Briefing on the State Department Inspector General's Report, Office of the Secretary: Evaluation of Email Records Management and Cybersecurity Requirements

Special Briefing
Senior State Department Officials
Via Teleconference
May 25, 2016


MODERATOR: Thank you, and thanks to everyone for joining us on such relatively short notice. Well, we all know why we’re here. The Office of the Inspector General’s Report on the Evaluation of Email Records Management and Cybersecurity Requirements, which is scheduled to be released publicly tomorrow, has, in true Washington fashion, been released to some of you a little bit early. And so we felt it would be useful to pull together a call on background with two senior State Department officials to walk through some of the report’s findings as well as recommendations, and also to try to answer some of your questions, for those of you who have read through the report already.

So for your edification, the two senior State Department officials that we have with us today are [names and titles withheld]. Now, they will henceforth be known as Senior State Department Official One and Senior State Department Official Two. And again, this is a call that is on background, and also, we would like it to be embargoed until the end of the call.

So without further ado, I’ll hand it over to Senior State Department Official Number One.

SENIOR STATE DEPARTMENT OFFICIAL ONE: Thank you, [Moderator], and good afternoon to everyone. I wanted to just make some general points about this inspection report.

First of all, Secretary Kerry asked our inspector general to undertake this review back in March of 2015, when he basically asked the IG to look at our records preservation and transparency systems. And we’re already working to implement numerous improvements to both our email and records management systems. Many of these improvements were underway even before the IG report came out. And I would also note that the State Department has accepted all eight of the recommendations in the report, and the OIG has basically said that the eight recommendations have been resolved, which means that they agree with our plans to address the different recommendations.

I would also like to highlight that – as stated very early on in the report – that many of the challenges that are highlighted in the review are actually common across all federal agencies. This is a time of great transition for all of us as we move from a decades-old, paper-based recordkeeping system to be able to keep up with our recordkeeping in this new electronic age that we find ourselves. And so while it is – we do face some challenges here at the State Department, other agencies are struggling with some of these same issues.

I think it’s clear from the report that the Department could have done a better job preserving emails and records of secretaries of state and their senior staff going back several administrations. And we also acknowledge the report’s finding that compliance with email and records management guidance has been inconsistent across several administrations.

That being said, as a result of concerted efforts going all the way back to late 2014, 2015, I think that the Department is much better situated today than during the historical periods that are described in this report. Certainly, by early 2015, we had taken a number of steps, and let me outline just a few of those.

By early 2015, we had received former Secretary Clinton’s emails that she provided us – 55,000 pages. And in 2015 and 2016, we worked very, very hard to release those emails. They are now available to the public. Other steps that we took: We have undertaken a program within the Department that has been approved by the National Archives and Records Administration to basically archive all of the email of certain senior officials. That is ongoing.

We also are in the process of selecting new technology which is going to help us meet the deadlines that have been set both by the White House and the National Archives for managing our records electronically. We hope to have that new technology in place by the end of this calendar year, and it is going to greatly enhance our records-keeping abilities; also our FOIA capability. So we’re really looking forward to that.

We have set up a permanent steering committee, if you will – an electronic records management working group that has been meeting since 2013 to look at policies and practices within the Department to make sure that we are moving ahead and progressing towards a more modern system. And in the past two years we’ve also increased the communication within the State Department with employees about their responsibilities for recordkeeping, and the Secretary himself issued a notice on the importance of FOIA not too long ago.

So this has high-level attention and it has ongoing efforts here in the State Department to address these many challenges that we face.

MODERATOR: Great. We’ll just send it over to Senior State Department Official Number Two to make some comments and then we’ll hand it over – or we’ll take some of your questions, rather.

SENIOR STATE DEPARTMENT OFFICIAL TWO: Thanks, [Moderator], and good afternoon to everybody. I just want to pick up on where we left off there, which is one of the key findings that we see in the OIG’s report is that while the Department has had policies going back over several administrations, we have not done a great job of ensuring that people understand them or have the tools to follow them in a straightforward and administrable way. One of the best examples of that is that print and filing emails continues to be the way that most Department employees are supposed to archive their emails. We are hoping to move past that system this year, but that is still pending. So one of the issues is that while we are doing better, we’re still not where we want to be and we need to do better.

