The State Department under Hillary Clinton was among the worst agencies in the federal government at protecting its computer networks, a situation that is partly responsible for the successful breach by Russian hackers into the department’s email system, according to independent audits and interviews.
The State Department’s compliance with federal cybersecurity standards grew worse every year of Clinton’s tenure, according to an annual report card compiled by the White House based on audits by agency watchdogs. Network security continued to slip after Kerry replaced Clinton in February 2013, and remains substandard, according to the State Department inspector general.
In each year from 2011 to 2014, the State Department’s poor cybersecurity was identified by the inspector general as a “significant deficiency” that put the department’s information at risk. The latest assessment is due to be published in a few weeks.
Clinton, the front-runner for the Democratic presidential nomination, has been criticized for her use of a private email server for official business while she was secretary of state. The FBI is investigating whether her home server was breached by hackers.
State Department officials don’t dispute the compliance shortcomings identified in years of internal audits. Senior department officials in charge of cybersecurity would speak only on condition of anonymity.
In December 2013, IG Steve Linick issued a “management alert” warning top State Department officials that their repeated failure to correct cybersecurity holes was putting the department’s data at risk.
Based on audits by Linick and his predecessor, Harold Geisel, State scored a 42 out of 100 on the federal government’s latest cybersecurity report card, earning far lower marks than the Office of Personnel Management, which suffered a devastating breach last year.
In late 2014, cyberintruders linked to Russia were able to break into the State Department’s email system, infecting it so thoroughly that it had to be cut off from the Internet in March while experts worked to eliminate the infestation.
Clinton approved significant increases in the State Department’s information technology budgets while she was secretary, but senior State Department officials say she did not spend much time on the department’s cyber vulnerabilities. Her emails show she was aware of State’s technological shortcomings, but was focused more on diplomacy.
Clinton’s campaign staff did not respond to repeated and detailed requests for comment.
Emails released by the State Department from her private server show Clinton and her top aides viewed the department’s information technology systems as substandard and worked to avoid them.
Under Clinton and Kerry, the State Department’s networks were a ripe target for foreign intelligence services, current and former government officials say, echoing the situation at OPM, which last year saw sensitive personnel data on 21 million people stolen by hackers linked to China.
The Russian hackers who broke into State’s email system also infiltrated networks at the Defense Department and the White House, officials say, and no clear line can be drawn between their success and State’s dismal security record.
But as with OPM, State’s inspector general identified many of the same basic cybersecurity shortcomings year after year, and the department failed to correct them, records show.
Those officials, and many others interviewed for this story, declined to be quoted because they were not authorized to address the matter publicly.
Although the hacked email system was unclassified, State Department personnel regularly use it to communicate very sensitive information. It would be valuable intelligence for a foreign adversary, officials say.
The Associated Press contributed to this story.