The State Department's Office of Inspector General has released its report about Hillary Clinton's use of a private email server while she was secretary of state. Though the report uncovers no smoking guns -- no records of Clinton saying "Heh, heh, heh, they'll never FOIA my emails NOW!!!!" -- what it does lay out is deeply troubling, even though her supporters have already begun the proclamations of "nothing to see here, move along."
It lays to rest the longtime Clinton defense that this use of a private server was somehow normal and allowed by government rules: It was not normal, and was not allowed by the government rules in place at the time. "The Department's current policy, implemented in 2005, is that normal day-to-day operations should be conducted on an authorized Automated Information System (AIS), which "has the proper level of security control to … ensure confidentiality, integrity, and availability of the resident information."
It also shreds the defense that "Well, Colin Powell did it too" into very fine dust, and then neatly disposes of the dust. As the report makes very clear, there are substantial differences between what the two secretaries of State did:
- Powell says he set up a private email account, in addition to his internal account, because at the time the State Department "email system in place only only permitted communication among Department staff. He therefore requested that information technology staff install the private line so that he could use his personal account to communicate with people outside the Department." This is a quite plausible reason that, around the turn of the millennium, a secretary of state would have wanted to use his own account. Powell seems not to have done enough to ensure that those records were maintained, which is a problem (though it's not clear that he was aware that he should have turned those emails over). But as far as I can tell, the most plausible explanation of Clinton's behavior is that she set up her email server expressly to keep those emails from being archived as records (and subject to Freedom of Information Act requests), which is a great deal more problematic than setting up an inadequately archived email system because there's no other way to use an increasingly vital communications technology.
- Powell had an outside line set up in his office, into which he plugged a laptop, which he used alongside his State Department computer. The IT department was, in other words, aware that this was going on, and it seems to have come up in discussions of his drive to get everyone at State access to the Internet at their desk. While the quality of information about Powell's Internet usage is not as high as it is about Clinton's (after 10 years, memories fade, people become hard to contact, and records degrade), there's no indication that he was less than transparent with staff. But folks at State clearly had no idea what was going on with Clinton's email server and, troublingly, at least two people who asked about it were apparently told to shut up and never raise the subject again.
- Three things have changed pretty dramatically since Powell's day: the magnitude (and appreciation) of cybersecurity threats, the quality of the State Department systems and government rules surrounding both recordkeeping and cybersecurity. One can argue that Powell should not have used a private computer during his tenure, but he seems to have done so in consultation with the IT folks, at a time when the policy surrounding these things was "very fluid" and the State Department "was not aware of the magnitude of the security risks associated with information technology." By 2009, the magnitude of the risks was clear, and the policy was also much clearer. As far as the OIG could determine, Clinton took no action to ensure that she was in compliance with that policy, which, in fact, she emphatically was not. Officials at State told the OIG in no uncertain terms that they would not have approved her reliance on a personal email server.
- The OIG found only three instances in which State employees had relied exclusively on personal email: Powell, Clinton and Ambassador J. Scott Gration, U.S. emissary to Kenya from 2011 to 2012. Gration, who served under Clinton, was in the middle of a disciplinary process initiated against him for this email use (among other things) when he resigned. So it is impossible to argue not only that this was somehow in compliance with State's guidelines but also that Clinton might have thought it was in compliance, unless she somehow failed to notice when or why her ambassador to Kenya went missing.
- The OIG found evidence that the server was attacked and that Clinton's staff members (and presumably Clinton herself) were aware of it. (Clinton at one point seems to have expressed concern that people might be trying to hack her email.) These incidents should have been reported to computer security personnel, but OIG found no evidence that they were. Clinton's supporters have offered the wan defense that "attacked" doesn't mean "actually hacked," but of course, since they didn't report it, there was no timely investigation, so we don't really know what happened, or even whether her server setup and/or server administrator were sophisticated enough to detect a penetration had one taken place.
- This is the most profoundly amazing part of the whole story: Clinton's server administrator was hired by State as a political appointee, from which position he continued to provide support to Clinton's private email server during working hours, without telling anyone this was happening:
"The DCIO and CIO, who prepared and approved the Senior Advisor's annual evaluations, believed that the Senior Advisor's job functions were limited to supporting mobile computing issues across the entire Department. They told OIG that while they were aware that the Senior Advisor had provided IT support to the Clinton Presidential campaign, they did not know he was providing ongoing support to the Secretary's email system during working hours. They also told OIG that they questioned whether he could support a private client during work hours, given his capacity as a full-time government employee."
Clinton apparently paid him for the work, but it is impossible to believe that she didn't know this was happening (if her email malfunctioned during the workday, did she expect to wait until 8 or 9 that night for it to come back up?) or that she thought it was OK to hire your private server administrator as a political appointee (a diplomatic political appointee in the IT department?) and then have him keep an eye on your private server from his government office. This has an unpleasant whiff of Tammany Hall about it.
It's really hard to come away from reading this report thinking "Yup, just an honest mistake." Or indeed, "just a mistake, no big deal." Or even "no worse than others have done." I worked in bank IT for several years before I went to business school, and when this story first broke, I enjoyed an amusing hour or so envisioning what regulators would have said if we'd tried any of these sorts of excuses on them. Since then, I've had several such conversations with folks who are still laboring in the trenches of the securities industry, and their bitter laughter still rings in my ears. Why is Clinton being held to a lower standard?
Well, because she's a Clinton, and the Clintons have always acted as if the rules applied only to others. And given that Democrats boxed themselves into her name on the ticket so early on, Team Blue had little choice but to rally around and pretend that this is just a minor peccadillo, like forgetting to date the signature on your FEC filings. Lord knows, this election cycle, there's good reason to view this sort of behavior as the lesser of two evils.
But it isn't minor. Setting up an email server in a home several states away from the security and IT folks, in disregard of the rules designed to protect state secrets and ensure good government records, and then hiring your server administrator to a political slot while he keeps managing your system on government time is unacceptable behavior in a government official. If Clinton weren't the nominee, or if she had an R after her name rather than a D, her defenders would have no difficulty recognizing just how troubling it is.
That doesn't mean you necessarily have to prefer Trump to her. Back when I was surveying #NeverTrump voters, I heard from more than one conservative intelligence type who basically said "I think Clinton should be in jail for what she did, and I still think she's a better choice than Trump for the presidency."
Politics is not simply a team sport, and good government is possible only if we're willing to call out misbehavior no matter who does it. Even if we still hold our nose and pull the lever for the misbehaver come November.
About the Author