Newly released documents are raising more questions about whether the State Department IT specialist who managed Hillary Clinton’s private email system was qualified for the job.
Bryan Pagliano’s resume, which the State Department recently turned over to Judicial Watch, shows he had neither experience nor certification in protecting email systems against cyber security threats.
The IT director on Clinton’s 2008 campaign, Pagliano was hired as a Schedule C employee by the State Department in May 2009, much to the confusion of the agency’s career IT officials, who had never had a political appointee work in their shop.
His first job, which was set at the GS-15 pay grade, was that of information technology specialist. His official job duties are still unknown, but while he performed them he was also in charge of managing Clinton’s email system.
His resume shows he had only basic computer networking certifications, and none that would have provided the foundation for protecting a sensitive email system like Clinton’s. In addition to certifications in MSCE NT and 2000, CCNA, A+, and CCA, Pagliano had a political science degree from Emory University.
Questions have swirled around the security of Clinton’s email system, which utilized her personal non-government BlackBerry and the server, which was kept at her house in New York. The Democratic presidential front-runner has insisted that there is no evidence that the server was hacked, and the FBI has reportedly not found evidence of a hack. But experts have said it is possible that Clinton’s system was infiltrated in other ways besides a traditional hack or by sophisticated foreign government operatives who could cover their tracks.
The Romanian hacker Guccifer recently claimed that he infiltrated Clinton’s server after breaking into her friend Sidney Blumenthal’s AOL account in 2013. The claim has not been corroborated and Climton’s campaign has denied it.
Pagliano’s hire, despite his thin resume, “demonstrates his political connections more than qualifications that folks would typically want for a sensitive position like that,” Judicial Watch president Tom Fitton told The Daily Caller.
The CEO of one security consulting firm that handles all manner of security threats for the federal governments, private companies and heads of state concurs.
“While Pagliano does, in fact, have some IT experience, it’s a far cry from anything near qualifying for a position of that level of responsibility,” Global Executive Management CEO Jamie Williamson told TheDC.
“His resume is sparse for actual qualifying work experience and, it appears, that working for the Clinton campaign is probably the sole qualification.”
Emails recently obtained by Judicial Watch show that Pagliano was hired after Laura Pena, a longtime Clinton associate who worked at State’s Office of White House Liaison, asked a top State Department official, Patrick Kennedy, to find a spot for him in the agency’s IT department.
Kennedy complied and passed the resume on to chief information officer Susan Swart and her deputy, Charlie Wisecarver.
Other emails show that the pair were confused about the request to find a spot for a political hire.
“Of course, Kennedy and other Clinton subordinates, being the astute individuals they are, and knowing where their bread is buttered, would enthusiastically back her choice for hire even if Pagliano had only been the Good Humor ice cream man,” Williamson said of the peculiar request to hire Pagliano.
The system that Pagliano set up for Clinton was not sophisticated. It also lacked basic protections, at least for a portion of Clinton’s tenure.
The Washington Post provided details of the system in a report earlier this year showing that the setup was relatively primitive.
The server was nothing remarkable, the kind of system often used by small businesses, according to people familiar with its configuration at the end of her tenure. It consisted of two off-the-shelf server computers. Both were equipped with antivirus software. They were linked by cable to a local Internet service provider. A firewall was used as protection against hackers.
The system also had virtually no protection in the first few months of operation. An analysis conducted by the cyber security firm Venafi Inc. found that it was without standard encryption during its first two months of existence.
“It is unknown whether the system had some other way to encrypt the email traffic at the time. Without encryption – a process that scrambles communication for anyone without the correct key – email, attachments and passwords are transmitted in plain text,” The Post reported.
The system was also accessible via a login page on the World Wide Web, a configuration that added additional vulnerability.
Managing and protecting the system would have required monitoring from a full staff of qualified, full-time computer security specialists, a trainer at the one of the world’s premier cyber security training firms told The Post.
“For data of the sensitivity…we would need at a minimum a small team to do monitoring and hardening,” said Jason Fossen, a cyber security specialist with the SANS Institute.
Notably, Pagliano’s resume shows no indication that he received SANS certification in information security.
His training after taking the job at the State Department also appears to be devoid of any in-depth information security or cyber security courses.
A copy of Pagliano’s State Department employee profile obtained by The Daily Caller through a Freedom of Information Act lawsuit (which is being handled by the watchdog group Cause of Action) shows that he received some in-service training which was geared more to managerial aspects of IT rather than technical areas.
His first training session was an “Ethics Orientation for New Employees” course which he took just after starting his job.
In July 2009, Pagliano took a course entitled “How to be a Contracting Office.” Two months later he sat for sessions entitled “Managing State Projects” and “Information Assurance.”
Pagliano’s superiors in the IT department have said they were not aware that he was moonlighting as Clinton’s private email system administrator. But officials at State reportedly found out about the arrangement in 2011.
In that same year, Pagliano attended a “Protecting Personally Identifiable Information” training session.
Pagliano did not return requests for comment.
