WASHINGTON — The names of CIA personnel could have been compromised not only by hackers who may have penetrated Hillary Clinton's private computer server or the State Department system, but also by the release itself of tens of thousands of her emails, security experts say.
Clinton, the presumptive Democratic presidential nominee, turned over to the State Department 55,000 emails from her private server that were sent or received when she was secretary of state. Some contained information that has since been deemed classified, and those were redacted for public release with notations for the reason of the censorship.
At least 47 of the emails contain the notation "B3 CIA PERS/ORG," which indicates the material referred to CIA personnel or matters related to the agency. And because both Clinton's server and the State Department systems were vulnerable to hacking, the perpetrators could have those original emails, and now the publicly released, redacted versions showing exactly which sections refer to CIA personnel.
"Start with the entirely plausible view that foreign intelligence services discovered and rifled Hillary Clinton's server," said Stewart Baker, a Washington lawyer who spent more than three years as an assistant secretary of the Homeland Security Department and is former legal counsel for the National Security Agency.
If so, those infiltrators would have copies of all her emails with the names not flagged as being linked to the agency.
In the process of publicly releasing the emails, however, classification experts seem to have inadvertently provided a key to anyone who has the originals. By redacting names associated with the CIA and using the "B3 CIA PERS/ORG" exemption as the reason, "Presto — the CIA names just fall off the page," Baker said.
The CIA declined to comment.
A U.S. official said the risk of the names of CIA personnel being revealed in this way is "theoretical and probably remains so at this time." The official, who did not have the authority to publicly address the matter, spoke on condition of anonymity and would not elaborate.
Steven Aftergood, who directs the Federation of American Scientists' Project on Government Secrecy, said even if any identities were revealed, they might be the names of analysts or midlevel administrators, not undercover operatives.
"I don't think there's any particular vulnerability here," Aftergood said.
Clinton has acknowledged that the email server, set up in the basement of her New York home, was a mistake. But she says she never sent or received anything that was marked classified at the time of transmission. Clinton, who was secretary of state from 2009 to 2013, insists the personal server she used was never actually breached.
The AP discovered last year that Clinton's private server was directly connected to the internet in ways that made it more vulnerable to hackers. A recent State Department inspector general's report indicated the server was temporarily unplugged by a Clinton aide at one point during attacks by hackers, but her campaign has said there's no evidence the server was hacked.
In each year from 2011 to 2014, the State Department's poor cybersecurity was identified by its inspector general as a "significant deficiency" that put the department's information at risk. Another State Department inspector general report revealed that hacking attempts forced Clinton off her private email at one point in 2011.
Then in 2014, the State Department's unclassified email system was breached by hackers with links to Russia. They stole an unspecified number of emails. The hack was so deep that State's email system had to be cut off from the internet while experts worked to eliminate the infestation.
Baker points out another instance where Clinton's server might have been hacked.
A March 2, 2009, email warned against State Department officials using Blackberries. Eric Boswell, assistant secretary of state, says the "vulnerabilities and risks associated with the use of Blackberries ... considerably outweigh their convenience."
Nine days later, another email states that Clinton approached Boswell and says she "gets" the risk. The email also said: "Her attention was drawn to the sentence that indicates we (the diplomatic security office officials) have intelligence concerning this vulnerability during her recent trip to Asia."
Clinton traveled to China, Indonesia, Japan and South Korea in February 2009.