June 2, 2011: Chinese hackers are targeting Gmail accounts of senior US officials, but top Clinton aides keep using Gmail account for work.

The Google Gmail logo (Credit: Google)

The Google Gmail logo (Credit: Google)

Google Inc. publicly announces that hackers based in China are targeting the email accounts of senior US officials and hundreds of other prominent people. The attacks are on users of Google’s Gmail email service. If successful, the hackers are able to read the emails of their targets. (The Wall Street Journal, 6/2/2011) 

Clinton’s chief of staff Cheryl Mills conducts government work through her Gmail account. Philippe Reines, Clinton’s senior advisor and press secretary, has a government account and a Gmail account, and uses both for work. However, there’s no evidence Mills or Reines stops using Gmail for work after this news report. (Judicial Watch, 9/14/2015) (Politico, 10/5/2015) 

Furthermore, two days later, Mills indicates in an email that there was an attempt to hack her email: “As someone who attempted to be hacked (yes I was one)…” (CBS News, 9/30/2015

Later in the month, the State Department will issue a warning to all employees not to use private emails for work, but apparently Mills and Reines still won’t stop using their Gmail accounts for work. (The Washington Post, 3/27/2016)

December 16, 2011: Clinton criticizes Manning, who will be sentenced to 35 years for leaking classified information

Chelsea Manning (Credit: Patrick Semansky / The Associated Press)

Chelsea Manning (Credit: Patrick Semansky / The Associated Press)

Clinton comments on the imminent court martial case of Army Private Bradley Manning (later Chelsea Manning), after Manning gave a large cache of classified documents to WikiLeaks. Clinton says, “I think that in an age where so much information is flying through cyberspace, we all have to be aware of the fact that some information which is sensitive, which does affect the security of individuals and relationships, deserves to be protected and we will continue to take necessary steps to do so.” (CBS News, 12/16/2011

Manning is later convicted and sentenced to 35 years in prison, although none of the documents in question are rated “top secret.”

The Intercept will later note that Clinton’s comments occur “during the time that she had covertly installed a non-government server and was using it and a personal email account to receive classified and, apparently, even top-secret information.” (The Intercept, 8/12/2015)

2012: Clinton’s private server is vulnerable to a hacker attack described in a government warning.

Marc Maiffret (Credit: Fox News Business)

Marc Maiffret (Credit: Fox News Business)

The Homeland Security Department’s Computer Emergency Readiness Team issues a warning about remote access attacks, that would allow hackers to take control of computers. The warning notes that “An attacker with a low skill-level would be able to exploit this vulnerability.”

In 2015, the Associated Press will report that Clinton’s private email server could have been vulnerable to a hostile takeover by this very type of attack. Clinton’s server appears to have lacked encrypted protections, and could accept commands from the computers over the Internet.

Marc Maiffret, who founded two cybersecurity companies, will later comment, “That’s total amateur hour. […] Real enterprise-class security, with teams dedicated to these things, would not do this.”

Another cybersecurity expert, Justin Harvey, will comment that Clinton’s server “violates the most basic network-perimeter security tenets: Don’t expose insecure services to the Internet.” (The Associated Press, 10/13/2015)

January 5, 2013: Someone accesses the email account of one of Bill Clinton’s staffers on the private server used to host Hillary Clinton’s emails.

130101TorLogopublic

The Tor Logo (Credit: public domain)

This is according to a FBI report that will be released in September 2016. It is known the staffer whose account gets breached is female, but her name will be redacted. The unnamed hacker uses the anonymity software Tor to browse through this staffer’s messages and attachments on the server.

The FBI will call this the only confirmed “successful compromise of an email account on the server.” But the FBI will not be able to determine who the hacker is or how the hacker obtained the staffer’s username and password to access her account. (Federal Bureau of Investigation, 9/2/2016)

Wired will later comment, “The compromise of a Bill Clinton staffer—who almost certainly had no access to any of then-Secretary Clinton’s classified material—doesn’t make the security of those classified documents any clearer. But it will no doubt be seized on by the Clintons’ political opponents to raise more questions about their server’s security.”

Dave Aitel (Credit: Immunity)

Dave Aitel (Credit: Immunity)

Clinton’s computer technician Bryan Pagliano is in charge of monitoring the server’s access logs at the time.

