Why the State Department is so bad at security

FBI Director James Comey makes a statement at FBI headquarters in Washington, Tuesday, July 5, 2016.
Cliff Owen | AP

In the process of essentially exonerating Secretary Hillary Clinton's use of a personal email system, FBI Director James Comey nevertheless slammed the State Department's email security and handling of classified documents.

People who spoke to CNBC said that State has, for a long time, shown a disturbing lack of seriousness about information security. While some of this can be attributed to the nature of the agency's mission — "We're required to be outward-facing, we're required to communicate, we're required to foster dialogue," said agency spokesman John Kirby — other patterns of behavior are less explicable, they said.

One former government employee told CNBC the problem is endemic.

"I completely agree that the State Department has a lax approach to security," said a former U.S. federal employee who worked with the State Department on classified things and spoke to on condition of anonymity. "I experienced it several times myself in terms of their handling of classified information both in print and in speech."

At a meeting at a major State Department facility, he asked what level of classification the group could speak to — different rooms are approved to handle different levels of classification — and nobody knew.

"It was not something that anyone at the State Department even thought about," he said. "It is just how the place runs — not how it runs under Clinton or under [Condoleezza] Rice, it is just how the place was run since forever."

The State Department on Tuesday vehemently denied that a lackadaisical approach to security was endemic. Despite Clinton's email practices at the State Department, many people followed the rules, said Kirby. "We don't share the broad assessment that there is a lax culture here at the State Department when it comes to dealing with classified information. In fact, quite the contrary; we take it very seriously," he said.

We're required to be outward-facing, we're required to communicate, we're required to foster dialogue.
John Kirby
State Department spokesman

Government employees are approved to discuss matters at different levels of classification — from "confidential" to "secret" and "top secret." It was not uncommon for State Department employees not to check into the classification of information before speaking about it, the former employee said.

The perception is pervasive enough that the intelligence community is skeptical about working with State Department employees, he said. There were some parts of the agency that were known to be trustworthy, such as its internal intelligence analysis team, and others they preferred not to work with.

"The average foreign service officer, the average State Department employee, is viewed cautiously," he said. "I would not say that it is a huge monkey wrench in the whole operation, you just have to be circumspect."

Other security experts, who have worked within government and as government contractors, reinforced the FBI's finding that the State Department's practices were not up to snuff. Ben Johnson — a former NSA employee — ranked the NSA, CIA and FBI above the State Department in terms of cybersecurity.

"The ones that are really into more of the espionage lines of business are typically more secure, because that is what their main focus is, the gathering of intelligence or the protecting of intelligence," said Johnson, now chief security strategist of cybersecurity firm Carbon Black.

Johnson cited a lack of confidence in the security of the systems they are using as one reason employees might decide to "blaze their own path."

"There are two sides to this — employees trying to circumvent the system there because they do not think there is enough security, or because there is too much security and it is hurting their productivity," he said.

Vinny Troia spent eight years working for the Department of Defense as a security architect and now runs his own security firm, Night Lion Security. Troia said he understands why Clinton and her team opted for convenience over security. The DoD's security policies are among the most stringent and, at times, hampered productivity, he said.

"Having to deal with all the security procedures is incredibly inconvenient, but that is the whole point," he said. "It is not supposed to be this free and open system."

In general, government agencies have been moving in the right direction when it comes to improving security, said James Scott, a senior fellow with the Institute for Critical Infrastructure Technology, a technology and cybersecurity think tank. That makes the FBI's findings in this case particularly shocking, he said.

"When you are not using the layered security required for mitigating the elevated risks that come with a high-profile job, you are compounding the likelihood that those adversarial forces trying to hack you will be successful," said Scott.

Having to deal with all the security procedures is incredibly inconvenient, but that is the whole point.
Vinny Troia
Night Lion Security CEO

The State Department's Kirby highlighted the agency's dual email system — two separate networks for email traffic set up to handle various degrees of sensitive information. He also outlined the training employees are subjected to regarding security and the handling of sensitive information.

"I don't think it's useful to compare each and every federal agency with the way they do this, because each of them have different responsibilities in terms of the information environment," he said.

Is Comey's call on Clinton emails right?

When it comes to the particular challenges the State Department faces, many experts agreed that its top officials had a greater challenge than most. They are constantly bombarded with information — both classified and unclassified — while traveling around the world, operating in a fast-paced environment, often using mobile devices.

"It becomes very difficult to keep everything straight," said Forrester government customer experience analyst Rick Parrish. "Federal agencies need to create a better customer experience for senior policymakers."