As exemplified by the lede from this Wall Street Journal article on August 19, much of the national skews media have focused their questions on how much damage disclosures about the presumed compromise of Hillary Clinton’s private email server will do to her campaign for President in November 2016.

It’s a reasonable question that goes directly to the question of Clinton’s suitability to have access to national security information, a requirement to be President of the United States, but even that is one which should be further down on the list of more important questions.

In our opinion, the question that should be number one is, “Presuming that all of the emails processed through Secretary of State Hillary Clinton’s private email server are now in the hands of technically competent foreign intelligence services, how much damage has been done to the national security of the United States?”

Determinations of any criminal, professional, or political liability assignable to Clinton and others entrusted to properly protect national security and other sensitive information all hinge on a full and complete answer to that question.

When there appears to have been an unauthorized disclosure of national security information, the agency which originated the information and originally classified it (assuming it had been classified TOP SECRET, SECRET, or CONFIDENTIAL) will undertake a damage assessment.  Depending on a staggering range of factors which determine the disclosure’s harm to the national security, that assessment can and often will require the authorized recipients of the information to conduct similar and parallel assessments inside their own agencies or companies.

The damage assessment must necessarily begin with a determination of exactly what information was compromised.    The national security information classification system (see Executive Order 13526 of December 29, 2009)  prescribes how information will be classified and who has the authority to classify information.  It also prescribes (through administrative regulations) how that same information must be accounted for; secured during use, transmission, and storage; and disseminated to other authorized recipients.  One needs to accurately know what one had before one can determine what has been lost.

Generally, the damage assessment works backward from the recognition that unauthorized release or compromise has occurred.  That starting point, though, presumes that the loss of information event has been stopped and that it is known what information has been compromised.

For example, if a US embassy is overrun (e.g. AmEmb Tehran in November 1979), the various administrative records required to be kept by the agencies can identify what national security information could have been compromised.  By various means the damage assessment will determine what information was positively destroyed (e.g, papers incinerated beyond possible reconstruction versus papers merely shredded) and therefore likely not compromised.

Or if an individual with authorized placement and access to national security information (e.g., Robert Hanssen or Bradley/Chelsea Manning) is determined to have intentionally and without authorization released it to unauthorized recipients, the information which the individual released may be voluminous, but its limits can be defined.  This, of course, depends on the violator’s being available and willing to cooperate with those conducting the damage assessment.   But even without the violator’s cooperation, if the prescribed security processes for safeguarding national security information have been dutifully monitored and enforced, the violator’s actual access can still be determined.

But suppose an individual with authorized placement and access to national security information somehow intentionally bypasses a system’s safeguards and gains access to information to which he was not authorized.  Suppose further that unlike Hanssen and Manning, the offender is unwilling or unable to knowledgeably cooperate in the damage assessment.  And finally, suppose that the protective security processes were not consistently followed or enforced.  The case of Edward Snowden fits that description.  In that case, determining exactly what information was compromised is much more difficult, maybe impossible.

Based on the foregoing information, here are a few opinion-based observations about Hillary Clinton’s conduct :

1.  The Department of State is a member of the US Intelligence Community and is subject to all laws and regulations governing the handling, storage, and dissemination of national security information.

2.  As Secretary of State, Hillary Clinton was the head of an agency, the Department of State.  She had original classification authority under the provisions of Executive Order 13526 of December 29, 2009.  She was legally obligated and duty-bound to know, understand, and obey all of the regulations and laws which gave her the authority to classify, handle, store, and disseminate national security information.  She had the same obligations to see that her subordinates were properly trained and compliant.

3.  As President of the United States, President Barack Obama was legally obligated and duty-bound to ensure that his subordinate agency heads, including Secretary of State Hillary Clinton, complied with the provisions of Executive Order 13526 of December 29, 2009, as well as all other regulations and laws applicable to the the classification, handling, storage, and dissemination of national security information.

4.  No agency head, including the Secretary of State, has the authority to declassify or downgrade the classification of information classified by another agency without the consent of the original classifying authority.  For example, if the Department of State received classified geospatial information from the National Geospatial-Intelligence Agency, that classification could not have been removed or downgraded (or ignored!) by anyone at State Department without coordination with and the explicit approval of NGA.

5.  Merely removing the classification and handling markings on a document or portions of a document does not automatically downgrade or declassify that document or the portion excerpted.   Consequently, removing classification and control markings does not authorize handling, storage, and dissemination methods inconsistent with the original classification.

6.  If an agency such as State Department receives information classified by another agency (e.g., NGA, CIA, DoD, etc.), the receiving agency is forbidden to disclose that classified information to a third agency without the consent of the original classifying authority.  This is closely related to item 4 above.

7.  Most agencies in the US Intelligence Community have a rule or policy which dictates how fresh original information relating to our national security will be treated so that the information, its source(s), and the method(s) of its collection are handled, stored, and disseminated safely until its formal classification, if any, can be determined and approved by the original classifying authority.  Unless the circumstances clearly warrant a higher original classification, a designated supervisor is likely to provisionally classify the information CONFIDENTIAL, the lowest classification, until a final more appropriate classification determination can be made.

8.  Individual pieces of information that are legitimately unclassified (e.g., magazine or newspaper articles) can sometimes be legitimately classified and controlled when collated with other unclassified information, analyzed, and disseminated as finished intelligence.   In some instances this is done because the mere dissemination of the aggregated information by a particular agency may  reveal national intelligence acquisition requirements which are legitimately classified.  Thus, open-source intelligence (OSINT) can be classified.

Until the US Intelligence Community learns conclusively what information resided on or passed through Hillary Clinton’s private email server, accurately assessing how much her actions damaged the national security will be very difficult.  Adding to the complexity of the damage assessment is the uncertainty about who was able to remotely access the information on her private email server and when the accesses occurred.

Proven witting mishandling of national security information reflects on an applicant’s suitability for access to national security information.   While a single violation might not be sufficient to revoke or deny a security clearance, multiple violations are.

Based on her now-proven mishandling of national security information while she was Secretary of State and after, it is likely that if Hillary Clinton were to apply today for a job requiring a security clearance, competent background investigators and adjudicators would almost certainly conclude her previous conduct makes her an unsuitable applicant for any job requiring access to national security information.  They would likely recommend that her security clearance be denied.

Comments?