And then the final thing I wanted to flag is that while the OIG report provides a clear-eyed assessment that we have not lived up to all of our obligations in the past – and that has caused problems – we’ve taken significant steps not only to improve our systems today, but a lot of the past problems have been mitigated by getting emails back, by putting them on the internet and adopting new technology. So we’re looking forward to building on the OIG report. We’re building on the work that our transparency coordinator is doing and moving forward.

MODERATOR: Great, thanks so much. Great, we’ll begin with your questions. Operator, do you want to explain quickly how that works?

OPERATOR: Thank you. Ladies and gentlemen, if you wish to ask a question, press *1 on your touchtone phone. Again, *1 at this time if you wish to ask a question.

We’ll go to the line of Brad Klapper with AP.

QUESTION: (No response.)

OPERATOR: Mr. Klapper, your line is open.

QUESTION: (No response.)

MODERATOR: Okay, let’s move to the next question.

OPERATOR: Thank you. We’ll go to the line of Arshad Mohammed with Reuters.

QUESTION: Two questions, please: One, is there a reason why this call cannot be done on the record, in the interests of transparency, rather than on background?

Secondly, on pages 36 and 37 of the report, the report states, “By Secretary Clinton’s tenure, the Department’s guidance was considerably more detailed and more sophisticated. Beginning in late 2005 and continuing through 2011, the Department revised the FAM and issued various memoranda specifically discussing the obligation to use Department systems in most circumstances and identifying the risks of not doing so.”

And it also goes on to state that Secretary Clinton used – well, that “Throughout Secretary Clinton’s tenure, the FAM stated that normal day-to-day operations should be conducted on an authorized AIS, yet OIG found no evidence that the Secretary requested or obtained guidance or approval to conduct official business via personal email account on her private server.” Then it says, “The current CIO and Assistant Secretary for DS believed that Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their officers – with their offices.”

So my question is: Given that the FAM had been revised during the period that Secretary Clinton was in office to make clear that all ordinary normal day-to-day communications should be on an authorized Department system, one, why didn’t the secretary do that – former Secretary Clinton? And two, why did she not reach out to the Chief Information Officer and the Assistant Secretary for DS’s offices to seek their advice and permission on this?

MODERATOR: Just let me jump in before handing it over to Senior State Department Official Number Two, on the question of whether we could do this – it’s our preference that we do it on background for a number of reasons, not least of which is the fact that this has been – this report’s been leaked early to many in the news media, but it has not been officially released. So we’ll address these on the record, some of these questions, in the days to come, but at this point we’re going to keep it on background.

But over to Senior State Department Official Number Two.

SENIOR STATE DEPARTMENT OFFICIAL TWO: Thanks, [Moderator]. To your two questions about why Secretary Clinton didn’t use state.gov email and why she didn’t seek approval for her personal system, unfortunately I don’t think we can speak to that and we’d have to refer you to Secretary Clinton and her team. The OIG report does not get into that and doesn’t make findings with respect to that.

You did ask about or recite several of the (inaudible) provisions that were in place during Secretary Clinton’s tenure. And one thing that is clear is that the policies on email evolves over time and our guidance to officials on how to comply with them evolved and improved over time. Some of the most relevant NARA guidelines on the use of personal email were not issued until 2013. And to this day, the Federal Records Act still permits the use of personal email to some extent provided that you follow the key principle, which is to capture them.

So while we would never – while we wouldn’t encourage the use of a personal email, there was no absolute prohibition on it during this or any other tenure, administration. And while it may have been difficult to approve such a system in light of the policies, we think it’s very important to note that both the OIG and NARA have said by going out and getting records back from Secretary Clinton that we have mitigated the past problems associated with this use.

MODERATOR: Okay. Next question is – we’ll go to the next question, rather. Sorry.

OPERATOR: Thank you. We’ll go to the line of Justin Fishel with ABC News.

