Thursday, January 26, 2017
Saturday, January 7, 2017
Simulated Trial of Hillary Clinton regarding the Email Server
This is a mock trial of Hillary Clinton regarding her private email server during her tenure at the State Department.
To keep the text flowing, the following abbreviations are used:
P = prosecution, the attorney making the case against Hillary.
D = defense, Hillary's attorney.
SD = State Department
HC = Secretary Hillary Clinton
CM = classified materials (national secrets)
PES = Personal email server
ROES = Regular office email system. The non-classified email system of the SD.
CMS = Classified messaging system: the system at the SD designed for classified materials. (Not normally called "email".)
IT = Information Technology department or team. The team or group in SD who handle computer-related issues for the SD.
(Note that this is based on publicly available information. A real trial may have access to witnesses and details not made public so far. If you find public details from a reliable source, please let me know.)
Judge: Prosecution, please begin.
Prosecution (P): Ladies and gentleman of the jury, I will make the case that HC was grossly negligent in her handling of classified material (CM). Being grossly negligent with CM is a Federal crime. She made at least three huge errors in judgement related to CM:
First, she used a personal email server (PES) to send and receive CM rather than the State Department (SD) email system, creating a security risk. A PES is not going be as secure as a government email system.
Second, she sent and received CM on a non-secure email system, and should have known it was CM because it had classification markings. At his July 5, 2016 press conference, FBI Director James Comey said a "very small number" of emails sent and received by Hillary Clinton over her private server "bore markings indicating the presence of classified information". A classification marker, "(c)" was present on materials she received, and HC should have known what that marker meant.
Third, some of the material sent to her personal email server (PES) involved planned or suggested drone strikes to enemies, which clearly should NOT have been received or sent to a PES.
There is a pattern of incompetent decisions, one after another, that taken as a whole add up to "gross negligence". She kept being careless with CM in multiple ways at multiple times.
Defense (D): If the court doesn't mind, I'd like to take up these 3 accusations one at a time.
First, let's look at the personal email server (PES). SD did not outright forbid use of the PES at the time. Technically, HC should have received written approval from the IT team of SD, which she did not, but external systems were NOT summarily forbidden, as the prosecution implies.
HC has apologized for using a PES and admits it was poor judgment. But that's not the same as being illegal, and may not even be a security risk.
Further, the IT team knew about her PES and should have pointed out or reminded her to get written approval.
Anyone who has worked in a medium or large organization knows it's unrealistic and uncommon to expect CEO's and top managers to memorize the entire official policy manual of the organization. They have assistants and experts review such information for them so that they can spend their time focusing on the big picture and pressing matters.
A specialist manager may be expected to memorize the parts of the manual related to their section. For example, the IT manager should know the details of the IT section of the organization's policy manual. But HC was not a specialist in her role, so expectations of specialist managers shouldn't apply.
Now you can argue that technically HC should have memorized and abided by everything in the SD policy manual, but that's not realistic such that it doesn't qualify as "grossly negligent". It's merely technically negligent. I'm probably violating some sections of my company's policy manual right now and I bet many of you in the jury box who have jobs are also. Think about about organizations you've worked for and how much of their policy manual you knew by heart.
Organizations make written policies to cover their caboose: they can always claim "it's in the manual" when things go sour so that the organization as a while doesn't get the blame. But that doesn't make it realistic for a CEO or top manager to spend dozens or hundreds of hours memorizing them all. Policy manuals are often several hundreds of pages, sometimes thousands. Thus, it's not "gross negligence" to not know it. It's a mere formality. [Unknown here is the actual size of the SD policy manual. It could end up being an evidence exhibit.]
P: For one, it's not a mere formality. Had she sought formal permission for a PES, she may have received sufficient training handling of classified material as part of the approval process. Second, "too big to memorize" is not a sufficient excuse. It's her job to find a way to comply with the entire policy manual. If she needed help understanding or applying it, she should have consulted with SD's experts rather than walk around with blinders on.
D: You are speculating about what would happen different if she got written approval for a PES from IT. You have not demonstrated it's certain, or even close to certain. I remind you that criminal trials require "beyond reasonable doubt". You are speculating, which is reasonable doubt.
And I'll leave it to the jury to decide if it's realistic to hold one to every rule in a thick policy manual. Republicans have repeatedly complained it's too hard to know what was in the Affordable Care Act because because it was "too big". Thus, size does matter, and most law-makers are lawyers by trade.
P: Objection, the Affordable Care Act is off-topic.
Judge: Sustained. Please disregard the statement about the Affordable Care Act. Please continue.
D: It was merely to highlight my point that many members of Congress have stated that large books or manuals overwhelm them also.
Judge: The utility or expectations of a large policy manuals is up to the jury. Please move on.
D: I'd like to now address the claim that a personal email server (PES) is not going be as secure as a government email system. The prosecution is actually making 4 claims, not 3.
First we have to make a distinction between kinds of systems here. The State Department (SD) has two kinds of message systems that are of interest to this case. I'm going to establish some working labels here to simplify things.