But Dave Aitel, a former NSA security analyst and founder of the cypersecurity company Immunity, will later comment that the breach shows a lack of attention to the logs. “They weren’t auditing and restricting IP addresses accessing the server. That’s annoying and difficult when your user is the secretary of state and traveling all around the world… But if she’s in Russia and I see a login from Afghanistan, I’d say that’s not right, and I’d take some intrusion detection action. That’s not the level this team was at.” (Wired, 9/2/2016)

When Pagliano is interviewed by the FBI in December 2015, he will claim that he knew of no instance when the server was successfully breached, suggesting he didn’t know about this incident. (Federal Bureau of Investigation, 9/2/2016)

And when Justin Cooper, a Bill Clinton aide who helped Pagliano manage the server, will be asked about the incident in September 2016, he will say he knew nothing about it until he read about it in the FBI report released earlier that month. (US Congress, 9/13/2016)

March 20, 2013: Gawker publishes an article that reveals Clinton’s use of a private email address and notes it “could be a major security breach.”

The article notes that the hacker nicknamed Guccifer broke into the email account of Clinton confidant Sid Blumenthal. “[W]hy was Clinton apparently receiving emails at a non-governmental email account? The address Blumenthal was writing to was hosted at the domain ‘clintonemail.com’, which is privately registered via Network Solutions. It is most certainly not a governmental account. […] And there seems to be little reason to use a different account other than an attempt to shield her communications with Blumenthal from the prying eyes of FOIA [Freedom of Information Act] requesters.

Neither the State Department nor the White House would immediately comment on whether the White House knew that Blumenthal was digitally whispering in Clinton’s ear, or if the emails were preserved as the law requires. And if, as it appears, Blumenthal’s emails contained information that was classified, or ought to have been treated as such, it could be a major security breach for Clinton to have allowed it to be sent to her on an open account, rather than through networks the government has specifically established for the transmission of classified material.” (Gawker, 3/20/2013)

October 2013—February 2014: Clinton’s private email server is the subject of repeated attempted cyber attacks, originating from China, South Korea, and Germany.

The attempts are foiled due to threat monitoring software installed in October 2013. However, from June to October 2013, her server is not protected by this software, and there is no way of knowing if there are successful attacks during that time.

A 2014 email from an employee of SECNAP, the company that makes the threat monitoring software, describes four attacks. But investigators will later find evidence of a fifth attack from around this time. Three are linked to China, one to South Korea, and one to Germany. It is not known if foreign governments are involved or how sophisticated the attacks are.

Clinton had ended her term as secretary of state in February 2013, but more than 60,000 of her emails remained on her server. (The Associated Press, 10/7/2015) 

In March 2013, a Romanian hacker nicknamed Guccifer discovered Clinton’s private email address and the exact address was published in the media.

October 2, 2013: Three years after WikiLeaks leaked 250,000 State Department cables, the department’s communication system “is operating without basic technical security measures in place, despite warnings about its vulnerabilities…”

The SAIG Logo (Credit: public domain)

The SAIG Logo (Credit: public domain)

This is according to a BuzzFeed article. The system is known as SMART (the State Messaging and Archive Retrieval Toolset), and is used to share internal department documents, including the diplomatic cables made public by WikiLeaks. SMART is a two-tiered system, for both classified and unclassified information. SMART was launched in 2009, and the department has paid hundreds of millions of dollars to contractors for it, mostly to the company SAIC.

Unnamed sources “say the failures have left thousands of cables and messages, including highly sensitive and classified ones, vulnerable to espionage or leaks…” 

A former deputy program manager from one such contractor complains, “There is this attitude that security didn’t even come into the picture…I’m talking IT [information technology] security basics, standard fundamental things that a first-year admin would find.”

In 2012 and 2013, internal investigations revealed grave, unresolved security issues. “According to documents reviewed by BuzzFeed, several employees raised concerns starting from the beginning of the SMART rollout. They were told to not pursue the issue. Some were told, with stern overtones, that it wasn’t within their job descriptions to do so.” (Buzzfeed, 10/2/2013)

October 29, 2013: In a private speech, Clinton says she had to leave her phone and computer in a special box when traveling to China and Russia, but there is evidence she sent at least one email from Russia.

Clinton is greeted by Vice-Governor of St. Petersburg Oleg Markov as US Ambassador to Russia Michael McFaul looks on in St. Petersburg, Russia, on June 28, 2012.

Clinton is greeted by Vice-Governor of St. Petersburg Oleg Markov, as US Ambassador to Russia Michael McFaul looks on in St. Petersburg, Russia, on June 28, 2012. (Credit: public domain)

Clinton gives a private paid speech for Goldman Sachs, a financial services company. In it, she says, “[A]nybody who has ever traveled in other countries, some of which shall remain nameless, except for Russia and China, you know that you can’t bring your phones and your computers. And if you do, good luck. I mean, we would not only take the batteries out, we would leave the batteries and the devices on the plane in special boxes. Now, we didn’t do that because we thought it would be fun to tell somebody about. We did it because we knew that we were all targets and that we would be totally vulnerable.”