QUESTION: Hey, guys. Thanks for doing this. Okay. One quick question – two questions. I don’t see a conclusion in here anywhere explicitly stated, although I do infer from this that she did violate email policy. But do you believe she violated the policies that were in place about her use of personal email and retention of email? Why isn’t that explicitly stated? And where did you get the email where she talks about, to her Deputy Chief of Staff, where it says, quote, “We should talk about putting you on an email – on State email or releasing your email address to the Department so you’re not going to spam,” and Clinton writes back, “Let’s get separate address or device but I don’t want the risk of personal being accessible.” I couldn’t find that in the FOIA’d released documentation, so I’m curious where you got that email and why it isn’t public. Or is it, and I’m just missing it? Those are my questions.

SENIOR STATE DEPARTMENT OFFICIAL TWO: [Moderator], I can take those as well. First, I do believe the OIG report finds that by leaving the Department without turning over all of her emails, Secretary Clinton didn’t comply with the records rules. However, OIG and NARA have found that by (inaudible) back to us, she mitigated those problems. And you’ve heard us say this a number of times over the past year; we worked very hard to put those online to show the work that she did here at the Department.

With respect to that second email, or the email that you were referencing, I don’t think I know exactly where we obtained that email. I think you are correct that it is not in the emails that we put online. We do have it; it is in our custody. But as to why we wouldn’t have it from Secretary Clinton in what she turned over, I would have to refer you to her and her team on that.

QUESTION: Well, but all her emails were – work-related emails were supposed to be turned over. So did she – I don’t understand. Did she not turn them all over? Are there emails we’re not seeing? I mean, [Moderator], can you answer why we would be seeing emails now in an IG report that we did not see in the FOIA releases? I really don’t understand that.

SENIOR STATE DEPARTMENT OFFICIAL TWO: I can take that. And I apologize if I didn’t – if I wasn’t clear. Secretary Clinton has said both to us and in a court filing that she turned over work-related emails that she had in her possession. There are instances, and they’re identified in the OIG report, where people are aware of emails that involved her that she did not turn over. The fact that she has said she’s turned over what she had and through other preservation and reviews we’ve identified additional emails, and we only put online through the FOIA process what Secretary Clinton turned over, to the extent that the OIG found an additional email, that’s not inconsistent with what we’d expect.

MODERATOR: Thanks. Next question, please.

OPERATOR: Thank you. We’ll go to the line of Carol Morello with Washington Post.

QUESTION: Hello. I have a couple questions. It says in the beginning that you have – you did not request more money in your 2017 budget to address these problems, and you’re going to need it. So I wanted to ask why you didn’t when you saw this coming down the pike. Also on page 40, it talks about a meeting in which a number of security officials were concerned about Secretary Clinton’s use of personal email. And according to this report, the director of IRM said that their mission is to support the Secretary and they should never speak of her personal email system again. I wonder if you think that was a proper thing to do at the time, and would it be proper today?

SENIOR STATE DEPARTMENT OFFICIAL TWO: Thank you. I – and perhaps Senior Official One can speak to some of the funding issues, but I will note I think the OIG report does say that we have requested additional funding for 2017 and that we are going to need it. But with respect to the – the conversation that’s outlined on, I think you said, page 40, we don’t have any insight into those conversations beyond what the OIG report says. Some people in the Department had an awareness of Secretary Clinton’s email address. It wasn’t a secret. She corresponded with numerous people. And – but having some awareness of her email practices is different from having a complete picture of how Secretary Clinton used email. The IG report does find that no one in the Legal Advisor or any other bureau in the Department was asked to or did approve the server.

SENIOR STATE DEPARTMENT OFFICIAL ONE: I can go ahead and address the funding issue. It’s true that the office that processes FOIA has in fact been underfunded for a number of years. Recognizing that in 2017, there was a one-time request made for additional staff. That took place. Those people were added. Going forward, now we are certainly including additional funding in the funding request for the next few years.

MODERATOR: Great, thank you. Next question, please.

OPERATOR: Thank you. We’ll go to the line of Brad Klapper with AP.

QUESTION: Hi, can you hear me now?

MODERATOR: Yeah.

QUESTION: Okay, great. I just wanted to ask – a lot of the – the directives in the audit are described as clear, but Clinton didn’t follow them on the use of personal email server, BlackBerry, and then, as Carol said, when queried, there was a false claim that she got approval, and then we saw even hacking attempts in 2011 that didn’t get anyone to reassess whether her practices were not good. So I wondered if you could address this kind of systemic problem that seemed to indicate she was flatly above all the rules and guidelines.