They have a regular office email system for non-secure material. This is for normal every-day office messages. We'll label this "ROES" (regular office email system). It's not intended for CM.
SD's second messaging system is for classified messages, unlike ROES. It's not usually technically referred to as "email", and thus we'll call it a CMS, a classified messaging system.
The CMS is what is supposed to be used for classified materials (CM). CM's should only be sent on the CMS, not ROES, nor personal systems (PES). It's a mistake to send CM through regular email systems regardless of whether that system is the office system or a home system.
Accusations often confuse these two such that I wish to ask the prosecution be clear about which kind of system we are talking about.
P: Agreed. I will make that distinction clear.
D: Thank you. So we return to the issue of whether a personal email server (PES) is less secure than the regular office email system (ROES), which also was not designed for CM.
This is mostly a technical argument. If you check with experts, you will get a wide range of opinions; it's not clear cut such that selecting a PES over ROES for non-CM is not gross negligence by any stretch. Further, HC is not a technology expert. It shouldn't be expected that she would be well-versed in the nuances of the security of one technology over another.
Also, the SD's ROES was eventually hacked [Link]. You know the saying, "proof is in the pudding". Well, the technical argument over whether the ROES is reliable has been settled by actual events: it's not. We don't have to guess which horse will win the race; the race already took place and we can see the actual rankings now.
P: It's also possible HC's PES was hacked. Just because we haven't discovered such yet doesn't mean it didn't happen.
I have testimony from Dr. Rimon* here that ROES are more likely to be secure in general.
D: "Possibly hacked" is highly speculative, which again doesn't approach "beyond a reasonable doubt". Guilty verdicts shouldn't depend on speculation.
As far as Dr. Rimon's testimony, I have a statement from Dr. Fryson* that there is no clear scientific evidence that one type of server is automatically more secure than another; it depends on the care given to it by the technicians. Home systems can be really good if the experts do a good job, and office systems can be lousy if poorly set up or managed.
It's like arguing over whether residential houses are less secure than warehouses. A residential house with a good security system can be more secure than a warehouse with a poor security system. The size or type of building is a smaller difference maker than the quality and care given to the security systems that protect them.
If the vast majority of experts had said that a PES is clearly always or usually less secure than a ROES, you may have a case. But you have not presented such a survey; only one researcher's view, which is different than another researcher's view. It's a wash.
Further, Secretary Colin Powell had suggested to HC that the government computer systems were not reliable in a general sense, and his own book makes similar suggestions. He actually worked there, so had direct first-hand experience with SD's systems. That arguably makes him an expert witness on the reliability of SD's systems.
P: Secretary Colin Powell never suggested HC use a PES. He used AOL, a commercial entity that provides email services, while he was at SD. And he even made it clear to the public he never suggested a personal server in one's home as alternative to the ROES. Thus, he did not recommend a personal or home solution.
D: There is no evidence he made a distinction to HC at the time of her tenure between a private service, like AOL, and a personal system in one's home.
And, are you saying a commercial service like AOL is clearly more secure than a PES? Why are emphasizing a distinction here? An "outside" service is an outside service.
P: Yes, a commercial service like AOL is more reliable because AOL has a bigger security staff and a bigger variety of experts. That should be obvious.
D: According to Dr. Fryson, it's also true that with bigger systems, such as AOL, a hacker only needs to find one hole in order to break into the whole thing. Its size makes it a bigger pay-off to hackers; they get access to many user accounts, not just one. It's somewhat comparable to a big warehouse: you only have to break into one door, window, or vent to get inside and have access to everything in side. A single breach can have a much bigger payoff. If you spend the same amount of time breaking into a residential home, you only have access to what's in the house, which likely has fewer valuables than a warehouse.
P: That's merely conjecture. You have no solid scientific evidence of that.
D: I'm pointing out there are arguments both ways. You have to prove "beyond a reasonable doubt", not merely offer one expert's viewpoint. Another expert has a different opinion, which I gave to counter your expert. It's your burden as the criminal prosecution to show your expert's viewpoint is true beyond a reasonable doubt. Fair or not, I don't have the same burden. I didn't create these lopsided burden levels in the law, I'm just the messenger.
Judge: Unless either side can offer strong scientific evidence either way, let's move on to the next issue: the classification markings. Since the prosecution made the claim, I'll let the defense start.
D: HC stated that she did not know the markers meant the information was classified, and thought they may have been paragraph labels left over from the staff's copying and pasting of text. The FBI said it was a "handful of messages" such that it's not as if she kept ignoring the markings in bunches of messages. It's only a few.
"(c)" also means "Copyright", and it could have indeed been left over paragraph labels. Numbering paragraphs with "(a)", "(b)", "(c)", etc. is common in the work world. For example, you can see similar notation on the State of California's penal codes [Example, Link].
That mark is thus used for multiple purposes and is not unique to classification labeling.
Further, the SD stated that the markers were left in by accident and that at least in two cases the material was not classified at the time sent, merely that the markers were inadvertently left in from the editing process. Whether all the instances of such markers were in error by SD staff has not been made public yet. [If you have a reliable source of such info, please let me know.]
