Hillary Clinton's 'matter of convenience'

"It was a matter of convenience." With those words, former Secretary of State Hillary Clinton removed any shadow of doubt that she belongs to a different era, far removed from the Cyber Age we now find ourselves in. Oh sure, she can certainly tweet and share posts on Facebook like the rest of us, but we haven't and we shouldn't elect presidents based on whether or not they have mastered the mechanics of social media. It's not about the mechanics. It's about much more. The future of the nation depends on its leaders — and those who want to lead — developing a far deeper understanding of the cyber world.

Presidents in the Cyber Age need to be masters and developers of cyber policy, and that means they need to have a basic understanding of cybersecurity. For the third year in a row, the director of national intelligence has said that cyberattacks are the greatest danger facing the U.S., beating other threats like terrorism and the risk of an all-out war for that dubious distinction. In her Tuesday news conference, Clinton attempted to assuage concerns about her use of private email accounts while she was secretary of State, a seemingly trivial and inconsequential matter. The problem is that things cyber are rarely trivial and inconsequential.

Allow me to explain. I understand why Clinton would like the convenience of having one device handling all of her emails. I thought the same thing when I was a squadron commander and when I served on the Joint Staff in the Pentagon. In both assignments, I used two phones. One was for official business, issued by the government. The other, my own, I used strictly for private conversations and, later, emails. But, as they say, "rules were rules," and we Department of Defense types were under strict orders never to mix private and public communications. So we did the right and simple thing — we followed the rules.

If Clinton had wanted to enhance her "cool quotient," she could have said that she did BYOD (Bring Your Own Device) before BYOD was cool (and the bane of corporate IT departments everywhere). At least if she had said that, she could have shown that she understood some of the trends shaping the communications and security landscapes of our time. But she did not do that. Instead, we heard tortuous, yet insufficient, explanations of what she had done and why.

One of the most prominent targets of foreign espionage efforts is the secretary of State. Even if Edward Snowden's revelations were only half true, you can surmise that intelligence agencies spend a lot of time and effort trying to figure out what a secretary of State or foreign minister is thinking and doing. Why wouldn't these agencies go to the source and, if they found weaknesses in our communications and cybersecurity, exploit them?

Clinton's assertion that her server had not been penetrated and her emails had not been compromised is not provable. It took Target months to figure out that they'd been hacked. The same is true for Home Depot. JP Morgan spends over $250 million a year on cybersecurity — and they plan to double that amount. In spite of their best efforts, they still get hacked, but they have legions of cybersecurity professionals patching and remediating these attacks. I'm pretty sure that Clinton does not have that kind of a bench protecting her server. And even if she did, the average hack isn't detected for 300 days, no matter how many people you employ or anti-virus systems you deploy to thwart the hackers.

Clinton appeared to conflate the requirements of physical security with those of cybersecurity. She pointed out that, since the server she used was originally set up for President Bill Clinton's use, it was in a facility protected by the Secret Service. That's wonderful for the physical protection of that asset, but it does not explain how the server was protected from cyber threats. Cyber threats happen no matter what physical protections are put in place. In fact, physical protections are often irrelevant.

There are reports that data on the server were encrypted, but, if these reports are true, how was this done and to what standard? Were the data protected while the server was "at rest" or while it was being used or both? Were measures in place to determine if data were being siphoned off for no plausible reason, a hallmark of some cyberattacks? And many cybersecurity professionals would ask: "What do your logs say?"

None of these questions were answered Tuesday. We are simply left with platitudes trying to get us to "move along" when all of the germane questions remain unanswered. The Cyber Age demands something different from its leaders. If Clinton is striving to be our top leader, she needs to show us she understands this by providing us with answers that reflect the reality of the Cyber Age.

Leighton is a retired career Air Force intelligence officer and is currently chairman of Cedric Leighton International Strategies.