Audits and Clinton’s Email

Rob Enderle

I’ve shared that I’ve been in law enforcement and I ran a field audit organization for IBM. Most parts of performing an audit aren’t a great deal of fun but doing security audits, email audits and expense report audits were the great dessert after an otherwise largely unpalatable meal. This is because, with a security audit, I got to play bad guy and attempt a breach; in expense audits, I saw a lot of crazy stuff and exposed a lot of outright theft; and in email audits, I generally found out what was really going on in the company, including who was sleeping with whom. However, I also found that some people were beyond punishment.

Actions that would have lower-level managers and employees fired and perhaps sued would result in a reprimand or less to a CEO or critical VP. I can speak from experience in saying that kind of thing really tended to piss the auditors off because it made it look like we were going easy on those in power but were relishing in the pain of folks who were closer to being our peers. But these decisions were never ours to make. Generally, it was an override by the CFO or Audit Director. There were several instances when they made it clear that while they wouldn’t stop my team from making a recommendation that we thought more appropriate, it would cost us all our careers.

The way we slept at night is that we laid out the evidence unaltered, but then gave the recommendation we were told to give. So it was with great interest that I watched the FBI director share his findings today in his organization’s probe of Hillary Clinton’s email practices.

Here are my thoughts.

Auditors and Evidence

As I wrote earlier, Clinton’s statement that nothing she put on her server was classified because it wasn’t marked classified was false. Information is classified by its nature, not by words placed on the bottom of the document. If this was not so, someone inside a company who wanted to share classified information or who just didn’t want to go through the trouble of properly protecting it could simply leave the classification statement off the document. In a security audit, a user would not only be penalized for not protecting the information, but for not properly classifying it in the first place.

During FBI Director James Comey’s report, he pointed out an impressive number of violations. He left no doubt that laws surrounding the treatment of confidential information were violated repeatedly and that Secretary Clinton should have known, at the time, that she was in violation.

Intent is often hard to prove; in this case, one part that was addressed only in passing in today’s report was that it was Clinton’s decision that created the private email servers and that should be foundational to the concept of “intent.”

One other word in the report stood out to me. During the presentation, when pointing out that the email server and devices weren’t properly secured and traveled into areas where breach skills are pronounced and very capable, Comey said a breach was “possible.” Generally, you use the word possible if you have a potential exploit but no evidence of anyone who would use it. In this case, the word used should have been “likely.” Without a tool like Varonis, which monitors unauthorized access actively in a relatively unsecure server, the chance of finding evidence of a breach would have to come from a disclosure by the breaching entity. There was no mechanism in that server to track access activity granularly enough to catch a well-executed breach.


In my opinion, the same goes for the discussions on deleted email. Comey’s team found no evidence that the emails had been purposely deleted. But unless someone confessed to doing so, which apparently no one did, there is no way to know for sure. However, Comey went to some trouble pointing out that a lot of the deletions were done by attorneys who not only understand discovery but would have understood the need to preserve legal records. To me, this implies wrongdoing even while stating none was found.

Auditor Recommendations

This is where it gets interesting. I’d argue that Clinton should have been indicted, but I’m coming at this as an ex-auditor, not a political appointee or politician. Clearly I was overridden a number of times in my own career. In theory, this decision should speak to the good of the country, and punishment in cases like this is designed to be a deterrent and reminder that certain rules are immutable regardless of rank. I believe very firmly that when an executive is given a pass for something that a subordinate would be fired for, it sends a message to the executive team that rules don’t apply to them, and that leads to additional abuses of power.

If an offending executive had already departed and no actual monetary damages were confirmed to support a civil suit (which would only be likely in extreme cases), it is likely nothing would have resulted. However, if he or she were being considered for CEO, they would most certainly be dropped from that list. The board would be unwilling to take a risk that this behavior would recur because it would imply that they were negligent and thus potentially personally liable.

Comey, at the end, basically said his recommendation was based on what a prosecutor was likely to do. This is highly unusual; typically an auditor recommends based on the evidence, not based on what he or she thinks someone will do with it. The clear implication is that the recommendation here is the one the Justice Department wanted. Overall, the announcement was masterfully worded, conveying far more between the lines than you would have expected.

Wrapping Up: Applying Rules

In my opinion, this report from the FBI sends the message that rules are mutable and that they simply don’t apply to those high enough in government to have the secret privilege of treating them as options. To go farther and seemingly bless a run for President would seem to encourage decisions like this, leading to more abuses.

But this isn’t a company, it is a government, and I’m no expert on how that game is played. In the end, all I can say is that Director Comey did lay out the facts briefly and well, leaving it to us to determine our own opinions on whether the outcome is fair and best for the nation.

Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm.  With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+



Add Comment      Leave a comment on this blog post

Post a comment

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

null
null

 

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.