P: HC signed a document early in her tenure as Secretary of State that confirmed she had been briefed on security procedures. Thus, she should have known what "(c)" meant. And the SD stated that all employees handling CM are to take a class.
D: A briefing is not a class. You don't normally call a class a "briefing". There's no [public] evidence she actually took the class. As far as whose fault that is, we don't know why the ball was dropped at SD. Somebody failed to register HC or failed to notify her that she had to be register. We don't have enough information to know who to blame for that.
P: Had she got IT approval for her home server, as discussed earlier, she may have been guided to the proper class.
D: Again, that's speculation on your part. The IT team is not necessarily the message security team. We don't know who runs the security class; you are speculating on the SD organization structure.
That's moot anyhow, for the issue is what HC should have done or not done, not how SD is organized. I will agree that perhaps she should have been more curious and known all the rules in the policy manual, or asked around more, but as I already argued, that's not realistic nor common in bigger organizations. We'd all probably miss some policy details, and therefore it's mild negligence at best, not gross negligence. We are measuring mortals, not super-heroes.
Judge: We already covered the issue of policy manuals. Let's instead move on to the drone strike issue. Defense, please proceed.
D: It's been alleged that any mention of drone strike plans are automatically classified and should be treated as such. However, HC has stated that they were policy questions and not specific tactical details. The targets were already known to be enemies of the USA such that them knowing they are targets would not change anything, if by chance they had intercepted the messages. [The details of the drone-related messages are not public to my knowledge.]
P: Knowing you are a general target versus knowing you are an active and current target are two different things. Giving away that detail gives the enemy more information such that they can prepare, working to avoid a soon-to-come strike.
D: That's a judgement call, one the Secretary of State is tasked with making. Perhaps you want them to take extra effort to hide, it may remove enemy leaders from direct decision making. It's harder to coordinate your troops if you are bunkered up versus on the battle field guiding soldiers. Head games are part of the art of war. It's the kind of strategy one finds in Sun Tzu's classic and respected written work, "The Art of War".
P: You are getting silly; somebody should police your fortune cookie intake. (Chuckles from jury box.) That's pure speculation. There's no direct evidence she was actually playing such "head games" as you call them, with the enemy at the time. That could be after-the-fact justification made up out of the blue.
D: The mind-game plan is a valid possibility. You may disagree with that strategy, but you are second-guessing HC's job decisions, not pointing out criminal activity. By the way, if you are so great at it, YOU should lobby to be Secretary of State.
Judge: Order in the court! Stick to the topic, not personal insults.
D: The prosecution needs to show beyond a reasonable doubt that all drone targeting information should automatically be classified or assumed to be classified. Instead, they are inventing rules and micro-managing their imaginary version of the SD. Again, head-games with the enemy are common tactics, and educated military planners use them all the time.
P: I believe it's pretty obvious that drone targeting information should be sent through systems intended for CM, such as CMS's. If the SD wanted to scare their targets, there are better ways to put out such information rather than wait around for a hacker to find it. Why would they wait for a hacker to deliver it?
D: The delivery methods are not mutually exclusive, the SD may have put out such information in other ways such that if a hacker found it, it would merely be redundant. Or HC may have weighed the trade-offs and felt that if such info leaked out, it wouldn't hurt, or even helped our side.
P: Again, that's all speculation.
D: So is yours. It's speculation versus speculation. You are not going to win your case on your speculation about how SD or the Secretary of State should do business. We are not debating war strategy here, but whether HC clearly violated secrecy laws. The law doesn't say that all drone targeting information is automatically subject to classification. It's a rule you made up out of the blue.
P: Common-sense makes that rule.
D: As you define it.
Judge: The jury will define common sense. We covered all three subjects. It's now time for each side to make their summary case, with brief rebuttals from each side. Defense, you start.
D: The prosecution's job is to show beyond a reasonable doubt that HC was "grossly negligent" with CM, which they failed to do. They guess or invent motivations and work rules to make their case, not facts.
There's no scientific evidence that a PES is summarily less secure than a commercial email service, such as AOL, or ROES for ordinary work emails. Different experts give different opinions, which means the evidence is not strong enough to qualify as "beyond a reasonable doubt". Secretary Powell has stated he observed that government systems are unreliable in general, and SD's ROES was actually breached, proving that HC's judgement matched actual events. Reality showed her right, what more do you want?
She has admitted her PES decision was a poor choice, but it's clearly not a "grossly negligent" choice. It was an informed judgement call that looks more clear-cut in hindsight.
As far as the classification markings, there's no evidence she was properly informed of what the markings meant, and according to the FBI there were only a "handful" of messages containing such markings. A handful among roughly thirty thousand messages. Waldo is easier to find.
As far as the drone targeting issue, that's a judgement call and arguments can be made either way as to whether it was good judgement.
We are not here to grade HC's work as secretary of state as far as professional judgement calls; that's what voting and the political process is for. We are here to determine if it's beyond a reasonable doubt that HC was "grossly negligent" with CM. Judgement calls are judgements. Her decisions are not anywhere near "grossly negligent", neither by themselves nor as a group.
