If you work at the U.S. Education Department, you can have your personal and work email on the same smartphone. Not so at the Environmental Protection Agency, where employees can’t put personal email on agency-issued phones.
President Barack Obama drools over his daughters’ iPhones, but has long been restricted to a super-secure BlackBerry. Over at the Interior Department, top staffers are routinely issued iPhones.
Then there’s Hillary Clinton, who followed her own path as secretary of state, with a private email on a home-based server and one BlackBerry for both statecraft and yoga routines. Clinton said she adhered to the rules in place at the time.
The U.S. government is struggling to tame a technological free-for-all for its 2.7 million civilian employees and their myriad phones, tablets and other devices. What’s emerged is a patchwork quilt of rules and practices that vary from agency to agency, all of which leave room for interpretation.
And it’s only going to get trickier. A new generation of workers now have better mobile devices than their agencies’ clunky options, and are pushing for more access and quicker connections. But that means greater security risks.
“You have a lot of people who want to use their own device,” said Daniel Castro, vice president of the Information Technology & Innovation Foundation, a Washington-based think tank. “You have people bringing in their iPhones because they didn’t want to use a BlackBerry.”
The newer devices make it easier to mix emails for business and pleasure.
When Clinton was secretary of state from 2009 to early 2013, the State Department’s security restrictions barred having two email accounts on a government phone. White House spokesman Josh Earnest said it wasn’t until January 2012 that some White House staffers could put work email on their own devices.
Analysts say it’s often those at the top of the pyramid who feel they can shun the rules. While the State Department counseled embassy employees not to use personal emails for government business, for example, Clinton was using her own email account.
Gary Gensler, the former chairman of the Commodity Futures Trading Commission, used a private email when working from home. And the former head of the EPA, Lisa Jackson, sent emails using the alias Richard.Windsor@epa.gov. And an inspector general’s report said Rafael Moure-Eraso, chairman of the Chemical Safety Board, improperly used a private email for government work in 2013. He says he has corrected the practice.
“If they decide the rules don’t apply to them, and you can’t install security, you can’t monitor and even track what they do, then you’ve created a blind spot,” said Bob Hansmann, director of product security for Austin, Texas-based Websense Inc. “You can’t defend what you cannot see.”
The EPA says Jackson’s secondary email was sanctioned by the national archivist and her predecessors followed similar procedures.
Denise Krepp doesn’t get it. She can’t understand how Hillary Clinton was allowed to run her own email server, with her own private email, mixing work and personal emails on a single device that didn’t automatically save the records into the archives.
That was strictly against the rules when Krepp worked at the Maritime Administration during the Obama administration, where she was the general counsel in charge of enforcing the email policy. Krepp herself carried two phones, one issued by the agency and one that she owned.
“I was constantly giving the lecture of be careful what you are putting in email. It’s going to be kept,” she said. “I’m puzzled by this – very, very puzzled.”
In addition to preserving the historical record, freelancing on email raises security concerns.
“The federal government is a huge target because of who they are,” said Richard Bejtlich, chief security strategist for FireEye, a cyber security firm. “They are big and they have hundreds of thousands of targets.”
In the fiscal year ended Sept. 30 the government logged 67,196 cybersecurity incidents at federal agencies, according to the Office of Management and Budget. The incidents ranged from lost laptops to the discovery of malicious software. The total was up 16 percent from the prior year – a surge the government attributes partly to enhanced detection capability.
The Government Accountability Office has warned about the growing security risks associated with mobile devices, noting in 2012 that attacks of malware had increased to 40,000 from 14,000 in just a year.
In the House of Representatives, lawmakers have wide leeway over the mobile devices they use and their preference of office computers. Some insist on iPads, others on BlackBerrys. Many go back and forth between their government-issued email accounts for official business and personal accounts to keep in touch with donors or family.
For example, the No. 4 House Republican, Conference Chairwoman Cathy McMorris Rodgers of Washington, has two hand-held devices – a BlackBerry for her House email, and an iPhone for her personal use, spokeswoman Riva Litman said in an email.
Another House leader, No. 2 Democrat Steny Hoyer of Maryland, infrequently uses email. When he does, it’s mainly to communicate with his family.
The U.S. House restricts its members and staffers from using official devices and emails for anything campaign-related and tied to fundraising, even for charities. Beyond that, there is a general “de minimis” limit on personal use, though that has not been clearly defined. The Senate has similar rules.
The federal departments with the strictest rules are the Pentagon and intelligence agencies, where employees and visitors must turn off all mobile devices and deposit them in designated locked boxes before entering many offices and meeting rooms as part of routine security.
FBI agents are issued phones for communications so the bureau can reach them when needed, according to spokesman Paul Bresson. Many carry two devices, one for work and one for personal matters. Agents aren’t supposed to handle any sensitive material on their work or personal mobile devices.
Among the agencies most at risk is the State Department. Last month, U.S. and private security specialists were still trying to expel unidentified hackers from the unclassified portion of the U.S. State Department’s email system, two officials said. The problem persisted at least three months after the hackers were first discovered because the intruders’ techniques keep shifting, said the officials, who asked for anonymity because the inquiry is classified.
“The State Department’s email system has been compromised for months. It’s highly likely that it’s been compromised since forever,” Clay Johnson, a former presidential innovation fellow, wrote in a commentary published on Medium. Clinton’s “personal email was probably far more secure than her state.gov email account.”
Angela Greiling Keane, Chris Strohm, Michael Riley, Susan Decker, Elizabeth Wasserman, Billy House and Kathleen Hunter in Washington contributed to this report.