I have to say that I was stunned by the revelation this week in the New York Times that former Secretary of State Hillary Clinton didn’t have a US State Department email address, but was instead using her private account to conduct diplomacy. Having worked in the US financial system, I know that every banker—particularly those that give financial advice—uses secure, archived email to record their interaction with clients—to mutual benefit. There’s a lot at stake in those communications, and keeping them archived and encrypted is the best way to preserve and protect one version of the truth.
When—as apparently Mrs. Clinton has done—someone decides for themselves which communications are relevant to the job and which aren’t, you’re introducing both a clear conflict of interest and, most importantly, doubt about the full truth.
Organizations I’ve worked with in regulated industries have clear policies backed up by compliance training, auditing and technology that ensure the rules are followed. If that’s not occurring at the US Department of State, which conducts some of the most important confidential conversations imaginable, how secure is our diplomacy? Just imagine the kinds of conversations going on now as Secretary Kerry negotiates a nuclear power deal with Iran.
What’s also particularly disturbing is that (presumably) hundreds of people who received email from her knew she was using a personal email address. The fact that red flags were not raised on her first day on the job shows a troubling lack of empowerment among the State Department team. Are they willing to speak the truth to power?
To summarize, from a governance perspective, here is what went wrong based on our “4P Model: People, Policy, Process and Practice”:
- People. She wasn’t challenged by State Department staff to follow the rules. Is an organization that follows hierarchy to that degree capable of having the kind of open dialog about US policy required to make good decisions?
- Policy. According to the New York Times article, policy is in place for government officials to use only official email accounts for government business. The policy simply wasn’t followed.
- Process. Here, the US State Department apparently didn’t have internal audit processes in place to ensure that policy was followed. Or perhaps they do, but it’s enforced selectively? Either scenario is troubling.
- Practice. Lots of failures here.
  - First, the internal audit team failed. If average State Department staff were not able to question her use of personal email, certainly an internal audit team should be empowered to do so. What other rules are routinely ignored that are designed to protect confidentiality and national security?
  - Second, this type of personal communications tool use should have been discovered through security software and firewalls—particularly those that track email and the exchange of digital information within the State Department.
  - Third, what training is in place to ensure policy is understood and followed? Even the CEOs of the largest banks in the country take annual compliance courses to ensure they’re aware of the rules.

Perhaps a full information security audit is due at the US State Department.