Prosecution (P): If one looks at each point by itself, perhaps it could be argued it's a relatively minor slip in judgement. We all make mistakes. But taken as a whole, it adds up to gross negligence. She kept making similar mistakes along the path by ignoring suspicious clues and not asking more questions.
Say you are taking a walk around the perimeter of your work place. If you encounter a suspicious package, it would be good judgement to notify building security, rather than just walk on by it without a word. But if you did walk by ONE such package without saying or doing anything, you could be accused of poor judgement. It's not something to be proud of, but not a crime.
However, if you ignored FOUR of such packages and just kept walking, it would be gross negligence, especially if you are in top management: you are paid to solve and prevent problems. We expect a degree of competence in our higher public officials, and such an official ignoring four suspicious packages during a walk around the office building is GROSS negligence.
To review, the four skippings are using a home system (PES), not getting formal approval for the PES, not recognizing the marker in messages, and not using a secure system (CMS) for drone targeting information.
The defense is correct in saying that we probably all have violated some formality of our company's policy manuals. At larger organizations, the manuals are indeed big and tedious. But HC kept making obvious slip-ups and ignoring obvious oddities without asking for assistance, putting CM at risk. One or even two slip-ups might be forgive-able, but NOT four. Repeating instances of negligence and sloppiness adds up "gross negligence". She was a machine-gun of negligence, not a hand pistol.
Judge: It's time for the defense's rebuttal.
D: Speaking of the word "gross", the prosecution is making gross exaggerations. Only one of the four actions listed is a clear mistake, and two are judgement calls, not clear mistakes.
Failing to get written permission for a PES is the clear mistake. But it's not a "gross" mistake. Secretary Powell made the same mistake when he chose to use AOL's email service: he didn't get written permission either. What's the chance of two Secretary of State's from two parties making the same gross mistake in a row?
If multiple people inadvertently make the same mistake, it's probably not "gross", but a hole in the system. If cars keep crashing at the same intersection over time, it's time to question the intersection's design rather than just blame the drivers.
People are digging up the proverbial fine print in the policy manual AFTER the fact to embarrass their political enemies using technicalities. If you cannot bust somebody for a real crime, you dig and dig in the fine print until you find technicalities to bust them with instead.
And failing to recognize or sound an alert about classification markings is an open question because we don't know if she had proper training in such markings or not.
And it's a handful of messages out of roughly 30,000 messages that had that issue. Would each of you (jurors) catch all such markings in 30,000? Her job was to make diplomatic ties with countries and help manage international conflicts, not proof-read and correct messages like your 4th grade teacher did to your homework. Despite the name, "Secretary of State", the position is not a "secretary".
As far as the other judgement calls, again, your job as jurors is to apply the law, not fill out HC's performance evaluation. They are not technically "wrong" decisions.
Speculation about why HC made such calls is irrelevant; you here to identify gross negligence beyond reasonable doubt, not play with the prosecution's guesses about HC's internal motivation or internal decision process steps. The members of the prosecution are not certified mind readers. Their "chain" is imaginary: they only have one or two real links. You don't reach the level of "gross" via a two-link chain, and two weak links at that.
They are taking two minor lapses, which are essentially technicalities, and two subjective judgement calls, and trying to convince you that together these four make a large python, when in fact it's a tiny Christmas ornament that would blow away in a light breeze.
Judge: Prosecution, a brief final rebuttal is yours.
P: If HC wasn't capable of verifying secret content or markings herself, she should have assigned the job to somebody who had the time and skills, and make sure it was being done. She failed repeatedly to plug OBVIOUS gaps by not taking control or by not assigning somebody to investigate or plug the gaps. Nobody expected her to do everything at SD, as the defense implies, but it is realistic to expect her to have made sure common-sense things get done one way or another. She was the leader.
There is a pattern of neglect and bad decisions that put national secrets at risk. The defense just makes one silly excuse after another for each and every lapse in common-sense judgement. This chain of incompetence adds up to one big giant chain of negligence. It's a real chain, and the total weight of this chain is gross negligence with national secrets. I rest my case.
Judge: Jurors, the decision is now yours.
* These are hypothetical experts. Their conclusions are based on my personal knowledge of IT and personal reading up on the topic.
To keep the text flowing, the following abbreviations are used:
P = prosecution, the attorney making the case against Hillary.
D = defense, Hillary's attorney.
SD = State Department
HC = Secretary Hillary Clinton
CM = classified materials (national secrets)
PES = Personal email server
ROES = Regular office email system. The non-classified email system of the SD.
CMS = Classified messaging system: the system at the SD designed for classified materials. (Not normally called "email".)
IT = Information Technology department or team. The team or group in SD who handle computer-related issues for the SD.
(Note that this is based on publicly available information. A real trial may have access to witnesses and details not made public so far. If you find public details from a reliable source, please let me know.)
Judge: Prosecution, please begin.
