Hillary Clinton is spreading a dangerous belief in her defense of a private email server. Her defense upon the discovery of classified material that was shared with people who didn’t have the appropriate credentials was that the information wasn’t classified at the time. This creates the belief that it is OK to share information before it is officially classified. I can, as an ex-security auditor, tell you that if you do this and get caught, there is a high probability that you’ll be fired on the spot and you may even face criminal charges. Recent revelations suggest that staffers may have illegally stripped confidential classifications off of email and if that proves true, we will likely see criminal charges filed against those individuals.
Classifications are a way to help people understand how to protect critical pieces of information, but the rules that surround this information supersede the classifications. This is a very important point to understand; otherwise, you are likely to do something that could not only get you legitimately fired -- you might actually end up in jail.
This goes to one of the important reasons why companies use a solution like Varonis: to make sure that folks won’t share information they don’t realize is classified and thus put themselves and the firm in danger. But the tools only help enforce policy. If the policy itself is corrupted, all the tool does is create evidence of a crime.
Let me explain.
One of the ways people get fired in a security audit is by sharing classified information with folks who are not approved to see it. This can happen at all levels. You may recall that HP actually fired a board member for leaking classified information in a sequence of events at the heart of a massive board change (check out the book on this called The Big Lie). If you share this information with a competitor, you can be charged with IP theft, which is generally a felony. And if you share it with an investor, it is insider trading, which has both jail time and substantial fines as punitive remedies.
One of the ways people try to get around this is by under-classifying information, assuming that if the classification allows sharing, they can’t be prosecuted. What they don’t realize is that, much like you don’t have to put the word blue on the color blue in order for it to be blue, you don’t have to put the words Classified, Secret or Top Secret on something for it to fall into the policy category protected by the title.
For example, let’s say the CEO sends a memo to the CFO about acquiring a company and doesn’t physically have a classification on it, but policy dictates that discussions on acquisitions are classified Top Secret. The nature of the content classifies the information. Now the executives can get dinged in an audit for not marking the note with the proper classification, but the CFO’s staff is still not allowed to take this memo and share it with all their friends. Because of the nature of the content, the memo is classified; the words are only added to help keep people from doing something stupid. Granted, they also help with litigation against third parties who make use of the information (which is why you punish folks who don’t accurately classify documents).
Clinton maintains that the information she shared that was classified wasn’t classified when she shared it. This is not possible because the classification is automatic by class. Just because the information wasn’t officially marked classified doesn’t mean it wasn’t classified, it just means it hadn’t been labeled yet. In the same way you don’t have to put a sign on a table to identify it as a table, from the standpoint of policy and enforcement, you don’t have to put the classification words on a document or email that should be classified. Arguing otherwise suggests it is OK to share classified information that isn’t labeled classified. Not only is that wrong, it would typically result in termination, particularly if it were found that you rushed to share this information before it had been officially classified.
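The principle in the two paragraphs above, that the nature of the content sets the classification and the marking only records it, is what a content-aware classification tool enforces. The following Python is an added illustration written for this article, not code from the article or from Varonis or any other product; the levels, the content rules, the "[Level]" subject marking convention and the sample messages are all hypothetical and constructed here. It computes the effective level as the stricter of the author's marking and the content-derived floor, so an unmarked or under-marked acquisition memo is still treated as Top Secret, and it flags the two audit conditions the article describes: content that was never labeled, and content whose label is lower than policy requires.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Classification levels, least to most restrictive (hypothetical scheme).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]

# Hypothetical policy table: the subject matter sets a floor on the level,
# whatever marking (if any) the author applied. Patterns are constructed.
CONTENT_RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\b(acqui(?:re|ring|sition)|merger|takeover)\b", re.I), "Top Secret"),
    (re.compile(r"\b(earnings|revenue forecast|quarterly results)\b", re.I), "Secret"),
    (re.compile(r"\b(salary|performance review|personnel file)\b", re.I), "Confidential"),
]

# Assumed marking convention: a bracketed level at the start of the subject.
LABEL_RE = re.compile(r"^\s*\[(Unclassified|Confidential|Secret|Top Secret)\]", re.I)


@dataclass
class Finding:
    effective_level: str          # what policy says the message is
    labeled_level: Optional[str]  # what the author wrote, if anything
    status: str                   # "ok", "unlabeled" or "under_labeled"


def rank(level: str) -> int:
    return LEVELS.index(level)


def normalize(level: str) -> str:
    """Map a case-insensitive match back to the canonical spelling in LEVELS."""
    return next(l for l in LEVELS if l.lower() == level.lower())


def labeled_level(subject: str) -> Optional[str]:
    m = LABEL_RE.match(subject)
    return normalize(m.group(1)) if m else None


def content_floor(text: str) -> str:
    """Highest level any content rule assigns; Unclassified if none matches."""
    floor = "Unclassified"
    for pattern, level in CONTENT_RULES:
        if pattern.search(text) and rank(level) > rank(floor):
            floor = level
    return floor


def evaluate(subject: str, body: str) -> Finding:
    label = labeled_level(subject)
    floor = content_floor(subject + "\n" + body)
    # The effective level is the stricter of the marking and the content floor:
    # a missing or low marking never lowers what the content already is.
    effective = floor if label is None else LEVELS[max(rank(label), rank(floor))]
    if label is None and rank(floor) > 0:
        status = "unlabeled"
    elif label is not None and rank(label) < rank(floor):
        status = "under_labeled"
    else:
        status = "ok"
    return Finding(effective, label, status)


def may_share(finding: Finding, recipient_clearance: str) -> bool:
    """Release decision uses the effective level, never the label alone."""
    return rank(recipient_clearance) >= rank(finding.effective_level)


# Constructed sample messages (not real correspondence).
SAMPLE_MESSAGES = [
    ("Next steps", "Let's talk tomorrow about acquiring Acme Corp before the board meets."),
    ("[Confidential] Board prep", "Attached: merger model and revenue forecast."),
    ("[Top Secret] Acme", "Acquisition term sheet v3."),
    ("Lunch", "Cafeteria at noon?"),
]


def audit(messages=SAMPLE_MESSAGES) -> List[Finding]:
    return [evaluate(subject, body) for subject, body in messages]


if __name__ == "__main__":
    for (subject, _), f in zip(SAMPLE_MESSAGES, audit()):
        print(f"{subject!r:32} label={f.labeled_level!s:12} "
              f"effective={f.effective_level:12} {f.status}")
```

Run as a script, the first message (the unmarked CEO-to-CFO acquisition memo from the example above) comes out as Top Secret with status `unlabeled`, and the second, marked Confidential but discussing a merger, as Top Secret with status `under_labeled`; `may_share` then refuses either to anyone cleared below Top Secret. The design point is that the release check consults `effective_level`, so stripping or omitting a marking changes the audit finding but not the sharing decision.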
Granted, without the classification marking, if you were to fire or file criminal charges against an employee, they could argue that they didn’t know it was classified (removing intent) and could contest whether it should have been classified in the first place. Clinton isn’t arguing that the information shouldn’t have been classified but that it simply wasn’t at the time she shared it, and that alone isn’t a valid defense. And while it may work for her, the word “may” is emphasized; it wouldn’t work for you or me. We’d get fired or worse.
Wrapping Up: Protect Your Information and Yourself
Generally, in organizations both public and private, assume inside information is at least confidential unless it has been officially declassified, and even then, if it looks like it should have been classified, check with the owner or creator of the information to make sure the declassification wasn’t a mistake. Know the classification levels in your organization, because if a piece of information isn’t physically marked or is under-classified and you share it, you could still be fired, sued or criminally charged. (I had a friend who was criminally charged for taking classified material home to work on that wasn’t physically marked as classified. She was eventually cleared, but she spent one night in jail.)
It has never been more important to have some way of assuring proper classifications and that only people who are approved to get information get access to it. We have a lot of information theft, particularly identity theft, going on at the moment (I’ve had my credit cards stolen three times already this year, which suggests a number of firms are leaking badly).
In the end, ignorance of a law is not a good defense, and neither is ignorance of a classification.
By the way, if an executive had their own email server for business use, that alone would be a significant infringement because the executive couldn’t prove it never received confidential information, which would be the only possible defense given that the server could not comply with security classification policy. I have seen people remove classifications both to make jobs easier, and because they wanted to take confidential information with them to a new job. I’ve never seen this end well for the person who did it or the folks who knew and didn’t report what they were doing.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+