Rabbit Hole News: State Dept’s Private Email Usage Policy, Plus Attn: State/OIG – Firecracker Coming Your Way

Posted: 01:47 EST

 

Shortly after the NYT broke the story about the former secretary of state’s exclusive used of a personal email account to conduct government business, we sent an inquiry to the State Department’s Office of Inspector General. We don’t know if they could comment about it but we wanted to ask anyway.  We’ve looked at the regs but the FAM is silent on the use of private email, or at least we thought it was. It almost seem as if the rule makers presumed that all employees will be using official email, thus, the rules only spell out the requirement for the preservation of records.

If Secretary Clinton was using a private email account and if her close advisers were also using private email accounts, we wanted to know how is this reconciled with the ability of individuals to FOIA government documents. We were also interested how this would keep other senior or even regular employees from using Yahoo or Gmail to conduct official business.

State/OIG’s response was, “we are not in a position to comment at this time.”

Actually, we asked the wrong questions.

In 2012, we blogged about the OIG inspection report of the U.S. Embassy in Kenya. (See State/OIG Releases Ambassador Scott Gration’s Embassy Report Card – And Look, No Redactions!). We mentioned in passing the ambassador’s use of commercial email for official government business. In light of these news reports that Secretary Clinton exclusively used nongovernment email during her four year tenure as secretary of state, the old 2012 report is getting some legs again.

 

.
Below is an excerpt from that 2012 report specifically addressing the ambassador’s use of commercial email for daily communication of official government business. The ambassador was also slammed for using “a government-owned laptop that is not physically or electronically connected to the Department’s OpenNet network.”  

Mission Leadership Challenge 

Very soon after the Ambassador’s arrival in May 2011, he broadcast his lack of confidence in the information management staff. Because the information management office could not change the Department’s policy for handling Sensitive But Unclassified material, he assumed charge of the mission’s information management operations. He ordered a commercial Internet connection installed in his embassy office bathroom so he could work there on a laptop not connected to the Department email system. He drafted and distributed a mission policy authorizing himself and other mission personnel to use commercial email for daily communication of official government business. During the inspection, the Ambassador continued to use commercial email for official government business. The Department email system provides automatic security, record-keeping, and backup functions as required. The Ambassador’s requirements for use of commercial email in the office and his flouting of direct instructions to adhere to Department policy have placed the information management staff in a conundrum: balancing the desire to be responsive to their mission leader and the need to adhere to Department regulations and government information security standards. The Ambassador compounded the problem on several occasions by publicly berating members of the staff, attacking them personally, loudly questioning their competence, and threatening career-ending disciplinary actions. These actions have sapped the resources and morale of a busy and understaffed information management staff as it supports the largest embassy in sub-Saharan Africa.

Authorized Automated Information Systems 

The Ambassador uses a government-owned laptop that is not physically or electronically connected to the Department’s OpenNet network. Authorized Department OpenNet email systems are available on the Ambassador’s office desktop. According to 12 FAM 544.3 and 11 State 73417 (from the Assistant Secretary for Diplomatic Security to the Ambassador), it is the Department’s general policy that normal day-to-day operations be conducted on an authorized information system, which has the proper level of security controls. The use of unauthorized information systems increases the risk for data loss, phishing, and spoofing of email accounts, as well as inadequate protections for personally identifiable information. The use of unauthorized information systems can also result in the loss of official public records as these systems do not have approved record preservation or backup functions. Conducting official business on non-Department automated information systems must be limited to only maintaining communications during emergencies.

Recommendation 57: Embassy Nairobi should cease using commercial email to process Department information and use authorized Department automated information systems for conducting official business. (Action: Embassy Nairobi)

Source:  Inspection of Embassy Nairobi, Kenya | Report Number ISP-I-12-38A, August 2012 | pdf

 

We should point out that the 2012 report was issued prior to the tenure of IG Steve Linick and Secretary Clinton tenure at the State Department ended in February 2013.  But with 2016 just around the corner, this email debacle will not die a quiet death.

