prosecutor would bring such a case” against Clinton.
Among government agencies, he indicated, the investigation found that the State Department was especially vulnerable to hacking.
“While not the focus of our investigation,” he said, “we also developed evidence that the security culture of the State Department in general, and with respect to use of unclassified email systems in particular, was generally lacking in the kind of care for classified information found elsewhere in the government.”
That provoked a sharp response from State Department spokesman John Kirby, who said that while “we’re always looking for ways to improve,” the department did not “share that assessment that there is a lax culture here when it comes to protecting classified information. We take it very, very seriously.”
But Susan Hennessey, a Brookings Institution fellow in national security law and formerly a lawyer in the National Security Agency’s office of general counsel, cited “the State Department’s reputation for not being an information security team player.” Writing on the Lawfare blog, Hennessey said that reputation “predates Secretary Clinton’s tenure and endures beyond it, and deserves far more attention than it has received amidst the sordid political posturing of this whole investigation.”
Charges that security breaches must have taken place have been regular fare during the presidential race. In a speech last month, presumptive Republican nominee Donald Trump said that Clinton’s server “was easily hacked by foreign governments — perhaps even by her financial backers in Communist China — putting all of America in danger.”
Asked in an interview for the basis of that charge, Trump told NBC News that “I think I read that, and I heard it, and somebody also gave me that information.”
Sen. Ron Johnson (R-Wis.), who chairs the Homeland Security and Governmental Affairs Committee, called Clinton’s email practices “reckless and dangerous.”
“You have to assume that our enemies and our adversaries had access to every email that ever went over her private server,” Johnson said in a May appearance on CBS’s “Face the Nation.” “Did it affect their actions as . . . it related to, for example, Vladimir Putin’s invasion of Crimea or eastern Ukraine? What about the negotiations with Iran? What about [Syrian President Bashar al-]Assad?”
In a letter last fall to a company that he said provided a “threat monitoring” device for Clinton’s server, Johnson said a committee investigation had indicated hacking attempts originating from China, South Korea and Germany, among others.
Asked last fall about possible security risks with the private server, President Obama told CBS’s “60 Minutes,” “I don’t think it posed a national security problem.”
When Clinton was confronted on a rope line during a campaign stop in January with a question about whether her email was hacked, she replied, “Yeah, it’s totally untrue,” and moved on.
Carol Morello contributed to this report.