She will make similar comments in a private paid speech on August 28, 2014: “[E]very time I went to countries like China or Russia, I mean, we couldn’t take our computers, we couldn’t take our personal devices, we couldn’t take anything off the plane because they’re so good, they would penetrate them in a minute, less, a nanosecond. So we would take the batteries out, we’d leave them on the plane.”

The comments from both speeches will be flagged as potentially politically embarrassing by Tony Carrk, Clinton’s research director. Although the comments are made in private, Carrk’s January 2016 email mentioning the quotes will be made public by WikiLeaks in October 2016. (WikiLeaks, 10/7/2016)

Based on information from 2016 FBI interviews of Clinton and her aide Huma Abedin, it appears Clinton used her BlackBerry while still secretary of state to send an email to President Obama from St. Petersburg, Russia on June 28, 2012.

October 29, 2013: In a private speech, Clinton asks why the computers of a fugitive whistleblower were not exploited by foreign countries “when my cell phone was going to be exploited.”

Clinton was keynote speaker at Goldman Sachs annual dinner that was hosted at the Clinton Global Initiative on September 23, 2013. (Credit: public domain)

Clinton was keynote speaker at Goldman Sachs annual dinner that was hosted at the Clinton Global Initiative on September 23, 2014. (Credit: public domain)

Clinton gives a private paid speech for Goldman Sachs, a financial services company. In it, she says, “[W]hat I think is true, despite [NSA fugitive whistleblower Edward] Snowden’s denials, is that if he actually showed up in Hong Kong [China] with computers and then showed up in Mexico with computers. Why are those computers not exploited when my cell phone was going to be exploited?” (Snowden was on the run from the US government and eventually settled in Russia earlier in 2013.)

The comments will be flagged as potentially politically embarrassing by Tony Carrk, Clinton’s research director, due to later revelations of Clinton’s poor security of her BlackBerry while Secretary of State. FBI Director James Comey will later call her “extremely careless.” Although the comment is made in private, Carrk’s January 2016 email mentioning the quote will be made public by WikiLeaks in October 2016. (WikiLeaks, 10/7/2016)

November 2013 and December 2014: Clinton’s personal lawyer David Kendall and his law partner get security clearances, but they probably aren’t valid for the Clinton emails he possesses.

Katherine Turner (Credit: Williams & Connolly)

Katherine Turner (Credit: Williams & Connolly)

Kendall gets a “Top Secret/Sensitive Compartmented Information” (TS/SCI) security clearance from the Justice Department in November 2013. He and his Williams & Connolly law partner Katherine Turner also get a “top secret” clearance from the State Department in December 2014. This is so Kendall can review information related to the House Benghazi Committee’s on-going investigation.

At some point in late 2014, Kendall, Cheryl Mills (Clinton’s chief of staff), and Heather Samuelson (another lawyer) read and sort through all of Clinton’s over 60,000 emails from Clinton’s time as secretary of state. At least 22 of these will later be determined to have contained “top secret” information. Kendall then keeps a copy of over 30,000 of Clinton’s emails, including the 22 top secret ones, in a safe in the office he shares with Turner.

Only in July 2015 will government security officials give him first one safe and then a second more secure safe to hold the thumb drive containing Clinton’s emails, before Kendall gives up the thumb drive in August 2015.

Senate Judiciary Committee Chuck Grassley (R) will later suggest, “Neither Mr. Kendall nor Ms. Turner have a security clearance at a sufficient level to be a custodian of TS/SCI material. Thus, it appears Secretary Clinton sent TS/SCI material to unauthorized persons.” Politico will later point out, “Clearances, especially Top Secret ones, are normally granted in connection with specific matters and do not entitle recipients to all information classified at that level…” (Politico, 8/25/2015) 

Furthermore, Clinton’s emails are handed over to the State Department on December 5, 2014, making it likely that at least some of the time-consuming reading and sorting of 60,000 emails took place prior to the security clearances that were given in November 2014. (The Washington Post, 3/10/2015) 

John Schindler, a former NSA counterintelligence official, will later comment, “TS/SCI information must always be placed in a Secure Compartmented Information Facility (SCIF), a special, purpose-built room designed to protect against physical and electronic intrusion. A full-blown SCIF surely Kendall did not possess. […] Anything less is a clear violation of Federal law. Hillary has placed herself and her attorney in a precarious position here.” (John Schindler, 8/26/2015)

Additionally, it is unknown if Mills and Samuelson, who read and sorted all of Clinton’s emails with Kendall, had the security clearances to do so.