The unclassified cable  STATE 065111 on securing email accounts sent to all overseas posts on June 28, 2011 only says “avoid conducting official Department business from your personal email accounts.”

See the magic word there? It did not say you can’t, only that you shouldn’t.

So for the second day in a row, the subject of the Clinton emails was featured in the Daily Press Briefing. The State Department’s deputy spox, Marie Harf was impressive when she said that “There was no prohibition” on the use of personal email.  She emphasized that “There was not then and there is not now a prohibition on using a personal email for official business, and at the time she was in office, there was no time requirement for when those needed to be preserved as records.”

Entertainment value? High.

In any case, the question that we probably should have asked the OIG is this — if an ambassador was “hammered” for his use of nongovernment, private email, can we presume that ordinary bureaucrats would get a similar treatment? And if this is so  — don’t we then have a set of rules that applied to everyone but the head of the agency?   We originally cited 5 FAM 440 (pdf) as the rules governing  Electronic Records, Facsimile Records, and Electronic Mail Records in the State Department.  But wait —  the 2012 OIG report on Kenya cited 12 FAM 544.3 Electronic Transmission Via the Internet (pdf), a section of the FAM that has been in the rules books since 2005. It says in part:

It is the Department’s general policy that normal day-to-day operations be conducted on an authorized AIS [automated information system], which has the proper level of security control to provide nonrepudiation, authentication and encryption, to ensure confidentiality, integrity, and availability of the resident information. The Department’s authorized telework solution(s) are designed in a manner that meet these requirements and are not considered end points outside of the Department’s management control.
[…]
c. Employees should be aware that transmissions from the Department’s OpenNet to and from non-U.S. Government Internet addresses, and other .gov or .mil addresses, unless specifically directed through an approved secure means, traverse the Internet unencrypted. Therefore, employees must be cognizant of the sensitivity of the information and mandated security controls, and evaluate the possible security risks and then decide whether a more secure means of transmission is warranted (i.e., secure fax, mail or network, etc.)

d. In the absence of a Department-provided secure method, employees with a valid business need may transmit SBU information over the Internet unencrypted after carefully considering that:

(1) SBU information within the category in 12 FAM 541b(7)(a) and (b) must never be sent unencrypted via the Internet;

(2) Unencrypted information transmitted via the Internet is susceptible to access by unauthorized personnel;

(3) Email transmissions via the Internet generally consist of multipoint communications that are routed to their destination through the path of least resistance, which may include multiple foreign and U.S. controlled Internet service providers (ISP);

(4) Once resident on an ISP server, the SBU information remains until it is overwritten;

(5) Unencrypted email transmissions are subject to a risk of compromise of information confidentiality or integrity;

(6) SBU information resident on personally owned computers connected to the Internet is generally more susceptible to cyber attacks and/or compromise than information on government owned computers connected to the Internet;

(7) The Internet is globally accessed (i.e., there are no physical or traditional territorial boundaries). Transmissions through foreign ISPs or servers can magnify these risks; and

(8) Current technology can target specific email addresses or suffixes and content of unencrypted messages.

 

General policies, of course, can have exceptions and if that’s what happened here, wouldn’t it be nice to know who were granted exceptions to use private email accounts besides the secretary of state and why? And did the Legal Advisor or somebody else signed off on those exceptions? Was the clintonemail.com server an authorized AIS [automated information system] of the State Department, and if so, who authorized it?

We cannot predict where this email controversy is going to end, but some Internet sleuth is digging up Dubai, Denmark, Luxembourg in what seems to be an already convoluted matter.  If you read the link below there is an interesting question whether the Clinton e-mail server was hosted for some period of time by an outside hosting firm.  If the hosting firm was based overseas, wouldn’t this be an added headache for cybersecurity and something the OIG’s new Office of Evaluations and Special Projects (ESP) might be interested in?

.

.

