State Department Has No Record of Clinton IT Security Training

Cybersecurity experts troubled that Clinton and two top deputies apparently skipped training

• June 12, 2015 1:05 pm


The State Department has no record of former Secretary Hillary Clinton or her two top aides receiving IT security training while Clinton led the department, the Washington Free Beacon has learned.

In response to a Freedom of Information request filed by the nonprofit Competitive Enterprise Institute in March, State said it could not locate any record of Clinton, chief of staff Cheryl Mills, or deputy chief of staff Huma Abedin undergoing any sort of IT security training.

"One former, senior executive branch personnel official contacted me to point out the requirement that appointees take this training, and that if Mses. Clinton, Abedin or Mills had deigned to follow the law, a record of this would exist," explained CEI senior fellow Chris Horner, who filed the FOIA request.

"He also noted, however, that if anyone was to turn up their noses and refuse the training—and be permitted to—these are the folks.  We now know this to be the case," Horner said in an email.

The request also asked for "all separation documents … completed or submitted" by Clinton, Mills, or Abedin. State returned no responsive documents to that request.

The department previously stated that it had no record of Clinton signing such separation documents, designed to ensure that former employees do not retain confidential information after their departure. State’s reply appears to confirm that neither Clinton nor her top aides submitted those documents.

Cybersecurity experts say Clinton, Mills, and Abedin should have undergone IT security training at State, and that their apparent failure to do so is part of a systemic problem.

"She should have done it, but the data point that she did not is sadly unsurprising," said Steve Bucci, the director of the Heritage Foundation’s Douglas and Sarah Allison Center for Foreign and National Security Policy.

"It is unfortunately not uncommon for people who think a lot of themselves (this can go way below the secretary level) to say ‘I’m too busy/important/smart to actually do this stuff that common workers are required to do,’" he said in an email.

Bucci, a former civilian Pentagon cybersecurity official and director of the of the IBM Institute for Advanced Security, said that if Clinton and her aides had undergone IT training, there would likely be documentation confirming it available through a FOIA request.

"Federal regulations require everyone to do that sort of training, everyone," he wrote. "If a senior executive, government or civilian, does not take security training they are making a huge mistake."

State only responded to CEI’s FOIA request after the libertarian-leaning nonprofit group sued the department to compel the documents’ release.

The March 12 request asked for "all documentation that Mrs. Clinton, Ms. Abedin and Ms. Mills undertook, or refused/declined to complete, cybersecurity awareness training, however State describes this (e.g., Information Security Awareness training), including but not limited to certification of completion or documentation that they took or refused/decline to take the training."

More than a month later, beyond the 20-day statutory window for a response, State had not done so. CEI sued to compel production of the documents. On May 18, the department’s Records and Information Management Division complied, telling CEI that it found "no responsive document(s) to your request."

Horner says that reply means no such documents exist, and therefore that Clinton, Abedin, and Mills never partook in any sort of IT security training.

"The idea that [State] may simply have forgotten to preserve [those documents] is absurd," Horner said. "They keep and have kept the most mundane documents. This is surely more not less true when it comes to documents reflecting a legally required reporting and attesting function, directly related to information security."

Neither the State Department nor the Clinton campaign responded to requests for comment by press time.

Clinton’s has come under fire for her use of a private email server run out of her Chappaqua, N.Y., home. Experts say it probably left her emails, which included tens of thousands of messages both personal and official, vulnerable to cyber breaches.

"If all that she had was standard technology . . .  it would be merely a speed bump for a sophisticated adversary to gain access to everything there," a former National Security Agency cybersecurity official told the Washington Post in March.

Clinton has insisted she did not send or receive classified information through her two personal email addresses, and However, emails released by the State Department last month show she did receive information subsequently classified by the FBI.

Revelations that neither Clinton nor her two top aides underwent standard IT security training procedures could revive concerns about the vulnerability of sensitive information sent to her personal email addresses.

At the very least, foregoing such training set a bad example for State Department subordinates.

"That sends a message that security is, in fact, unimportant to the organization," Bucci said.