Glaring shortcomings in cyber-security training throughout the State Department on former Secretary Hillary Clinton’s watch reflected a pervasive anti-security “culture” she encouraged there, according to multiple former intelligence and military officials.
Acting State Department Inspector General Harold W. Geisel issued six critical reports that charged top officials did not submit themselves to the department’s mandatory “security awareness training” during Clinton’s tenure. The training covers procedures for properly handling of sensitive and classified government documents and how to secure digital communications.
Senior officials from deputy assistant secretaries to chiefs of missions at U.S. embassies did not submit themselves to regular training sessions as required by the department and government-wide standards, according to Geisel.
Geisel first warned in November 2010 mandatory security training was not being given to senior department officials. A highly redacted November 2012 audit by the IG found in a random check of 46 officials that “all 46 employees had not taken the recommended role-based security-related training course in the time-frame (that is, 6 months) as recommended in the Information Assurance Training Plan.”
Annual IT security training is mandatory throughout the U.S. military and within all intelligence agencies and is required by the National Institute for Standards and Technology, which sets government-wide security standards.
“A strong IT security program cannot be put in place without significant attention given to training agency IT users on security policy, procedures, and techniques, as well as the various management, operational, and technical controls necessary and available to secure IT resources,” according to NIST publication 800, the “bible” for government security.
“Failure to give attention to the area of security training puts an enterprise at great risk because security of agency resources is as much a human issue as it is a technology issue,” NIST warned.
“When you get the training, they give you lots of scenarios and lots of duplicate and redundant situations where you see the impact of security violations,” said Col. James Waurishuk, who retired in August 2014 from the U.S. Special Operations Command.
“If you don’t take the training, you don’t see it, so you don’t understand it.” he said.
Waurishuk, a 30-year military veteran, was also critical of Clinton for hiring Bryan Pagliano, a former IT staffer with her unsuccessful 2008 presidential campaign, in the department’s Bureau of Information Resources Management as a “strategic advisor.” Pagliano had no national security experience and no security clearance for handling classified documents.
“Here’s a person brought in for his campaign expertise, but doesn’t have knowledge, training or grasp of the national security environment, the threats and the gravity of failing to ensure secure environments. To put somebody at that level in charge without that degree of experience, that’s reckless,” Waurishuk said.
Other former military and intelligence officials blame Secretary Clinton for setting a poor example when she decided to conduct official government business on a private email account and a private server located at her home in New York.
“There was a corporate culture among the highest echelons of State Department that she perhaps deliberately chose to ignore these security protocols. And consequently, they just were not enforced,” said James Williamson, a former Special Forces and counter-terrorism officer who is now president and CEO of Global Executive Management. His firm offers crisis management, diplomatic and security services to its clients.
“I would hold Mrs. Clinton directly responsible for inculcation of this culture within her organization,” Williamson said.
Brig. Gen. (Ret.) General Kenneth Bergquist said effective government security awareness starts at the top.
“What you have is a culture that emanates from the top,” said Bergquist. He was selected by the Chairman of the Joint Chiefs of Staff as the first president of the new Joint Special Operations University. He was assigned after the 9/11 terrorist attacks to the U.S. Central Command as special operations staff director.
Clinton and her inner circle of aides and advisers “have no experience whatsoever or cultural reference to security of documents and security of information. They had never really been involved in any aspects of what I call the culture of security awareness. So they were starting out from a basis of ignorance,” said Bergquist, who also worked at the Central Intelligence Agency told the DCNF.
Geisel said in a November 2010 audit that the State Department “should improve methods to identify individuals with significant security responsibilities, ensure that they take the required training every 3 years, record the training records in the Office of Personnel Management-approved centralized system, and provide management with tools to monitor compliance with the training requirement.”
In July 2011 the IG found that there was a ‘lack of maintenance of classified information nondisclosure agreements” for security training.
The November 2011 IG audit found that “The Department is not tracking and documenting Significant Security Responsibilities (SSR) training attendance.”
In a redacted November 2012 audit, the IG warned that training for top State Department officials was widespread.
The IG’s office added that top line officials who held “significant security responsibility” personnel did not appear to be getting training.
Among those who were identified by the IG as not getting the security training were the State Department’s chief of mission, deputy assistant secretary, information management specialist, information technology specialist and the office director for the security engineering officer.
Bergquist said that he understood that many in Secretary Clinton’s inner circle did not want to bother with training. “They said, ‘I don’t want to spend four hours going through this type of training. I’ve got more important things to do. That’s low on my priority list,” the general said.
Bergquist called it “hubris. That kind of attitude permeates down.”