While the Inspector General of the State Department might not be in a position to comment about this issue publicly at this time, or might not want to wade into the rabbit hole with this political firecracker, it may not have much of a choice.  Even our apolitical neighbors were dismayed by this.  The perception that the rules may have been applied selectively, based on rank undermines the Service.  That in itself is an excellent excuse to review the entire practice and determine whether exceptions were made.  The Republican National Committee has reportedly already asked the Office of Inspector General to look into whether Clinton’s practices led her or the department to violate the Federal Records Act.

It’s only a matter of time before there is a formal congressional request. Heads up State/OIG, this firecracker is heading your way.

* * *

Related post:
So wait — Hillary Clinton never got a state.gov email? What does the FAM say?

Related items:

NARA Bulletin 2013-03 | Guidance for agency employees on the management of Federal records, including email accounts, and the protection of Federal records from unauthorized removal

State Department June 28, 2011 Unclassified Cable 065111 on Securing Email Accounts via (foxnews)

 

 

Ambassador Mark Lippert tweets, “doing well & in great spirits …”

Posted: 11:04 EST

 

 

More details from Reuters and Voice of America below:

  • Ambassador Lippert was attacked and  slashed in the face by a Korean nationalist at about 7:40 a.m. local time Thursday (2240 GMT Wednesday) at a forum hosted by the Korean Council for Reconciliation and Cooperation in Seoul.  The attack took place in a government arts centre across the street from the heavily guarded US embassy.
  • He was treated at Yonsei University’s Severance Hospital where he underwent a two and a half hour surgery that required 80 stitches.
  • A small fruit knife  was used in the attack.
  • The attack resulted on a gash on the ambassador’s face measuring 11 centimeters (4 inches) long and 3 centimeters (1 inch) deep, located from his right cheekbone to jaw on the right side of his face and a puncture wound on his left wrist, causing nerve damage that was repaired.  There was reportedly no major damage to his facial nerves or salivary glands. Reports say he will be hospitalised for three or four days.
  • The forum organizer denied that the alleged assailant was a member. “Kim was able to gain admittance by taking advantage of a bureaucratic oversight, saying he was from an old group that no longer exists but remains on the organization’s list.  He said it was an annual event and there had been no such incident like this in past, so they did not request extra police presence.” The assailant who was caught and identified also tried to attacked the Japanese ambassador to South Korea in 2010 by throwing a piece of concrete. He was reportedly given a suspended jail term for that incident.

 #

Related post:

U.S. Ambassador to South Korea Mark Lippert injured in attack by armed assailant (updated)

U.S. Embassy Caracas Issues Security Message on Recent Detention of Several U.S. Citizens in Venezuela

Posted: 00:53 EST

 

We saw this the other night:

 

On March 4, the US Embassy in Caracas issued the following security message on the recent detention of U.S. citizens in Venezuela:

The U.S. Embassy wishes to call to the attention of U.S. citizens traveling to or living in Venezuela the Government of Venezuela’s recent detention of several U.S. citizens in Venezuela. Under the Vienna Convention, if you are arrested overseas, you have the option to request that the police, prison officials, or other authorities alert the nearest U.S. embassy of your arrest and to have communications from you forwarded to the nearest U.S. embassy. In practice, the Venezuelan government frequently fails to notify the U.S. Embassy when U.S. citizens are arrested or detained, and/or delays or denies to U.S. detainees. Please ask friends or family to notify the U.S. Embassy immediately on your behalf should you be detained by government authorities.

This announcement is available on the U.S. embassy website, but is not/not available on the embassy’s Facebook or Twitter feed.  When we inquired from the embassy’s Public Affairs Office, we were told to direct our inquiry to the Consular Section. Like whaaat?

.

 

This can’t possibly be an easy time for what is already a challenging environment, so let that slide for now.  The American Citizen Service at Embassy Caracas did not respond to our inquiry.  A related note, the Diplomatic Security’s Crime and Safety report on Venezuela in 2014 says:

Harassment of U.S. citizens by airport authorities and some segments of the police are limited but do occur. Any incident should be reported to American Citizen Services (ACS) Unit at the U.S. Embassy. The ACS Unit can be reached by telephone at +58 (212) 907-8365 or by e-mail at ACSVenezuela@state.gov.