Prosecution (P): Ladies and gentleman of the jury, I will make the case that HC was grossly negligent in her handling of classified material (CM). Being grossly negligent with CM is a Federal crime. She made at least three huge errors in judgement related to CM:
First, she used a personal email server (PES) to send and receive CM rather than the State Department (SD) email system, creating a security risk. A PES is not going be as secure as a government email system.
Second, she sent and received CM on a non-secure email system, and should have known it was CM because it had classification markings. At his July 5, 2016 press conference, FBI Director James Comey said a "very small number" of emails sent and received by Hillary Clinton over her private server "bore markings indicating the presence of classified information". A classification marker, "(c)" was present on materials she received, and HC should have known what that marker meant.
Third, some of the material sent to her personal email server (PES) involved planned or suggested drone strikes to enemies, which clearly should NOT have been received or sent to a PES.
There is a pattern of incompetent decisions, one after another, that taken as a whole add up to "gross negligence". She kept being careless with CM in multiple ways at multiple times.
Defense (D): If the court doesn't mind, I'd like to take up these 3 accusations one at a time.
First, let's look at the personal email server (PES). SD did not outright forbid use of the PES at the time. Technically, HC should have received written approval from the IT team of SD, which she did not, but external systems were NOT summarily forbidden, as the prosecution implies.
HC has apologized for using a PES and admits it was poor judgment. But that's not the same as being illegal, and may not even be a security risk.
Further, the IT team knew about her PES and should have pointed out or reminded her to get written approval.
Anyone who has worked in a medium or large organization knows it's unrealistic and uncommon to expect CEO's and top managers to memorize the entire official policy manual of the organization. They have assistants and experts review such information for them so that they can spend their time focusing on the big picture and pressing matters.
A specialist manager may be expected to memorize the parts of the manual related to their section. For example, the IT manager should know the details of the IT section of the organization's policy manual. But HC was not a specialist in her role, so expectations of specialist managers shouldn't apply.
Now you can argue that technically HC should have memorized and abided by everything in the SD policy manual, but that's not realistic such that it doesn't qualify as "grossly negligent". It's merely technically negligent. I'm probably violating some sections of my company's policy manual right now and I bet many of you in the jury box who have jobs are also. Think about about organizations you've worked for and how much of their policy manual you knew by heart.
Organizations make written policies to cover their caboose: they can always claim "it's in the manual" when things go sour so that the organization as a while doesn't get the blame. But that doesn't make it realistic for a CEO or top manager to spend dozens or hundreds of hours memorizing them all. Policy manuals are often several hundreds of pages, sometimes thousands. Thus, it's not "gross negligence" to not know it. It's a mere formality. [Unknown here is the actual size of the SD policy manual. It could end up being an evidence exhibit.]
P: For one, it's not a mere formality. Had she sought formal permission for a PES, she may have received sufficient training handling of classified material as part of the approval process. Second, "too big to memorize" is not a sufficient excuse. It's her job to find a way to comply with the entire policy manual. If she needed help understanding or applying it, she should have consulted with SD's experts rather than walk around with blinders on.
D: You are speculating about what would happen different if she got written approval for a PES from IT. You have not demonstrated it's certain, or even close to certain. I remind you that criminal trials require "beyond reasonable doubt". You are speculating, which is reasonable doubt.
And I'll leave it to the jury to decide if it's realistic to hold one to every rule in a thick policy manual. Republicans have repeatedly complained it's too hard to know what was in the Affordable Care Act because because it was "too big". Thus, size does matter, and most law-makers are lawyers by trade.
P: Objection, the Affordable Care Act is off-topic.
Judge: Sustained. Please disregard the statement about the Affordable Care Act. Please continue.
D: It was merely to highlight my point that many members of Congress have stated that large books or manuals overwhelm them also.
Judge: The utility or expectations of a large policy manuals is up to the jury. Please move on.
D: I'd like to now address the claim that a personal email server (PES) is not going be as secure as a government email system. The prosecution is actually making 4 claims, not 3.
First we have to make a distinction between kinds of systems here. The State Department (SD) has two kinds of message systems that are of interest to this case. I'm going to establish some working labels here to simplify things.
They have a regular office email system for non-secure material. This is for normal every-day office messages. We'll label this "ROES" (regular office email system). It's not intended for CM.
SD's second messaging system is for classified messages, unlike ROES. It's not usually technically referred to as "email", and thus we'll call it a CMS, a classified messaging system.
The CMS is what is supposed to be used for classified materials (CM). CM's should only be sent on the CMS, not ROES, nor personal systems (PES). It's a mistake to send CM through regular email systems regardless of whether that system is the office system or a home system.
Accusations often confuse these two such that I wish to ask the prosecution be clear about which kind of system we are talking about.
P: Agreed. I will make that distinction clear.
D: Thank you. So we return to the issue of whether a personal email server (PES) is less secure than the regular office email system (ROES), which also was not designed for CM.
This is mostly a technical argument. If you check with experts, you will get a wide range of opinions; it's not clear cut such that selecting a PES over ROES for non-CM is not gross negligence by any stretch. Further, HC is not a technology expert. It shouldn't be expected that she would be well-versed in the nuances of the security of one technology over another.
