The private e-mail server used by Hillary Rodham Clinton all but certainly lacked the level of security employed by the government and could have been breached fairly easily by determined foreign intelligence services, national security and cyber experts said.
In the wake of last week’s revelation that Clinton used a private e-mail account as secretary of state, critics have questioned whether that decision left sensitive government communications vulnerable to hackers. At a news conference Tuesday, Clinton said the server was set up for her husband, former president Bill Clinton, at their house in Chappaqua, N.Y., which she said was guarded by the Secret Service.
“I think . . . the use of the server . . . certainly proved to be effective and secure,” she said.
But such assurances have not persuaded technical experts.
“The layers of security that would have to be employed to make a privately run exchange server as secure as something that is secured by the federal government would be pretty significant,” said Timothy Ryan, a former FBI supervisory special agent who now manages cyber investigations for Kroll. “It’s not that it can’t be done. I just find it improbable.”
In a question-and-answer sheet released Tuesday, Clinton’s office stated that “robust protections” were put in place and “upgrades and techniques employed over time as they became available, including consulting and employing third party experts.”
The office said “there is no evidence there was ever a breach” of the server.
Some experts said it’s impossible to know for certain whether that’s the case. Clinton, according to at least one forensic account, was using a standard commercial server running on Microsoft software that, like any widely available software, has been found to have vulnerabilities.
“If all that she had was standard technology . . . it would be merely a speed bump for a sophisticated adversary to gain access to everything there,” said Richard C. Schaeffer Jr., a former director of information assurance at the National Security Agency.
Federal e-mail systems are hardly impervious to hackers. In November, the State Department shut down its unclassified e-mail system after finding evidence that hackers had burrowed in. Clinton herself recognized the government’s vulnerability to hackers, noting in her 2014 memoir, “Hard Choices,” that the department “was frequently the target of cyber attacks” and officials “had to fend off intrusions in their email and increasingly sophisticated phishing attempts.”
Some experts said that the contention that government e-mail servers are more secure is a fallacy. And one former NSA official said a private e-mail server could have provided Clinton with at least one advantage: obscurity.
“By having a separate [private] e-mail system, you essentially filter out 90 percent of the attackers,” said the former NSA official, who spoke on the condition of anonymity because his current employer has not authorized him to speak for the record. The State Department system, by contrast, he said, “is a big, fat, honking bull’s-eye to aim at.”
Even so, Clinton’s e-mail account would not have remained completely off the radar of potential hackers. She was communicating with other department officials, who would be targets.
“On a [target] scale of 1 to 10, she’s a 10,” said Schaeffer, who is now in the cybersecurity industry. “When you think of treaties, trade negotiations, anything that the secretary of state would be involved in, she would be an incredibly lucrative target — maybe even more so than the president.”
Because Clinton traded e-mails with other top officials, as well as with President Obama, foreign spy services could have also attempted to spoof her account and send recipients malicious software in an effort to compromise their accounts, said Christopher Soghoian, principal technologist at the American Civil Liberties Union.
Clinton said Tuesday that she did not e-mail classified material with her personal account.
P.J. Crowley, a former State Department spokesman who worked with Clinton, said classified discussions with her took place largely in person and over the phone rather than by e-mail. When he e-mailed with her, he said, “for the most part I was giving her perspective on things that were in the public domain.”
Still, even unclassified e-mails would be of interest to a spy service — the NSA tapped the personal cellphone of German Chancellor Angela Merkel — because of the information it could glean about Clinton, her activities and her associates’ activities. Often disparate pieces of unclassified data, when assembled, can yield useful insights, intelligence analysts say.
Some experts say it takes great discipline for a public official to keep sensitive information out of e-mails entirely. “I believe it’s very likely that — even inadvertently — there’s classified information in those e-mails,” said J. William Leonard, former director of the Information Security Oversight Office at the National Archives.
He added that the government term for that is “spillage” — when someone introduces, often inadvertently, classified information into an unclassified system.
Julie Tate contributed to this report.