The recent detention of U.S. citizens in Venezuela is clearly an escalation beyond simple harassment.

The United States does not appear to have a bilateral agreement with Venezuela concerning mandatory notification when it comes to the arrest of U.S. nationals in Venezuela.

However, Venezuela is a party to the Vienna Convention on Consular Relations (VCCR), a multilateral treaty to which the United States and more than 170 other countries are party. This is the same treaty that President Maduro cited in announcing the reduction of U.S. Embassy staff in Caracas (see Venezuela: Nicolas Maduro’s Theory of Everything — Blame The Yanquis!).

Venezuela is also a party to Treaty of Peace, Friendship, Navigation and Commerce with the United States of America, Jan. 20, 1836, 12 Bevans 1038 (entered into force May 31, 1836), a bilateral agreement addressing consular issues with the U.S. since 1836 (see Consular Notification and Access-pdf).

Let’s stop here for a moment and look at Texas. As in Medellin v. Texas. The United States has been cited for failing to provide consular notification in cases brought by Paraguay in 1998, by Germany in 1999,and by Mexico in 2003 before the International Court of Justice.

State Department officials have travelled since 1997 but more extensively since 2003, throughout the United States to give classes and seminars about consular notification and access to federal, state, and local law enforcement, corrections and criminal justice officials.

The obligations of consular notification and access apply to U.S. citizens in foreign countries just as they apply to foreign nationals in the United States. The State Department’s guidance to the arrest of foreigners in the United States is to “treat a foreign national as you would want a U.S. citizen to be treated in a similar situation in a foreign country.”

Because when we don’t, it’s hard to make a  case that other countries should abide by their obligation for consular notification and access when U.S. citizens are arrested overseas.

And as if things are not strange enough in the U.S.-Venezuela relations, take this one:
.

.

 

Arms Traffickers Extradited for Conspiring to Kill U.S. Officials in Colombia and Providing Support to the FARC

Posted: 00:37 EST

 

The Justice Department announced on February 26, the extradition of Cristian Vintila, 44, Massimo Romagnoli, 43, and Virgil Flaviu Georgescu, 42, international arms traffickers charged with conspiring to sell large quantities of military-grade weaponry to the Fuerzas Armadas Revolucionarias de Colombia (the FARC) – a designated foreign terrorist organization – to be used to kill officers and employees of the United States in Colombia. Vintila, Georgescu, and Romagnoli, all of whom were arrested in December 2014, were extradited from Montenegro and were arraigned in front of U.S. District Court Judge Ronnie Abrams last week.

Assistant Attorney General for National Security John P. Carlin, U.S. Attorney Preet Bharara for the Southern District of New York and Administrator Michele Leonhart of the Drug Enforcement Administration (DEA) announced today the extradition of Cristian Vintila, 44, Massimo Romagnoli, 43, and Virgil Flaviu Georgescu, 42, international arms traffickers charged with conspiring to sell large quantities of military-grade weaponry to the Fuerzas Armadas Revolucionarias de Colombia (the FARC) – a designated foreign terrorist organization – to be used to kill officers and employees of the United States in Colombia. Vintila, Georgescu, and Romagnoli, all of whom were arrested in December 2014, were extradited from Montenegro yesterday and will be arraigned in front of U.S. District Court Judge Ronnie Abrams later today.

“As alleged, these three men were ready and willing merchants of death, poised to sell sophisticated weapons to a terrorist organization,” said U.S. Attorney Bharara.  “It is further alleged that they conspired to sell the weaponry with the understanding that it would be used to shoot down American aircraft and kill American officers.  We once again laud the efforts of the DEA to stem the flow of lethal weapons that could be aimed at U.S. officers and to deter weapons traffickers who mean harm to the United States.”

