Debating Hillary's Email Server: The Missing Element
Cybersecurity Expert Eugene Spafford on the Fundamental Security Concerns
Missing from the analysis and debate regarding the U.S. government's decision not to prosecute presumptive Democratic Party presidential candidate Hillary Clinton for using a private email server while secretary of state is this simple fact: Secure IT systems aren't tailored to function the way people behave.
Rightly or wrongly, Clinton wanted to combine her work and personal emails into a single system, an unsecured one she controlled and situated in her Chappaqua, N.Y., home. Clinton isn't alone. Many of us combine work and personal emails, especially in an era of mobile computing. But many systems, such as the highly secure one run by the State Department, aren't designed to allow such functionality.
"There's been a huge amount of finger pointing and angst and complaining whether the rules were followed or whether they weren't, about pointing out other individuals in previous administrations who have done the same or worse with less consequence," Purdue University Computer Science Professor Eugene Spafford says in an interview with Information Security Media Group.
"But I haven't heard anyone talk about going back and looking at what are the fundamental reasons these things happen and giving some thought to at least asking if the rules are appropriate, if the procurement and email support for high-level officials is appropriate and how we should be doing all of this better to avoid these kinds of problems in the future," Spafford says. "I think this is more politically driven than it's functionally driven because if it were functionally driven, people would say, 'What are the root causes, and how do we fix them?' rather than trying to assign blame."
In my conversation with Spafford, he explains why:
- Technologists should build secure systems that facilitate the way people function on the job;
- Many military leaders circumvent rules to get the job done on the battlefield;
- He turned down an assignment with the federal government because of an antiquated email system he would have had to use that would have interfered with the way he could do his job.
Recognized as one of the nation's leading authorities on cybersecurity, Spafford was named to the Cybersecurity Hall of Fame in 2013. His current research interests focus on issues of computer and network security, cybercrime and ethics, technology policy and social impact of computing. He is the founder and executive director of the Center for Education and Research in Information Assurance and Security, which draws on expertise and research across many of the academic disciplines at Purdue.