Also, the SD's ROES was eventually hacked [Link]. You know the saying, "proof is in the pudding". Well, the technical argument over whether the ROES is reliable has been settled by actual events: it's not. We don't have to guess which horse will win the race; the race already took place and we can see the actual rankings now.
P: It's also possible HC's PES was hacked. Just because we haven't discovered such yet doesn't mean it didn't happen.
I have testimony from Dr. Rimon* here that ROES are more likely to be secure in general.
D: "Possibly hacked" is highly speculative, which again doesn't approach "beyond a reasonable doubt". Guilty verdicts shouldn't depend on speculation.
As far as Dr. Rimon's testimony, I have a statement from Dr. Fryson* that there is no clear scientific evidence that one type of server is automatically more secure than another; it depends on the care given to it by the technicians. Home systems can be really good if the experts do a good job, and office systems can be lousy if poorly set up or managed.
It's like arguing over whether residential houses are less secure than warehouses. A residential house with a good security system can be more secure than a warehouse with a poor security system. The size or type of building is a smaller difference maker than the quality and care given to the security systems that protect them.
If the vast majority of experts had said that a PES is clearly always or usually less secure than a ROES, you may have a case. But you have not presented such a survey; only one researcher's view, which is different than another researcher's view. It's a wash.
Further, Secretary Colin Powell had suggested to HC that the government computer systems were not reliable in a general sense, and his own book makes similar suggestions. He actually worked there, so had direct first-hand experience with SD's systems. That arguably makes him an expert witness on the reliability of SD's systems.
P: Secretary Colin Powell never suggested HC use a PES. He used AOL, a commercial entity that provides email services, while he was at SD. And he even made it clear to the public he never suggested a personal server in one's home as alternative to the ROES. Thus, he did not recommend a personal or home solution.
D: There is no evidence he made a distinction to HC at the time of her tenure between a private service, like AOL, and a personal system in one's home.
And, are you saying a commercial service like AOL is clearly more secure than a PES? Why are emphasizing a distinction here? An "outside" service is an outside service.
P: Yes, a commercial service like AOL is more reliable because AOL has a bigger security staff and a bigger variety of experts. That should be obvious.
D: According to Dr. Fryson, it's also true that with bigger systems, such as AOL, a hacker only needs to find one hole in order to break into the whole thing. Its size makes it a bigger pay-off to hackers; they get access to many user accounts, not just one. It's somewhat comparable to a big warehouse: you only have to break into one door, window, or vent to get inside and have access to everything in side. A single breach can have a much bigger payoff. If you spend the same amount of time breaking into a residential home, you only have access to what's in the house, which likely has fewer valuables than a warehouse.
P: That's merely conjecture. You have no solid scientific evidence of that.
D: I'm pointing out there are arguments both ways. You have to prove "beyond a reasonable doubt", not merely offer one expert's viewpoint. Another expert has a different opinion, which I gave to counter your expert. It's your burden as the criminal prosecution to show your expert's viewpoint is true beyond a reasonable doubt. Fair or not, I don't have the same burden. I didn't create these lopsided burden levels in the law, I'm just the messenger.
Judge: Unless either side can offer strong scientific evidence either way, let's move on to the next issue: the classification markings. Since the prosecution made the claim, I'll let the defense start.
D: HC stated that she did not know the markers meant the information was classified, and thought they may have been paragraph labels left over from the staff's copying and pasting of text. The FBI said it was a "handful of messages" such that it's not as if she kept ignoring the markings in bunches of messages. It's only a few.
"(c)" also means "Copyright", and it could have indeed been left over paragraph labels. Numbering paragraphs with "(a)", "(b)", "(c)", etc. is common in the work world. For example, you can see similar notation on the State of California's penal codes [Example, Link].
That mark is thus used for multiple purposes and is not unique to classification labeling.
Further, the SD stated that the markers were left in by accident and that at least in two cases the material was not classified at the time sent, merely that the markers were inadvertently left in from the editing process. Whether all the instances of such markers were in error by SD staff has not been made public yet. [If you have a reliable source of such info, please let me know.]
P: HC signed a document early in her tenure as Secretary of State that confirmed she had been briefed on security procedures. Thus, she should have known what "(c)" meant. And the SD stated that all employees handling CM are to take a class.
D: A briefing is not a class. You don't normally call a class a "briefing". There's no [public] evidence she actually took the class. As far as whose fault that is, we don't know why the ball was dropped at SD. Somebody failed to register HC or failed to notify her that she had to be register. We don't have enough information to know who to blame for that.
P: Had she got IT approval for her home server, as discussed earlier, she may have been guided to the proper class.
D: Again, that's speculation on your part. The IT team is not necessarily the message security team. We don't know who runs the security class; you are speculating on the SD organization structure.
That's moot anyhow, for the issue is what HC should have done or not done, not how SD is organized. I will agree that perhaps she should have been more curious and known all the rules in the policy manual, or asked around more, but as I already argued, that's not realistic nor common in bigger organizations. We'd all probably miss some policy details, and therefore it's mild negligence at best, not gross negligence. We are measuring mortals, not super-heroes.
