Just how secure are private email servers? Hint: not very

Published Aug. 14, 2015

WASHINGTON — In the Wild West world of cyberspace, could a semi-secret private email server be more secure than a government system? Not likely.

Federal agencies are under intense scrutiny for failing to fend off hackers in several major cyberattacks, including an intrusion at the Office of Personnel Management that produced one of the largest online data thefts in U.S. government history. But in spite of these lapses, experts said that private email servers like the one used by Hillary Rodham Clinton when she served as secretary of state are typically much worse off when it comes to cybersecurity.

The FBI is now looking into Clinton's set-up — her homebrew server was turned over to authorities Wednesday afternoon — after intelligence officials expressed concern that classified information might have been compromised in connection with the system.

The referral from the intelligence community's inspector general stated that some of Clinton's emails should have been "transmitted via a secure network" because of their content, a reminder that the server in Clinton's Chappaqua, N.Y., home was not specifically equipped to handle classified information.

The memo seems to add credibility to fears that the system was inferior to the State Department networks when it came to cybersecurity. While there is no evidence that hackers had access to Clinton's server, experts agreed that the system likely came under attack and that some intruders might have indeed broken in.

"As the secretary of state, she was a high-profile target and would have gotten the attention of elite hacking teams," said Richard Bejtlich, chief security strategist at FireEye, a computer security firm.

"My view is: If you can't demonstrate the security of your system through aggressive monitoring of what is going on with it, you should just assume that it has been compromised," Bejtlich said.

The world of hackers — amateur, criminal and nation-state — moves at a pace and level of sophistication that was unthinkable a decade ago. Almost every system on the Internet gets probed for vulnerabilities at one point or another, posing risks to personal, corporate and government networks alike, experts said.

"At the end of the day, neither government nor private-sector servers are very secure," emailed Fred Cate, a law professor and cybersecurity expert at Indiana University. "That is the unfortunate but unmistakable bottom line."

Recent intrusions into federal systems show just how persistent and far-reaching cyberattacks can be, particularly when they come from nation-state adversaries.

News broke earlier this year that not only had Russian hackers infiltrated State Department networks, but they used that perch to penetrate parts of the White House system. China, meanwhile, is considered responsible for hacking databases at OPM and compromising information for 22 million people.

In an acknowledgment of the systems' vulnerability, Secretary of State John Kerry said Tuesday that it's "very likely" the Russian and Chinese governments are reading his emails.

"It is very possible," Kerry said in an interview with CBS Evening News. "I certainly write things with that awareness."

This is the environment in which Clinton was running her own email system, which lacked sufficient cybersecurity protections, according to several analyses by experts.

Configuring security on a server, keeping the software updated, ensuring encrypted access and educating users about proper use are big tasks, and they don't begin to approach the defensive measures used by government agencies and large companies, experts said.

Though they might be constantly under attack, government networks generally have a leg up on private systems when it comes to cybersecurity sophistication and resources, said Richard Stiennon, chief research analyst at IT-Harvest, an IT research firm.

"Any IT department has many more resources available to protect email servers," Stiennon wrote in an email.

"They can make sure patches to the operating system and the server software are applied," he wrote. "They have gateway firewalls to restrict access. They have logging and alerting if an attacker is poking around."

Government networks typically have quicker access to security fixes for their software, said Daniel Gerstein, former acting under secretary for science and technology at the Department of Homeland Security.

"The updates can take place in some cases in minutes and hours rather than hours and days," said Gerstein, now with the RAND Corp.