According to the Indictment, which was unsealed in December 2014:

Since at least May 2014, Vintila has been a Romania-based weapons trafficker, Romagnoli has been a Europe-based weapons trafficker, who is able to procure fraudulent end-user certificates (EUCs) for military-grade weaponry, and Georgescu has been a Romania-based weapons broker.  Between May and October 2014, Vintila, Romagnoli, and Georgescu conspired to sell an arsenal of weapons, including machine guns and anti-aircraft cannons, with the understanding that the weapons would go to the FARC to be used by FARC against the United States.  During a series of recorded telephone calls and in-person meetings, Vintila, Romagnoli and Georgescu agreed to sell the weapons to three confidential sources working with the DEA (the CSs), who represented that they were acquiring these weapons for the FARC.  Vintila, Romagnoli and Georgescu agreed to provide these weapons to the CSs with the specific understanding that the weapons would be used to kill officers and employees of the United States and, in particular, to shoot down American helicopters and airplanes.  Romagnoli further agreed to provide fraudulent EUCs in order to make the illegal sale of weapons look legitimate.

During their recorded meetings, Vintila and Romagnoli provided the CSs with catalogues of military-grade weapons they were prepared to provide the FARC.  Vintila gave the CSs a catalogue of weapons that included pistols, machine guns and other high-powered weaponry, and Romagnoli showed the CSs a catalogue that included automatic weapons and shoulder-fired rocket launchers.  Romagnoli additionally showed one of the CSs a sample fraudulent EUC.  Vintila, Romagnoli, and Georgescu also discussed the logistics of receiving payment for the weapons from the CSs and delivering the weapons to the FARC.

The indictment charges Vintila, Romagnoli, and Georgescu, with two separate terrorism offenses:

Count one charges all three defendants with conspiracy to kill U.S. officers or employees.  If convicted of count one, the defendants each face a maximum sentence of life in prison.  Count two charges all three defendants with conspiracy to provide material support or resources to a designated foreign terrorist organization, the FARC.  If convicted of count two, the defendants each face a maximum sentence of 15 years in prison.  The statutory maximum sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendants will be determined by the judge.

The allegations contained in the indictment are merely accusations, and the defendants are presumed innocent unless and until proven guilty.

Read the full announcement here.

 

 

U.S. Ambassador to South Korea Mark Lippert injured in attack by armed assailant (updated)

Posted: 15:18 EST
Updated: 17:40 EST

 

According to Yonhap, the U.S. Ambassador to Seoul Mark Lippert was injured today after a knife attack by an armed assailant.

Screen Shot 2015-03-04 at 6.04.51 PM

Via Twitter

.

.


Via
CNN:

U.S. Ambassador to South Korea Mark Lippert was attacked in Seoul, possibly by more than one person, according to U.S. government sources in the U.S. and South Korea.   Lippert was injured by a small razor blade, according to Seoul police. His injuries are not life threatening, according to Marie Harf, a State Department spokeswoman.  A U.S. embassy spokesperson said he is in stable condition.

“The President called U.S. Ambassador to the Republic of Korea, Mark Lippert, to tell him that he and his wife Robyn are in his thoughts and prayers, and to wish him the very best for a speedy recovery,” said Bernadette Meehan, National Security Council spokesperson.

Click here for an update  from CNN with additional details on the attack and the alleged perpetrator. The Associated Press also has an updated story here.

.

.

Sending our  get well wishes to  & , Sejun and !

Watch: Hillary Clinton talks use of email in 2011 TODAY interview

Posted: 08:22 PST

 
“I have a lot of security restraints on what I can and can’t do,” the then secretary of state tells Savannah Guthrie in an October 2011 interview.

 SOURCE: Today Show
03/04/2015   00:33

 

The following excerpted from the Daily Press Briefing of March 3, 2015:

 

QUESTION: Why is she using a personal account?

MS. HARF: Uh-huh. Well, let’s – I just have a couple points, sort of top lines, and then follow up with many questions, okay?

QUESTION: Okay.

MS. HARF: First, the notion that the Department didn’t have the content of these emails until she turned them over isn’t accurate. A vast majority of them were to or from State.gov addresses or to addressees. So they were obviously retained and captured in that moment. So that notion is just not accurate and I wanted to put that out there first.