Judge: We already covered the issue of policy manuals. Let's instead move on to the drone strike issue. Defense, please proceed.
D: It's been alleged that any mention of drone strike plans are automatically classified and should be treated as such. However, HC has stated that they were policy questions and not specific tactical details. The targets were already known to be enemies of the USA such that them knowing they are targets would not change anything, if by chance they had intercepted the messages. [The details of the drone-related messages are not public to my knowledge.]
P: Knowing you are a general target versus knowing you are an active and current target are two different things. Giving away that detail gives the enemy more information such that they can prepare, working to avoid a soon-to-come strike.
D: That's a judgement call, one the Secretary of State is tasked with making. Perhaps you want them to take extra effort to hide, it may remove enemy leaders from direct decision making. It's harder to coordinate your troops if you are bunkered up versus on the battle field guiding soldiers. Head games are part of the art of war. It's the kind of strategy one finds in Sun Tzu's classic and respected written work, "The Art of War".
P: You are getting silly; somebody should police your fortune cookie intake. (Chuckles from jury box.) That's pure speculation. There's no direct evidence she was actually playing such "head games" as you call them, with the enemy at the time. That could be after-the-fact justification made up out of the blue.
D: The mind-game plan is a valid possibility. You may disagree with that strategy, but you are second-guessing HC's job decisions, not pointing out criminal activity. By the way, if you are so great at it, YOU should lobby to be Secretary of State.
Judge: Order in the court! Stick to the topic, not personal insults.
D: The prosecution needs to show beyond a reasonable doubt that all drone targeting information should automatically be classified or assumed to be classified. Instead, they are inventing rules and micro-managing their imaginary version of the SD. Again, head-games with the enemy are common tactics, and educated military planners use them all the time.
P: I believe it's pretty obvious that drone targeting information should be sent through systems intended for CM, such as CMS's. If the SD wanted to scare their targets, there are better ways to put out such information rather than wait around for a hacker to find it. Why would they wait for a hacker to deliver it?
D: The delivery methods are not mutually exclusive, the SD may have put out such information in other ways such that if a hacker found it, it would merely be redundant. Or HC may have weighed the trade-offs and felt that if such info leaked out, it wouldn't hurt, or even helped our side.
P: Again, that's all speculation.
D: So is yours. It's speculation versus speculation. You are not going to win your case on your speculation about how SD or the Secretary of State should do business. We are not debating war strategy here, but whether HC clearly violated secrecy laws. The law doesn't say that all drone targeting information is automatically subject to classification. It's a rule you made up out of the blue.
P: Common-sense makes that rule.
D: As you define it.
Judge: The jury will define common sense. We covered all three subjects. It's now time for each side to make their summary case, with brief rebuttals from each side. Defense, you start.
D: The prosecution's job is to show beyond a reasonable doubt that HC was "grossly negligent" with CM, which they failed to do. They guess or invent motivations and work rules to make their case, not facts.
There's no scientific evidence that a PES is summarily less secure than a commercial email service, such as AOL, or ROES for ordinary work emails. Different experts give different opinions, which means the evidence is not strong enough to qualify as "beyond a reasonable doubt". Secretary Powell has stated he observed that government systems are unreliable in general, and SD's ROES was actually breached, proving that HC's judgement matched actual events. Reality showed her right, what more do you want?
She has admitted her PES decision was a poor choice, but it's clearly not a "grossly negligent" choice. It was an informed judgement call that looks more clear-cut in hindsight.
As far as the classification markings, there's no evidence she was properly informed of what the markings meant, and according to the FBI there were only a "handful" of messages containing such markings. A handful among roughly thirty thousand messages. Waldo is easier to find.
As far as the drone targeting issue, that's a judgement call and arguments can be made either way as to whether it was good judgement.
We are not here to grade HC's work as secretary of state as far as professional judgement calls; that's what voting and the political process is for. We are here to determine if it's beyond a reasonable doubt that HC was "grossly negligent" with CM. Judgement calls are judgements. Her decisions are not anywhere near "grossly negligent", neither by themselves nor as a group.
Prosecution (P): If one looks at each point by itself, perhaps it could be argued it's a relatively minor slip in judgement. We all make mistakes. But taken as a whole, it adds up to gross negligence. She kept making similar mistakes along the path by ignoring suspicious clues and not asking more questions.
Say you are taking a walk around the perimeter of your work place. If you encounter a suspicious package, it would be good judgement to notify building security, rather than just walk on by it without a word. But if you did walk by ONE such package without saying or doing anything, you could be accused of poor judgement. It's not something to be proud of, but not a crime.
However, if you ignored FOUR of such packages and just kept walking, it would be gross negligence, especially if you are in top management: you are paid to solve and prevent problems. We expect a degree of competence in our higher public officials, and such an official ignoring four suspicious packages during a walk around the office building is GROSS negligence.
To review, the four skippings are using a home system (PES), not getting formal approval for the PES, not recognizing the marker in messages, and not using a secure system (CMS) for drone targeting information.