And then, secondly, we didn’t – the audit noted that there was no cooperation by Clinton or a bunch of her top aides that were asked to be interviewed, so what does that say about having fixed all these problems when you can’t even get the people who were kind of identified as being involved in some of these problems to even talk to your inspector general?

SENIOR STATE DEPARTMENT OFFICIAL TWO: Thank you. I think that the – for us, one of the main findings of the OIG report – in fact, one of the first sections of the OIG report – about how while we had policies and rules in place, the Department did not do a very good job of ensuring that people understood them or had the tools to follow them. And we take very seriously our obligation as a department to facilitate compliance. So I don’t think it’s a finding in the OIG report, and I don’t believe it’s a finding by the Department that anyone was above or not subject to the rules. It’s just that we didn’t do a great job ensuring that they were followed.

And the problems go back several administrations. There are – there are – the findings with respect to Secretary Clinton are similar to the findings of how Secretary Powell conducted his email use. This has been a – a historic and systemic challenge.

And you asked how we’re going to ensure compliance today. The report does a very nice job of laying out how Secretary Kerry is having his – uses a state.gov, is having his emails automatically archived, and how he understands the policies and procedures that guide records management. So we’re quite pleased with the trajectory that the OIG report lays out.

In terms of cooperation by Secretary Clinton and her staff, we’d have to refer you to her and her team to speak to their decision making. As the OIG report notes, former employees are not obligated to speak to the inspector general. And I would also add that through the Department’s cooperation, the OIG did have access to a large volume of material related to Secretary Clinton’s tenure – email records and the like. So we are quite satisfied, I think, with the history in the OIG report, the fact-finding, and we think it provides a good launching point to continue our efforts to improve, starting with Secretary Kerry.

MODERATOR: Senior State Department Official number two, if you could just also – I don’t know if you could address the part about the cyber security incidents.

SENIOR STATE DEPARTMENT OFFICIAL TWO: Oh, thank you. So the section on the report on cyber security lays out the way the Department’s policies and approach to cyber security have evolved over time. It’s certainly consistent with what you see across the board both in the government and the private sector. Our understanding has gotten better over time. We have policies in place to encourage the use of State systems because there are risks associated with not using State systems.

However, I think it’s important to underscore that the OIG itself says that this report is not a report on the security of any secretary’s email systems, including Secretary Clinton’s. There are no findings about the security of Secretary Clinton’s email system. The hacking email that is referenced includes language to the effect that the hack was not successful. That’s just from the email that it cited. But beyond that there’s no finding one way or the other about the security.

MODERATOR: Great. Time for just two more questions. We’re trying to get to all of you. I apologize. Next question, please.

OPERATOR: Thank you. To the line of Josh Gerstein with Politico.

QUESTION: Hi. So I had two questions. One is: Do you disagree with the inspector general’s findings about what the policies were that were in effect during Secretary Clinton’s tenure, in particular this finding that the day-to-day business of the Department was to be conducted on authorized information systems? Because when this issue was raised about 14 months ago in media reports, the Department suggested that the media was misinterpreting those rules and that they only applied to sensitive information and that there was no broad policy on that point.

And my second question is: Based on any of the findings in the report – I realize some of them pertain to former employees; I assume some of the employees discussed in the report are current employees – is the Department considering any follow-on action or personnel action as a result of the findings in the report? Thank you.

SENIOR STATE DEPARTMENT OFFICIAL TWO: Thank you for the question. I don’t think the Department has any basis to disagree with what the OIG set forth in terms of what policies were in existence at what time, insofar as essentially what they did is quote them and cite them. But what we do want to underscore is that the OIG also found that the Department has not done a great job historically of overseeing those policies and ensuring that they are understood and followed.

With respect to plans for discipline, at this time the Department does not have any plans for discipline concerning the records management issues. We note that the IG report says that the problems associated with Secretary Clinton’s emails has been mitigated by her return of those records, and we think that’s a great start. And our focus is on ensuring that compliance going forward is as good as it can be. We’re automatically archiving Secretary Kerry’s emails. We have plans to improve the checkout procedure for our current administration and the check-in procedure for the next one.