January 6, 2014: In a private speech, Clinton says when she got to State Department, employees “were not mostly permitted to have handheld devices.”

Clinton attends a meeting with General Electric CEO Jeffrey Immelt and various business leaders on September 21, 2009. (Credit: public domain)

Clinton gives a private paid speech for General Electric. In it, she says that when she arrived at the State Department as secretary of state, employees “were not mostly permitted to have handheld devices. I mean, so you’re thinking how do we operate in this new environment dominated by technology, globalizing forces? We have to change, and I can’t expect people to change if I don’t try to model it and lead it.”

The comments will be flagged as potentially politically embarrassing by Tony Carrk, Clinton’s research director, due to Clinton’s daily use of a BlackBerry mobile device during the same time period. Although the comment is made in private, Carrk’s January 2016 email mentioning the quote will be made public by WikiLeaks in October 2016. (WikiLeaks, 10/7/2016)

February 7, 2014: The State Department says classified information on devices like BlackBerrys are prohibited.

Jen Psaki (Credit: ABC News)

Jen Psaki (Credit: ABC News)

A reporter asks department spokesperson Jen Psaki if “State Department officials routinely use encrypted phones, mobile phones, for their conversations…” Psaki says in her reply, “Classified processing and classified conversation on a personal digital assisted device is prohibited.” (US Department of State, 2/7/2014) 

These comments are made before the controversy about Clinton’s use of a private BlackBerry for government emails begins.

Mid-November 2014: The State Department apparently successfully thwarts an attempt by Russian hackers to penetrate its email system.

The State Department apparently successfully thwarts an attempt by Russian hackers to penetrate its email system.”’ The entire computer network is quickly shut down for several days after evidence is found that a hacker entered the system. (The Washington Post, 11/16/2014) 

It is alleged that the US government believes the Russian government is responsible. The attack begins when a department employee falls for “spear phishing,” a trick in which a computer user is is led to click on a bogus link that loads malicious software onto the network. It is believed that only the department’s unclassified network is infected, since the classified and unclassified networks are never allowed to reside on the same computer. But the damage is widespread, and thousands of computers in embassies and offices around the world are affected.

In February 2015, the Wall Street Journal will report that the department is still struggling to make sure all traces of the attack are gone from its network. (The Wall Street Journal, 2/18/2015)

In March 2015, Wired Magazine will later comment, “[A]t least, in that case, there was a response. If the same sort of highly resourced hackers had gone after the server in Clinton’s basement, there’s no guarantee that the same alarms would have gone off.” (Wired, 3/4/2015)

March 3, 2015: An unnamed State Department technology expert complains that he and others tried to warn that Clinton’s use of a private email account was a security risk.

He says, “We tried. We told people in her office that it wasn’t a good idea. They were so uninterested that I doubt the secretary was ever informed.” He was a member of the department’s cybersecurity team. He says it was well known amongst the team that Clinton’s private account was at greater risk of being hacked or monitored, but their warnings were ignored. (Al Jazeera America, 3/3/2015)

March 4, 2015: It is reported for the first time that Clinton’s private email address was hosted on a private server.

On March 2, 2015, the New York Times revealed that Clinton exclusively used a private email acccount while she was secretary of state. However, that article made no mention of private servers. On this day, the Associated Press reveals that account was registered to a private server located at Clinton’s house in Chappaqua, New York. This was discovered by searching Internet records. For instance, someone named Eric Hoteham used Clinton’s Chappaqua physical address to register an Internet address for her email server since August 2010. (This may be a misspelling of Clinton aide Eric Hothem.)

The Associated Press reports, “Operating her own server would have afforded Clinton additional legal opportunities to block government or private subpoenas in criminal, administrative or civil cases because her lawyers could object in court before being forced to turn over any emails. And since the Secret Service was guarding Clinton’s home, an email server there would have been well protected from theft or a physical hacking.”

The article continues, “But homemade email servers are generally not as reliable, secure from hackers or protected from fires or floods as those in commercial data centers. Those professional facilities provide monitoring for viruses or hacking attempts, regulated temperatures, off-site backups, generators in case of power outages, fire-suppression systems, and redundant communications lines.”

The article mentions that it is unclear Clinton’s server is still physically located in Chappaqua.  (The Associated Press, 3/4/2015) It will later be revealed that it was moved to a data center in New Jersey in June 2013.

 

March 4, 2015: A cybersecurity expert says that Clinton’s privately managed email communications “obviously would have been targeted when she stepped outside of the secure State Department networks.”

