Pentagon Chief Didn't Violate Governmentwide Ban on Using Personal Email for Business

Pentagon Secretary Ash Carter acknowledged erring when he used a personal email account for official business, but he did not violate a governmentwide ban on sending work messages through personal accounts.

That is because there is no governmentwide prohibition against using personal email to conduct official business. And the only limitation when talking shop in personal email has nothing to do with security but with preserving potential records.

Using personal email while carrying out government business is an issue that’s come up repeatedly in recent months.

In March, it was revealed that a homemade personal account transmitted and stored the communications of presidential contender Hillary Clinton when she was secretary of state.

In July, Homeland Security Secretary Jeh Johnson admitted checking his personal Gmail account through his work computer. According to security consultants, that could have introduced vulnerabilities into the DHS network.

In October, hackers reportedly broke into CIA Director John Brennan's AOL account and leaked government-related unclassified documents -- although these dated from 2007 and 2008 when he served as a campaign adviser and transition team member for future President Barack Obama.

The restriction on using personal email relates to personal accountability, not information integrity.

"There is no ban on using non-official accounts provided copies of all email records are captured in agency recordkeeping systems within 20 days," National Archives and Records Administration spokeswoman Laura Diachenko told Nextgov on Oct. 22.

Nextgov had reached out to the National Archives when the details about the the Brennan hack were still murky. A White House Office of Management and Budget official deferred to the National Archives for information about the governmentwide policy on personal email use.

For his part, Carter reportedly continued relying on his personal account, which broke departmental rules, for at least two months after the public learned of Clinton's household email system.

A Pentagon spokeswoman referred Nextgov to page 32 of DoD Instruction 8550.01 for information on the Office of the Secretary of Defense policy on using personal email for work. Carter apparently ran afoul of the requirements, which state, "barring absence of official communication channels, personal accounts shall not be used to conduct official DoD communication."

The New York Times on Wednesday first reported Carter's personal email gaffe, after independently obtaining copies of his messages through the Freedom of Information Act.

In response, Carter told reporters on Thursday that he takes responsibility for the "mistake" and acknowledged the potential security risks.

"Particularly someone in my position and the sensitivities about the position should have known better,” he said. “And there were plenty of people during the time that you're taking office and so forth who explain to you what the rules are about e-mail. It's not like I didn't have the opportunity to understand what the right thing to do is. I didn't do the right thing. This is entirely on me."

But remember, official communications channels at the departments of Defense, Homeland Security and State are not the safest systems either.

At the Pentagon, a targeted email attack infected an unclassified Joint Staff network in July, Cyber Command head Adm. Mike Rogers said at an invitation-only Wilson Center event in September.

Within the past year, hackers entered State systems multiple times and might have accessed sensitive files, according to a Sept. 30 department inspector general assessment. In 2014, intruders, believed to be working for the Russian government, were active in State's unclassified email system for months, as reported at the time.

A Sept. 4 DHS inspector general memo found internal websites used by the Secret Service and Immigration and Customs Enforcement for sharing investigation files contained numerous potential doorways for hackers.

Carter, to his credit, did save his personal emails, which were related to unclassified routine administrative issues, according to Pentagon officials.

Carter is "confident" the work-related email "has been and will continue to be preserved within the federal records system," Carter spokesman Peter Cook said in a statement on Thursday.

But can anybody be confident those messages were secure?