New Homeland Security Records Reveal Top Officials Were Exempted from Strict Ban Placed on Web-Based Personal Email Accounts Despite Heightened Security Concerns
JUNE 16, 2016
Jeh Johnson granted special waiver on first day of official ban.
Practice Continued Even After Clinton Email Revelations.
(Washington, DC) – Judicial Watch today announced it obtained 693 pages of Department of Homeland Security records revealing that Secretary Jeh Johnson and 28 other agency officials used government computers to access personal web-based email accounts despite an agency-wide ban due to heightened security concerns. The documents also reveal that Homeland Security officials misled Rep. Scott Perry (R-PA) when Perry specifically asked whether personal accounts were being used for official government business.
The records were obtained in response to a February 2016 court order by the U.S. District Court for the District of Columbia following a Judicial Watch Freedom of Information Act (FOIA) lawsuit (Judicial Watch v. Department of Homeland Security (No. 1:15-cv-01772)).
The Judicial Watch lawsuit was filed in October 2015 after the Department of Homeland Security failed to comply with a July 2015 FOIA request seeking the following:
- All requests (in any form) submitted by senior DHS officials for waivers to use personal Web-based email accounts on government-owned computers.
- Copies of all waivers granted to senior DHS officials to use personal Web-based email accounts on government-owned computers.
Judicial Watch sought the documents following a Bloomberg News report revealing that 29 high-level Homeland Security officials, including Johnson, obtained exemptions from a February 2014 agency-wide ban on the use of web-based email systems due to increased security concerns. The waivers were granted despite security officials’ warning of the risks of malicious attacks and data exfiltration from webmail use.
Included among the records is a February 19, 2014 memorandum from security officials at the Department of Homeland Security strongly warning: “According to the Office of the Chief Information Officer, access to webmail using DHS networks is responsible for almost half of all attempts to compromise DHS network security.” The memo explains that webmail use resulted in 14 Trojan-Horse attacks in August 2013 and 25 attacks in December 2013 on Homeland Security computer networks.
As a result, in the same memo, Department of Homeland Security officials imposed a total ban on employee use of web-based email systems:
New restrictions are being implemented that will no longer allow employee access to personal webmail sites from government computers [Emphasis added]. This action is being taken to strengthen cybersecurity and enhance protection of the Department’s computer networks. Effective tonight, access to webmail sites like AOL, Hotmail, Comcast, Gmail, Yahoo, and other email services will be prohibited.
The records reveal that despite this strict prohibition, Johnson was given an exemption from the ban on the first day of its implementation simply because he liked to check his personal email from the office everyday. In an April 7, 2014 email, DHS Deputy Director for Scheduling and Protocol Mary Ellen Brown wrote to DHS Chief of Staff for the Under Secretary for Management Vincent Micone: “Hi Vince – I wanted to flag that S1 [Secretary Johnson] accesses his [redacted] account every day and I didn’t know if we could add his computer to the waiver list? Let us know at your convenience. Thanks! ME”
Micone responds several minutes later: “ME, This will be done… no problem. Thanks, Vince”
The documents also reveal that on April 29, 2014, Connie LaRossa, then- director of legislative affairs for Homeland Security, was granted a waiver to use her web-based email account for official government business. The justification LaRossa used for requesting access to Yahoo email was that some congressional staffers wanted to send her “political information” that they “do not want to transmit via government mail.”
Despite LaRossa’s waiver, in an April 7, 2014, seems to contradict answers prepared Rep. Scott Perry in response to his query about the use of personal email accounts for official business, Homeland Security explicitly denied it was being done. In one question, Rep. Perry asked: “Are DHS officials permitted to maintain private email accounts that are used to conduct official business? If so, who and under what circumstances?”
Homeland Security officially responded: “To date, no requests have been approved to use a private email account for official business.”
Others Homeland Security officials included among those receiving waivers permitting them to use personal, web-based email on government computers despite the official ban included:
ANMS2 [Alejandro N. Mayorkas, deputy secretary]
Bunnell, Stevan E. [general counsel]
Chavez, Richard [director of the Office of Operations Coordination]
Gottfried, Jordan [Chief of Staff]
JCJ [Jeh Charles Johnson, secretary of Homeland Security]
Kronisch, Matthew [associate general counsel (Intelligence)]
Marrone, Christian [chief of staff]
Meyer, Jonathan [deputy general counsel]
Rosen, Paul [deputy chief of staff]
Shahoulian, David [deputy general counsel]
Silvers, Robert [deputy chief of staff]
Taylor, Francis X [undersecretary for intelligence and analysis]
Veitch, Alenandra [acting deputy assistant secretary]
Waters, Erin [director of strategic communication]
The use of personal email accounts on Homeland Security computers continued for more than a year after the official ban was put in place in April 2014, until July 2015 – over four months after revelations about Hillary Clinton’s controversial email practices. In a July 20, 2015 email, Luke McCormack, then-Chief Information Officer of the Justice Department, ordered Jeanne Etzel, Executive Director of Homeland Security’s Next Generation Program, to “pull down” the personal “webmail” email accounts of the 29 Department of Homeland Security executives previously approved to use personal email accounts, except for that of Secretary Jeh Johnson [“S1”].
McCormack ordered this at the “DUSM’s direction.” (Deputy Undersecretary for Management, Charles Fulghum.) This order came the same day a Bloomberg story was published regarding Homeland Security officials’ “bending the rules” on personal email use on government computers. The next day, Secretary Johnson’s webmail access also was blocked.
“Jeh Johnson and top officials at Homeland Security put the nation’s security at risk by using personal email despite significant security issues,” said Judicial Watch President Tom Fitton. “And we know now security rules were bent and broken to allow many these top Homeland officials to use ‘personal’ emails to conduct government business. This new Obama administration email scandal is just getting started. If the waivers were appropriate, then they wouldn’t have been dropped like a hot potato as soon as they were discovered by the media.”