Tom Kellerman (Credit: Cyber Risk Summit 2015)

Tom Kellerman (Credit: Cyber Risk Summit 2015)

This comment is made by Tom Kellermann. He adds that leaving the State Department’s security protocols and systems would have been similar to leaving her bodyguards while in a dangerous place. The result is that she may have “undermined State Department security.” (The New York Times, 3/4/2015)

March 5, 2015: Clinton’s private server is active and shows obvious security vulnerabilities.

A screenshot of the sslvpn.clintonemail.com log-in on March 4, 2015. (Credit: Gawker)

A screenshot of the sslvpn.clintonemail.com log-in on March 4, 2015. (Credit: Gawker)

Gawker reports that Clinton’s private email server is still active and shows signs of poor security. If one goes to the web address clintonemail.com, one gets a blank page. But if one goes to the subdomain sslvpn.clintonemail.com, a log-in page appears. That means anyone in the world who puts in the correct user name and password could log in.

Furthermore, the server has an invalid SSL certificate. That means the encryption is not confirmed by a trusted third party. Gawker notes, “The government typically uses military-grade certificates and encryption schemes for its internal communications that designed with spying from foreign intelligence agencies in mind,” and Clinton’s server clearly is not up to that standard.

It also opens the server to what is called a “man in the middle” hacker attack, which means someone could copy the security certificate being used and thus scoop up all the data without leaving a trace. The invalid certificate also leaves the server vulnerable to widespread Internet bugs that can let hackers copy the entire contents of a servers’ memory.

As a result, independent security expert Nic Cubrilovic concludes, “It is almost certain that at least some of the emails hosted at clintonemails.com were intercepted.” (Gawker, 3/5/2015)

Clinton still doesn’t shut the server down. However, about two days later, the security settings are changed.

March 5, 2015: Clinton’s private server shows more obvious security vulnerabilities.

A screenshot of the mail.clintonemail.com Outlook log-in on March 4, 2015. (Credit: Gawker)

A screenshot of the mail.clintonemail.com Outlook log-in on March 4, 2015. (Credit: Gawker)

Gawker reports that in addition to the security problems shown by the subdomain to Clinton’s private email server sslvpn.clintonemail.com, there is another subdomain that reveals even more security issues. If one goes to various web addresses of the server’s mail host mail.clintonemail.com, one is presented with a log-in for Microsoft Outlook webmail.

Gawker notes that the “mere existence” of this log-in “is troubling enough: there have been five separate security vulnerabilities identified with Outlook Web Access since clintonemail.com was registered in 2009.”

Furthermore, security expert Robert Hansen says having a public log-in page for a private server is “pretty much the worst thing you can do. […] Even if [Clinton] had a particularly strong password,” simply trying a huge number of passwords will “either work eventually – foreign militaries are very good at trying a lot – or it’ll fail and block her from accessing her own email.” He says that the server shows so many vulnerabilities that “any joe hacker” could break in with enough time and effort.

Independent security expert Nic Cubrilovic says, “With your own email hosting you’re almost certainly going to be vulnerable to Chinese government style spearphishing attacks – which government departments have enough trouble stopping – but the task would be near impossible for an IT [information technology] naive self-hosted setup.” (Gawker, 3/5/2015)

March 10, 2015: Clinton falsely claims that her private server had “no security breaches.”

Clinton answers questions at a United Nations press conference on March 10, 2015. (Credit: The Associated Press)

Clinton answers questions at a United Nations press conference on March 10, 2015. (Credit: The Associated Press)

During her United Nations press conference, Clinton says about her private email server at her Chappaqua, New York, house: “The system we used was set up for President Clinton’s office. And it had numerous safeguards. It was on property guarded by the Secret Service. And there were no security breaches.”

However, in May 2016, a State Department inspector general’s report will detail hacking attempts on Clinton’s emails housed in the server. In January 2011, Justin Cooper, who helped manage the server, wrote in an email that he shut down the server because he suspected “someone was trying to hack us…” Later that day, he wrote, “We were attacked again so I shut (the server) down for a few min [minutes].” And in May 2011, Clinton told her aides that someone was “hacking into her email.”

Additionally, the Associated Press will later comment that “it’s unclear what protection her email system might have achieved from having the Secret Service guard the property. Digital security breaches tend to come from computer networks, not over a fence.” (The Associated Press, 5/27/2016)

March 11, 2015: Senator Rand Paul criticizes comments Clinton made about her email scandal.

