Sometimes you are asked to say something in your job that you disagree with.  The trick is to do it in a way that conveys this without letting the folks who gave you the direction know you aren’t really on board.   The reason this works is something we call confirmation bias, a tendency to hear what you expect or want to hear regardless of what is being said.   It is a masterful skill folks that do investigations have to learn if they want to both be honest with their work and keep their jobs. 

Preventing something like the Clinton email problem requires a special tool like Varonis and, in the end, I don’t think any company or organization wants to go through what the Obama administration is going through at the moment. 

Clinton’s Email Investigation

I was fascinated this morning as I watched FBI Director Comey walk us through the evidence.  It seemed damning.  Recall that this was the third part of a sequence of events.  First there was a covert meeting between Bill Clinton and the US Attorney General, then there was a disclosure that nothing regarding the ongoing email case was discussed, then there was pronouncement that the Attorney General wouldn’t be making a decision in the case (to offset what looked like a quid pro quo for keeping her job), but follow the FBI’s recommendations.  And finally there was a recommendation from the FBI, which seemed solely based on what they thought the Attorney General would have decided.   This last was particularly interesting because, typically, an investigating body simply makes a recommendation based on the evidence, they don’t parse it based on what they think a Prosecutor is likely to do.  And using historical precedence, in an area like cyber security, which changes monthly, seems particularly unusual and unwise. 

But it did appear clear that not only was the email server illegal but that it likely was breached repeatedly and that the documents at risk were, in contrast to Secretary Clinton’s testimony, classified at the highest levels.  Comey appears to be following orders that he didn’t seem to be in agreement with. 

I need to explain the breach comment because it seemed like he said there wasn’t a breach.  But what he actually said was they didn’t find one and there was no mechanism in place to detect one.   He did say the server wasn’t adequately secured and that the Secretary traveled to places (I expect he was referring to Russia, China etc.) known for both expertise in penetrating far more secure servers and with a very high interest in U.S. confidential correspondence.  In short, he detailed both motive and opportunity and implied multiple breaches given far more secure government properties had been breached. 

Classifications

One thing to take away from this is that classifications are made by the nature of the information not by whether a document is marked “classified”.   I was an internal auditor and when we discovered a sensitive document that had been mishandled but wasn’t classified there were two audit notes: one for the lack of protection of the document, and the other for under-classifying it.  So, remember, if you get an internal document that looks like it should be classified but isn’t and you tweet it you will still likely get fired likely along with the idiot that didn’t classify it.  

And in today’s age, the chance that an improperly classified document might make it to an intern or temp employee who might not know the risks of sharing it on social media is extremely high. So, when in doubt, treat the thing as if it were classified. 

Wordsmithing

Wordsmithing is an art. It can be used to improve clarity and content and it can, as in this case, convey two messages: the one you are ordered to convey and the one the speaker prefers.  It allows you to say one thing explicitly but convey a different meaning at the same time.   Obviously, you can use tone to do this but that can be a tad obvious and get you shot.  The real art is to use the structure of what you are saying to imply something very different than the words convey.  

The way Comey conveys the evidence then concludes with a recommendation that appears to channel the Attorney General is some of the best work I’ve ever seen.   The only thing he was light on was intent, but given Clinton was the one to make the decision on the email servers he had that going in. 

So basically he said that, were it up to him, she’d be charged but it isn’t so she isn’t.  It was brilliantly done.  

Prevention

One thing that came across very clearly, that the State Department and other agencies in government weren’t taking security very seriously.  In addition, even those that did seemed unaware that classified email was going to an unprotected server.  In short, once beyond blame, the goal should be to make darned sure this doesn’t happen again.

Wrapping Up: 

There were a number of lessons in from the FBI disclosure today.  It is no surprise that some folks are above the law – that is the nature of politics after all.   It did showcase how someone could say one thing and seemingly mean another.  I seriously doubt either Comey or Obama is pleased with what Clinton did; in addition to the cloud this places over them.   In the end, though, it once again highlights how much business goes through email and how critical it is to keep that business private.   If competitors, or in this case foreign governments, have access to these communications it may not be just be a competitive leak problem you have but an actual crime.   Granted, if you are high enough you might weather it, but I’ll bet Secretary Clinton is unlikely to do this again even though she wasn’t indicted this time.  And Comey, well he should teach a class in wordsmithing.

Though, I get the feeling, this is far from over.