The personal BlackBerry that Hillary Clinton used as secretary of state was likely much less secure than the State Department-issued devices used by her staff and subordinates, according to knowledgeable former officials and executives.

And the security risks were magnified because Clinton used her personal BlackBerry on travel in foreign countries where State Department employees are routinely cautioned about the use of mobile devices.


A POLITICO review of press pool photos turned up instances of Clinton using her Blackberry in Vietnam, Brazil and South Korea.

The risk of targeted theft of an official’s data is greatest in nations with telecoms that are owned or largely controlled by the government, said Martin Libicki, a cybersecurity expert and senior scientist at the Rand Corporation. That’s because state-aligned hackers could pull any unencrypted data, such as the metadata connected with a phone call, straight off the cell towers.

In Vietnam in particular, analysts say, there’s a concern Chinese government hackers could pull information from the Vietnamese government-owned telecom — either through an intelligence-sharing agreement with Vietnam or because Vietnamese officials make little effort to keep Chinese spies out of their networks.

Some of the security deficit for Clinton’s BlackBerry can be attributed to predictable differences between an enterprise security system managed by a staff of IT professionals and a homebrew system like Clinton’s, administered by an individual or a small staff, people familiar with BlackBerry enterprise security told POLITICO.

A recent Verizon report, for example, found it takes companies roughly a month on average to discover they’ve been breached, even with complex security and a team of staffers. “For an individual, it could take them forever,” Stephen Perciballi, a systems security engineer who previously worked for Softchoice, a major BlackBerry retailer for government and industry.

Beyond the advantages conferred on large organizations by their professional IT teams, 24-hour network monitoring and security operations centers, the security of an individually owned BlackBerry — and the emails and other information stored in it — comes down to basic questions of hardware and software, insiders said. Questions that Clinton and the State Department declined repeatedly to answer.

The security of BlackBerry systems, for instance, is dependent on roughly 600 “IT policies” — essentially security measures that can be switched on or off, according to a person with detailed knowledge about BlackBerry’s federal operations. The more switches that are turned on, the more secure the device or network of devices will be. Individuals generally turn on far fewer of those security measures and take more security shortcuts than would IT professionals charged with keeping State Department information out of the hands of foreign hackers, the source said.

The most important component for BlackBerry security is the BlackBerry Enterprise Server, a piece of “middleware” that encrypts email and securely connects other applications with the BlackBerry handset, making it significantly more secure than the basic BlackBerry an average consumer might buy. These systems are typically bought by organizations but can also be bought — at great expense — by individuals or families with major security concerns.

A spokesman for Clinton declined several times to say whether the former secretary employed such an enterprise server during her tenure. In the past, her office has said making details of her email security public would aid hackers. “Robust protections were put in place,” according to a statement earlier this month, and “third party experts” were consulted and employed.

Perciballi also cited the enterprise server as a key component to any fully secure system.

“My first question would be was she using a [BlackBerry Enterprise] Server,” he said. “If so, that would be 80 percent better.”

Clinton insisted in a press conference last week that her private email account and the server that housed the emails were never breached — a statement that drew raised eyebrows among security experts who noted that many breaches can go undetected for months, years or even forever — hiding even from people trained to root them out.

Perciballi responded to the claim by paraphrasing a cybersecurity maxim: There are two kinds of people — those who have been breached and those who don’t yet know they’ve been breached.

To be even mildly confident of the “no breaches” claim, Perciballi said, he’d want a team of specialized forensic analysts to personally inspect the network and emails.

Questions about the security of Clinton’s BlackBerry are compounded by the added digital threats that come with foreign travel.

POLITICO did not find any evidence of Clinton using her BlackBerry in China or Russia while secretary — two nations that represent the greatest threat of online compromise. Yet, travel in other nations also poses hacking risks, though not as severe.

A spokesman for Clinton said that “the State Department took technical security for the entire traveling party very seriously.” He referred more detailed questions to State, noting, “It is for them to address an understandably sensitive topic as they deem appropriate to do so.”

A senior State Department official declined to discuss specific protocols for mobile phones abroad for security reasons, noting only that the “department provides guidance and briefings to its employees on best practices relating to the maintenance of secure communications around the globe, including mobile communications devices.” The official referred specific questions about Clinton’s security setup to her staff.

Clinton has also insisted she did not discuss any classified information on the personal email account that she accessed through her private BlackBerry. But even unclassified communications involving the secretary of state would be useful intelligence for another nation’s spy service. Something as simple as the frequency with which Clinton emailed different state officials or other Cabinet secretaries could provide insight into how a particular policy is being developed, say former counter-intelligence officials.

Before and during any foreign travel, the State Department’s Diplomatic Security Service briefs officials on both physical and digital threats, a former DSS official told POLITICO, including detailed instructions about when officials should and shouldn’t carry digital devices and other precautions to take.

As a result, the former official said, there’s no situation in which Clinton or her closest advisers would not have known exactly what was permitted and what was advisable.

“The Department does a really good job working with the intelligence community assessing risk,” the former official said. “We go in with the capabilities and resources to mitigate risk irrespective of where we are … Occasionally there’s time with the secretary to give a briefing, but we talk with staff as well. Staff are clearly briefed on what the threats are.”

The former official stopped short of saying that top diplomats sometimes disregard digital security directives but acknowledged there’s often a push and pull between officials who want to get as much work done as efficiently as possible while in country and security professionals who ask them to forego some modern conveniences.

The former official also said Clinton’s communications would almost certainly have been more secure on a State Department-issued device.

“Unless you’ve provided your personal phone to the State Department to put all the appropriate levels of encryption on it, you’ll be more vulnerable,” the former official said. “The State Department is very adept at knowing the risks involved. They’ve been doing it for a long time now.”

Even with the State Department’s expertise, however, security experts said, there’s no guarantee that adversaries couldn’t worm their way into an official’s unclassified email and officials are advised to presume that any unclassified system is insecure and could be compromised.

Indeed, the State Department’s unclassified email system was compromised last year and, according to a Bloomberg report, the hackers, who may be Russian, have still not been totally shut out of the system.

The State Department shut down its systems over the weekend and through Tuesday for a series of security upgrades. State Spokeswoman Jen Psaki said the closure was only for upgrades and not because the department had been hacked again.

“The generic caution to anyone who is of high interest to a foreign intelligence service as Ms. Clinton would be is to just assume that any business you’re conducting over non-secured networks — so a personal device or a government one — is something that’s going to potentially be targeted by foreign intelligence service,” said Michelle Van Cleave, former National Counterintelligence Executive during the George W. Bush administration.

“When you’re on an unclassified network,” she said, “the advice is just to assume you’re not secure wherever you are.”