Senator Rand Paul (Credit: Lexington Herald Leader)

Senator Rand Paul (Credit: Lexington Herald Leader)

Paul (R) says, “She says she didn’t transfer classified information; her schedule is classified. Like if you want to know when she goes to yoga, that’s really benign, but what if you’re a terrorist? That would be an important item to know… So when her schedule is transferred via email, it should go through a secure device. When she says, ‘Oh, I for convenience sake I didn’t want to use two phones,’ well one, someone should inform her you can put two email apps on one phone. But the other thing is that her convenience shouldn’t trump national security. If she’s having a conversation with the president via email, which she admits that she did, do you think if you wanted to read it, if you did a Freedom of Information Act, do you think they’ll give it to you? They’ll say it’s classified. Yet she’s saying ‘I didn’t do anything classified.’” (The Today Show, 3/11/2015) 

Paul will run for president later in 2015, but will drop out early.

April 23, 2015: Petraeus is given a remarkably lenient plea bargain despite his serious security violations.

CIA Director David Petraeus (Credit: public domain)

CIA Director David Petraeus (Credit: public domain)

A federal judge sentences former CIA director and general David Petraeus to two years of probation and a $100,000 fine for giving his biographer and lover, Paula Broadwell, access to notebooks, classified information about official meetings, war strategy, and intelligence capabilities. Petraeus had been the CIA director from 2011 to 2012, but he was forced to quit due to the scandal. (The New York Times, 4/23/2015) 

The FBI seeks jail time for him, but doesn’t get it due to the plea bargain with the Justice Department. The New York Times will later report that FBI Director James Comey made the case to Attorney General Eric Holder that “Mr. Petraeus deserved to face strenuous charges. But the Justice Department overruled the FBI, and the department allowed Mr. Petraeus to plead guilty to a misdemeanor.” (The New York Times, 10/16/2015) The sentence is considered surprisingly light, given the evidence.

In 2016, the Washington Post will report, “FBI officials were angered by the deal and predicted it would affect the outcome of other cases involving classified information.” One former US law enforcement official will complain the deal “was handled so lightly for his offense there isn’t a whole lot you can do.” (The Washington Post, 3/2/2016)

June 24, 2015—August 6, 2015: Clinton’s emails are not properly secured with her lawyer.

The location of Williams & Connolly LLP offices, in Washington, DC. (Credit: Google Earth)

The location of Williams & Connolly LLP offices, in Washington, DC. (Credit: Google Earth)

On June 24, 2015, Intelligence Community Inspector General Charles McCullough learns in a letter written by Clinton’s personal lawyer David Kendall that copies of Clinton’s emails are being kept on a thumb drive in a safe in Kendall’s Washington, DC, office. This concerns McCullough, since those emails may still contain highly classified information.

The next day, McCullough calls an FBI official and has that person work with the State Department to give Kendall a government-issued safe to store the thumb drive instead. (The Washington Post, 8/14/2015

The safe is installed in the office Kendall shares with his Williams & Connolly law partner Katherine Turner on July 6. Kendall and Turner had both recently gotten security clearances. (Politico, 8/25/2015) 

However, concerns soon arise that some of Clinton’s emails may contain “top secret” classified material, and even the new safe may not be secure enough. Additionally, the security clearances of Kendall and Turner may not be high enough to allow them to read or possess top secret information. Further security arrangements are made, although it’s not clear what those are.

Kendall finally turns the thumb drive over to the FBI on August 6, ending the problem. (Politico, 9/17/2015)

August 2, 2015: Tyler Drumheller, a former CIA officer, dies at 63 years of age of pancreatic cancer.

Tyler Drumheller (Credit: C-Span)

Tyler Drumheller (Credit: C-Span)

Although Drumheller retired from the CIA in 2005 after 25 years of service, he seems to have had access to intelligence information that got passed on to Clinton through emails sent to her by private citizen Sid Blumenthal. Drumheller and Blumenthal were business partners at least in 2011, and there are suspicions that during Clinton’s time as secretary of state, Blumenthal essentially ran a private intelligence service for Clinton using information from Drumheller. (The New York Times, 8/2/2015)

John Schindler, a former NSA counterintelligence officer, will later claim that Drumheller “was never particularly popular at CIA and he left Langley under something of a cloud. His emails to Mr. Blumenthal, which were forwarded to Ms. Clinton, were filled with espionage-flavored information about events in Libya. In many cases, Mr. Drumheller’s reports were formatted to look exactly like actual CIA reports, including attribution to named foreign intelligence agencies. How much of this was factual versus Mr. Drumheller embellishing his connections is unclear.” Schindler adds that answers to questions about Drumheller’s role may never be known due to his death. (The New York Observer, 10/19/2015)

August 14, 2015: The head of the US government’s National Archives says Clinton should have recognized classified information and shouldn’t have used a private server.