MODERATOR: Great. Sorry, I misspoke – we have two more questions, I think. So next question, please.

OPERATOR: Thank you. Lucas Tomlinson with Fox News.

QUESTION: Hi. Just two questions: Do you think Secretary Clinton did anything wrong, and was she allowed to use a personal server while she was Secretary of State? Thank you.

SENIOR STATE DEPARTMENT OFFICIAL TWO: So I think the IG report speaks for itself in that it found that leaving the Department with her emails, Secretary Clinton didn’t act in compliance with all the records policies in place. However, it also finds – and NARA has found – that she mitigated those problems and the Department has mitigated those problems.

With respect to whether Secretary Clinton was allowed to use a personal email, the IG report finds that she did not seek approval and the Department did not provide it. She has said that she wouldn’t make the same decision again, and the IG report notes that the Department’s – senior Department officials say that they wouldn’t have recommended it had she asked.

MODERATOR: Great. Last question.

OPERATOR: Go to the line of Elise Labott with CNN.

QUESTION: Hi. I would love to go back to some of the questions that Karen DeYoung and our previous questioner, Lucas Tomlinson, asked. I just want to drill down on – it does seem to be a little bit of a discrepancy whether – it seems as if some of – in the report that some of Secretary’s Clinton staff had told – had said that the legal department signed off on it. Could you clarify that?

I think we’re just – this is a State Department call, this is not an OIG call. I think we’re trying to nail down whether there were people in the Department that told her that she could go ahead with using this email system, and if not, that would suggest that she was told what the policies were, that they were told that she would be doing it anyway, and that is working above the rules. And you said earlier that this was – this does not show that anybody was subject or above the rules. I’m wondering if you could square that, because either she was – felt that she was above the rules or people just – in the State Department just ignored the rules and let her go ahead anyway. If you could flesh that out a little bit, I’d appreciate it. Thank you.

SENIOR STATE DEPARTMENT OFFICIAL TWO: Sure. So I think what you’re referring to is a section in the report where one Department employee stated that Department legal staff had reviewed and approved Secretary Clinton’s email practices. The OIG report in the next sentence says that it found no evidence that the Office of the Legal Adviser reviewed or approved Secretary Clinton’s personal system. So we can’t speak to why the individual who is said to have said that believed that to be the case, but what we can point to is the OIG’s findings that the Department’s Office of the Legal Adviser did not approve this system.

Your second question, I think, boils down to, again, was Secretary Clinton not subject to the rules, and I think what the OIG found is that the Department had rules but didn’t do a very good job of ensuring that they were followed. And while some people in the Department had awareness of Secretary Clinton’s email practices, that awareness didn’t extend to a complete understanding, whole picture, of what she was doing. Secretary Clinton has said that she would not make the same decision again, and the Department has said in the OIG report that it wouldn’t have recommended the approach.

So where we stand today is, looking back over several administrations, you see the Department working very hard to update its policies and then having its implementation of those policies lag. And today we’re in a much better posture. Secretary Kerry has his emails automatically archived. We’re going to improve the way he is checked out of the building and the way the next secretary of state is checked in. I don’t think that there’s any finding in the report that Secretary Clinton – or Secretary Powell, for that matter – were not subject to the rules. It’s more of a function of the Department not doing a great job of ensuring that its rules were understood and that the tools were in place to comply with completely.

And then, of course, we have to emphasize – because it’s very important to us, receiving this report today – NARA and the OIG findings that we’ve mitigated the problems associated with Secretary Clinton’s emails is very important. It means that we’ve gone out, we’ve gotten them back, they’re part of our corporate record. They’re available for the public to review on the internet. We underwent a massive review and production process over the last 14 months or so to get those out. And so in May 2016, we’re feeling like we’re very much on the trajectory to improve going forward and have – and that we’ve addressed many of the problems that are identified in this report.

MODERATOR: Thank you, everyone, for joining us, and thanks to both of our senior State Department officials for speaking with you all today. That concludes our phone call, our – again, on background, and was embargoed until now. So everyone have a good afternoon. Thanks. Bye-bye.