[ISN] White House use of outside e-mail raises red flags

From: InfoSec News (alerts@private)
Date: Thu Mar 29 2007 - 22:36:55 PST


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9015092

By Todd R. Weiss
March 29, 2007 
Computerworld

For official government business, staff members in the Bush White House 
use government-issued e-mail accounts where all communications are then 
stored, archived and preserved for eventual inclusion in the National 
Archives.

But for several years, some high-ranking Bush staff members have also 
apparently been using outside e-mail accounts for nongovernmental, 
political communications. Those accounts, through the Republican 
National Committee (RNC) and the 2004 Bush-Cheney re-election campaign, 
allowed the officials to keep up with both their official and political 
responsibilities while not violating the Hatch Act. That law forbids 
many government officials from engaging in political activities from 
their workplaces.

While the focus of those particular incidents is on the White House, the 
issue is one that should be getting close scrutiny from businesses 
across the nation, experts said.

The concern is that if company communications are being conducted 
outside official corporate e-mail systems, there's no way to control 
their security, preservation or use, something that can leave companies 
vulnerable to a wide variety of legal problems and regulatory compliance 
issues.

In the White House case this week, the House Committee on Oversight and 
Government Reform sent letters Monday to the chairmen of the RNC and the 
former Bush-Cheney 2004 campaign committee, asking them to explain more 
about the use of the outside e-mail accounts. In the letters, Oversight 
Committee Chairman Henry Waxman (D-Calif.) said his group wants to know 
what's been done to preserve the contents of the outside e-mail accounts 
used by government officials for possible review and to assure that "no 
e-mails involving official White House business have been destroyed or 
altered.

"Congressional investigations have revealed that White House officials 
have used nongovernmental e-mail accounts, including those maintained by 
the RNC, to conduct official White House business," the letters said. 
"The Committee has questions about who has access to these e-mail 
records and how the RNC protects them from destruction or tampering. The 
Committee also directs you to preserve all such records because of their 
potential relevance to congressional investigations. Such e-mails 
written in the conduct of White House business would appear to be 
govemmental records subject to preservation and eventual public 
disclosure."

The Oversight Committee first learned of the outside e-mail accounts 
during investigations of White House contacts with convicted lobbyist 
Jack Abramoff, which found "that many of the e-mail exchanges between 
Jack Abramoff and White House officials were conducted via 
nongovernmental e-mail accounts. In at least one [incoming message to 
Abramoff], the e-mails indicate that these nonofficial accounts were 
being used because 'to put this stuff in writing in their [White House] 
e-mail system might actually limit what they can do to help us.'"

Waxman today sent a similar letter to White House Counsel Fred Fielding 
(download PDF [1]), asking for "information and a briefing regarding the 
e-mail policies of the White House" next week.

White House records fall under the Presidential Records Act of 1978, 
which was established to govern and manage the collection and use of all 
presidential records.

White House spokesman David Almacy said the outside e-mail accounts were 
set up to allow legitimate political activities to be conducted by 
appropriate staff members without using White House accounts, which 
would be illegal under the Hatch Act. "It was specifically set up that 
way so that people weren't using their official accounts for political 
activities," he said. Only certain White House staff members have such 
outside accounts, including those who regularly communicate with outside 
political groups, he said.

The creation and use of the outside e-mail accounts has been reviewed by 
White House lawyers, he said.

Since 2004, e-mails to and from White House staff members sent through 
the RNC e-mail system are archived and saved, he said. White House staff 
members are not able to access other home or other personal e-mail 
accounts on their work-issued computers because access is blocked, he 
said. "The reason primarily is presidential records and security. We 
want to be able to control what people bring onto their [work] 
computers. From a presidential records perspective, this is something 
that we take very seriously," Almacy said.

The White House e-mail case should be a wake-up call for businesses that 
face similar situations, said John Alber, a technology lawyer at Bryan 
Cave LLP in St. Louis. The problem, he said, is that all business 
communications must be securely archived and stored in the event of 
lawsuits, government inquiries or other legal scenarios. When such 
records aren't tightly controlled, any large unsubstantiated gaps in the 
stored data can mean disaster in court, he said.

A major issue is that virtually every business is overwhelmed today by 
the volume of electronic records and communications, he said. His own 
law firm is experiencing 60% increases in e-mail storage requirements 
each year for its 800 attorneys and other staff members. "It is nowadays 
a de facto document repository," he said of the law firm's Microsoft 
Exchange server system. "It is often that [some legal documents] only 
exist in an e-mail repository right now in Exchange," which wasn't 
designed for the long-term storage and archiving of such documents.

"If companies aren't worried about this, they'd better get worried," 
Alber said. "It's truly important stuff. Everybody has this problem. 
It's simply because of the way we do business. Almost everybody's behind 
the curve."

Michele Lang, a staff attorney for legal discovery software vendor Kroll 
Ontrack Inc. in Eden Prairie, Minn., said "there are a whole bunch of 
lessons" for businesses to take away from the unfolding White House 
e-mail case.

"Corporate America is having this very same problem with employees using 
[free consumer e-mail accounts from] Google, Yahoo or Hotmail," Lang 
said. By doing so, those employees are often storing sensitive corporate 
information with free services that don't have the data security, 
compliance and archiving that companies should mandate, she said.

"That's a scary situation for corporate America. Definitely there are 
loads of landmines here for the government ... and for corporate America 
to navigate."

[1] http://oversight.house.gov/Documents/20070329130758-87640.pdf


_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org



This archive was generated by hypermail 2.1.3 : Thu Mar 29 2007 - 22:47:41 PST