John Fitzpatrick (Credit: Mike Morones / The Federal Times)

John Fitzpatrick (Credit: Mike Morones / The Federal Times)

John Fitzpatrick, who heads the Information Security Oversight Office in the National Archives and Records Administration (NARA), says that government agencies train officials with security clearances to spot sensitive material and then to look up the proper classifications, such as “confidential,” “secret” or “top secret.”

“If you write an email, you are expected to distinguish the classified from the unclassified. If you say ‘the CIA reports’ something—writing that sentence should set off alarm bells.” However, Fitzpatrick says that issue is somewhat academic given that Clinton had all her emails on a private server. “The rules require conducting any official business on an official system. There are many reasons for that—including assuring the security of the information, regardless of its classification. There is no argument to have those conversations in a private email.” (The Washington Post, 8/14/2015)

August 18, 2015: Clinton’s private server has recently been managed by a surprisingly small company with no special security features.

The door to the apartment where Platte River Networks was based until mid-2015. (Credit: Matthew Jonas - The Daily Mail)

The door to the apartment where PRN was based until mid-2015. (Credit: Matthew Jonas – The Daily Mail)

Platte River Networks (PRN) managed Clinton’s server from June 2013 until early August 2015. Former employee Tera Dadiotis calls it a “mom and pop shop.” She adds, “At the time I worked for them they wouldn’t have been equipped to work for Hilary Clinton because I don’t think they had the resources… [It was] not very high security, we didn’t even have an alarm. […] [W]e literally had our server racks in the bathroom. […] We only had the three owners and like eight employees. We didn’t do any work in other states.” PRN’s facility was a 1,900 square foot apartment in an ordinary apartment building until it moved into a larger space in June 2015. (The Daily Mail, 8/18/2015)

However, the security of PRN’s offfice may not have been directly relevant to Clinton’s server, because a 2016 FBI report will give no indication that her server was ever physically located at the office. It was put in an Equinix data center in New Jersey instead, and mostly managed remotely by PRN. (Federal Bureau of Investigation, 9/2/2016)

PRN also has ties to prominent Democrats. For instance, the company’s vice president of sales David DeCamillis is said to be a prominent supporter of Democratic politicians. He once offered to let Senator Joe Biden (D) stay in his house in 2008, not long before Biden became Obama’s vice president. The company also has done work for John Hickenlooper, the Democratic governor of Colorado.

Another former employee says everyone was told to keep quiet about the fact they were doing work for Clinton. (The Daily Mail, 8/18/2015)

August 19, 2015: Nobody in the company that managed Clinton’s private email server had any government security clearances.

A generic photo of a relatively low-cost server rack. (Credit: rackmountsolutions)

A generic photo of a relatively low-cost server rack. (Credit: rackmountsolutions)

Platte River Networks is a small Colorado-based technology company, and they managed Clinton’s server from mid-2013 to early August 2015. They had never had a federal government contract and did not work for political campaigns. Nearly all their clients are local businesses. David DeCamillis, the company’s vice president of sales, says that if they’d had any clue what might have resulted from accepting the contract, “we would never have taken it on.” (The Washington Post, 8/19/2016) 

Furthermore, Cindy McGovern, a Defense Department spokesperson, says that Platte River “is not cleared” to have access to classified material. (Business Insider, 8/17/2015) 

Cybersecurity expert Alex McGeorge believes that if classified information was mishandled, the onus is on Clinton, not on the company. “The fact that Platte River is not a cleared contractor is largely irrelevant, [since] they were handling what should have been unclassified email. That classified email may have been received by a server under their control is troubling, and they may have been less equipped to deal with it, but it is ultimately not their fault.” (Business Insider, 8/19/2016)

August 19, 2015: The State Department tells a judge that Clinton did not use a State Department issued or secure BlackBerry device.

Clinton checks her BlackBerry next to South Korea's foreign minister in Busan, South Korea, on November 30, 2011. (Credit: Saul Loeb / The Associated Press)

Clinton checks her BlackBerry next to South Korea’s foreign minister in Busan, South Korea, on November 30, 2011. (Credit: Saul Loeb / The Associated Press)

Furthermore, when Clinton aides Cheryl Mills and Huma Abedin left the State Department, their BlackBerrys were likely destroyed after they were returned to the government, since they were outdated models by that time. (Judicial Watch, 8/19/2015)

August 23, 2015: One of Clinton’s former security managers cannot believe Clinton didn’t recognize “top secret” information in her emails.