The defense is correct in saying that we probably all have violated some formality of our company's policy manuals. At larger organizations, the manuals are indeed big and tedious. But HC kept making obvious slip-ups and ignoring obvious oddities without asking for assistance, putting CM at risk. One or even two slip-ups might be forgive-able, but NOT four. Repeating instances of negligence and sloppiness adds up "gross negligence". She was a machine-gun of negligence, not a hand pistol.
Judge: It's time for the defense's rebuttal.
D: Speaking of the word "gross", the prosecution is making gross exaggerations. Only one of the four actions listed is a clear mistake, and two are judgement calls, not clear mistakes.
Failing to get written permission for a PES is the clear mistake. But it's not a "gross" mistake. Secretary Powell made the same mistake when he chose to use AOL's email service: he didn't get written permission either. What's the chance of two Secretary of State's from two parties making the same gross mistake in a row?
If multiple people inadvertently make the same mistake, it's probably not "gross", but a hole in the system. If cars keep crashing at the same intersection over time, it's time to question the intersection's design rather than just blame the drivers.
People are digging up the proverbial fine print in the policy manual AFTER the fact to embarrass their political enemies using technicalities. If you cannot bust somebody for a real crime, you dig and dig in the fine print until you find technicalities to bust them with instead.
And failing to recognize or sound an alert about classification markings is an open question because we don't know if she had proper training in such markings or not.
And it's a handful of messages out of roughly 30,000 messages that had that issue. Would each of you (jurors) catch all such markings in 30,000? Her job was to make diplomatic ties with countries and help manage international conflicts, not proof-read and correct messages like your 4th grade teacher did to your homework. Despite the name, "Secretary of State", the position is not a "secretary".
As far as the other judgement calls, again, your job as jurors is to apply the law, not fill out HC's performance evaluation. They are not technically "wrong" decisions.
Speculation about why HC made such calls is irrelevant; you here to identify gross negligence beyond reasonable doubt, not play with the prosecution's guesses about HC's internal motivation or internal decision process steps. The members of the prosecution are not certified mind readers. Their "chain" is imaginary: they only have one or two real links. You don't reach the level of "gross" via a two-link chain, and two weak links at that.
They are taking two minor lapses, which are essentially technicalities, and two subjective judgement calls, and trying to convince you that together these four make a large python, when in fact it's a tiny Christmas ornament that would blow away in a light breeze.
Judge: Prosecution, a brief final rebuttal is yours.
P: If HC wasn't capable of verifying secret content or markings herself, she should have assigned the job to somebody who had the time and skills, and make sure it was being done. She failed repeatedly to plug OBVIOUS gaps by not taking control or by not assigning somebody to investigate or plug the gaps. Nobody expected her to do everything at SD, as the defense implies, but it is realistic to expect her to have made sure common-sense things get done one way or another. She was the leader.
There is a pattern of neglect and bad decisions that put national secrets at risk. The defense just makes one silly excuse after another for each and every lapse in common-sense judgement. This chain of incompetence adds up to one big giant chain of negligence. It's a real chain, and the total weight of this chain is gross negligence with national secrets. I rest my case.
Judge: Jurors, the decision is now yours.
* These are hypothetical experts. Their conclusions are based on my personal knowledge of IT and personal reading up on the topic.
GOP, ACA, and Math
I invite any conservative to propose a better alternative to ACA. All the proposals from conservatives so far either don't have any real numbers behind them, or some group or type of coverage takes a hit to help a different group.
There are inherent trade-offs that need to be balanced; there is no free lunch or magic formula. It's easy to complain, but hard to offer alternatives that actually add up. (Single payer has reduced general medical costs overseas, but arguably creates less choice and longer waits.)
Some have proposed requiring states to accept out-of-state insurance companies to increase competition. For one, this risks trampling on state's rights. Second, states can already optionally allow any outside insurance company they want in by lowering or eliminating state standards. It hasn't reduced their costs in practice. It appears to be a ploy by GOP to reduce patient safeguards (and increase profits) by not allowing states to legislate medical safeguards.
Yes, taking away safeguards will reduce rates for many or most. But, some will then get hit harder with the consequences of lower safeguards. That defeats the very purpose of insurance. GOP seems to want insurance-lite. It's okay to propose such to the public, but be honest that it's really half-*ss insurance rather than dress it up in fancy political-speak.
Obama got the Lie-of-the-Year award for implying most or all can "keep your doctor". Don't make the same mistake, GOP, or you will also deserve a Lie-of-the-Year award, and the boot. (I kept my doctor, by the way.)
I've seen multiple surveys showing only around 20 to 25% want to go back to the way it was during the Bush years. That suggests voters want SOME kind of Federally-managed health insurance.
GOP/Trump have pushed the idea that there are easy fixes that ONLY they know how to do using some unspecified side-effect-free deregulation and making "great deals". Your turn guys; you hyped the magic beans, now grow your bean stalk and make the Giant pay for it, like promised.
Monday, January 2, 2017
Sunday, January 1, 2017
Subscribe to:
Posts (Atom)