Colonel Larry Mrozinski (Credit: Twitter)

Colonel Larry Mrozinski (Credit: Twitter)

Former Army Colonel Larry Mrozinski disagrees with a recent statement by Clinton in which she claimed, “I did not receive any material marked or designated classified, which is the way you know whether something is [classified].” He says, “That’s total BS.” Mrozinski was a senior military adviser and security manager in the State Department under both Condoleezza Rice and Clinton.

Referring to media reports that at least some of Clinton’s emails were deemed TS/SCI, or “Top Secret/Sensitive Compartmented Information,” he says, “TS/SCI is very serious and specific information that jumps out at you and screams ‘classified.’ […] It’s hard to imagine that in her position she would fail to recognize the obvious,” such as the keywords and phrases commonly used only in those emails, as well as its sourcing. “This is a serious breach of national security, and a clear violation of the law. […] You are strictly forbidden to discuss TS/SCI of any kind outside a SCIF [a highly secure reading room], [yet] she was viewing and handling it in direct violation of the law and possibly exposing it to our enemies. Anybody else would have already lost their security clearance and be subjected to an espionage investigation. But apparently a different standard exists for Mrs. Clinton.” (The New York Post, 8/23/2015)

September 14, 2015: The FBI’s Clinton investigation is being run from FBI headquarters

1123_01A.tifFBI Headquarters, Washington, DC (Credit: Fed Scoop)

FBI Headquarters, Washington, DC (Credit: Fed Scoop)

The New York Times reports, “In an unusual move, the FBI’s inquiry is being led out of its headquarters in Washington, blocks from the White House. Nearly all investigations are assigned to one of the bureau’s 56 field offices. But given this inquiry’s importance, senior FBI officials have opted to keep it closely held in Washington in the agency’s counterintelligence section, which investigates how national security secrets are handled.” (The New York Times, 8/14/2015)

September 22, 2015: Clinton’s emails were improperly secured up until August 2015.

After it became clear by May 2015 that some of Clinton’s emails contained classified information, the security of the email copies possessed by Clinton’s lawyer David Kendall became an issue. In July 2015, State Department officials installed a special safe in Kendall’s office to store them.
However, on this day, Assistant Secretary of State Julia Frifield writes to Senate Judiciary Committee Chair Charles Grassley (R) that “while the safe was suitable for up to (top secret) information, it was not approved for TS/SCI material.” “TS/SCI” stands for “top secret, sensitive compartmented information.” Top secret information and above, such as TS/SCI, must be kept in a specially built secure room known as a SCIF [sensitive compartmented information facility]. Frifield argues that no one in the department knew Clinton’s emails contained such highly classified information.
The issue was resolved in August 2015 when the FBI took away Kendall’s copies of the emails. (The Associated Press, 9/28/2015)

October 13, 2015: Clinton’s private server was especially vulnerable to hacker attacks.

Clinton checks her phone at the United Nations Security Council on March 12, 2012. (Credit: Richard Drew / The Associated Press)

Clinton checks her phone at the United Nations Security Council on March 12, 2012. (Credit: Richard Drew / The Associated Press)

The Associated Press reports that “The private email server running in [Clinton’s] home basement when she was secretary of state was connected to the Internet in ways that made it more vulnerable to hackers, according to data and documents reviewed by the Associated Press. […] Experts said the Microsoft remote desktop service [used on the server] wasn’t intended for such use without additional protective measures, and was the subject of US government and industry warnings at the time over attacks from even low-skilled intruders.” (The Associated Press, 10/13/2015) 

One anonymous senior National Security Agency (NSA) official comments after reading the Associated Press report, “Were they drunk? Anybody could have been inside that server—anybody.” (The New York Observer, 10/19/2015)

October 16, 2015: Clinton’s lawyer gives the FBI two BlackBerrys that prove useless to the FBI’s Clinton investigation.

151016DavidKendallAFPGetty

David Kendall (Credit: Agence France Presse / Getty Images)

On this day, Williams & Connolly, the law firm of Clinton’s personal lawyer David Kendall, gives two BlackBerrys to the FBI and indicates they might contain or have previously contained emails from Clinton’s tenure as secretary of state. But FBI forensic analysis will find no evidence that either BlackBerry were ever connected to one of Clinton’s personal servers or contained any of her emails. The two BlackBerrys don’t even contain SIM cards or Secure Digital (SD) cards.

The FBI determines that Clinton used 11 BlackBerrys while secretary of state, and two more using the same phone number, but these two BlackBerrys are not any of those. (Federal Bureau of Investigation, 9/2/2016)