A couple other points: There was no prohibition on using a non-State.gov account for official business as long as it’s preserved. So obviously, that’s an important piece of this. When in the process of updating our records management – this is something that’s sort of ongoing given technology and the changes – we reached out to all of the former secretaries of state to ask them to provide any records they had. Secretary Clinton sent back 55,000 pages of documents to the State Department very shortly after we sent the letter to her. She was the only former Secretary of State who sent documents back in to this request. These 55,000 pages covered her time, the breadth of her time at the State Department.

Secretary Kerry is the first Secretary of State to rely primarily on his State.gov account. So what Secretary Clinton did was by no means unusual. In fact, it had been the practice before Secretary Kerry. So certainly, I know there’s a lot of interest in this. I would also point out that the notion that she had this email account is certainly not news; it’s been reported on for more than two years at this point. So I was a little surprised – although maybe I shouldn’t have been – by some of the breathless reporting coming out last night, but I guess that’s the nature of where we are today.

QUESTION: Okay. So just to address one of the things you said. You said there was no prohibition on using —

MS. HARF: Correct.

 

Continue reading

Our American Ambassadors — Just Saying Hello Collection (Videos)

Posted: 00:50 EST

U.S. Ambassador to Moldova James Pettit

 

U.S. Ambassador to New Zealand and Samoa Mark Gilbert

 

U.S. Ambassador to India Richard Verma

 

Continue reading

Insider Quote: “It’s a good thing that I treated them well …”

Posted: 00:46 EST

 

“Oh, yes. I’ve been traveling. I went back to doing what I started out doing 35 years ago. I take courier trips. And the people that used to work for me I now work for them and it’s a good thing that I treated them well.”

– Richard E. Thompson
Diplomatic Courier
Interviewed by Raymond Ewing on April 16, 2001 for the ADST Oral History Project (pdf)

Former Iran Hostage John Limbert on Bibi’s Bizarre Piece of Diplomacy

Posted: 12:39 EST

 

In 1979, John Limbert was a new FSO posted to the U.S. Embassy in Tehran when it was overrun by Iranian students. He was one of the fifty-two U.S. personnel who spent 444 days as Iran hostages from 1979-81. Later in his career, he was appointed Ambassador to the Islamic Republic of Mauritania. He currently serves as Professor of International Affairs at the U.S. Naval Academy.  In yesterday’s issue of the Guardian, Ambassador Limbert writes that “there is a remarkable parallel between denunciations of Binyamin Netanyahu’s March 3 speech to Congress and of a possible nuclear agreement between Iran and the P5+1. Those who condemn the former haven’t heard it; and those who condemn the latter haven’t seen it.”  Excerpt:

[H]is words will not matter. What will matter is the obvious symbolism of his presence in a partisan and political event. Netanyahu will denounce Iran and its evil ways, but behind these denunciations his real target lies elsewhere. The speech will be a divisive event, in which, for his own reasons, Netanyahu has entered the American political arena and thrown in his lot with President Obama’s opponents. In this political mêlée, Iran becomes the means to weaken him.

Such a bizarre piece of diplomacy may play well with the far right in the United States and with Netanyahu’s own constituency in the coming Israeli elections. In the process he does not seem to care how many dishes he breaks or how much he damages Israel’s relations with the president of its most important ally.
[…]
If Netanyahu dislikes and distrusts the Islamic Republic, fair enough. In his negative views he has lots of company. But does Iran’s being difficult mean that there should be no deal to limit its nuclear program? Shouldn’t the P5+1 negotiate the best possible, but perhaps imperfect, agreement? In 1981, the Iranians and Americans reached a deal that brought me and 51 of my embassy colleagues home after 14 months’ captivity in Iran. The deal stuck, although the United States neither liked the Iranians, nor trusted them. At times it is necessary to talk to unattractive regimes and to negotiate agreements that deliver outcomes less than ideal. Rejecting a nuclear deal with Iran – before such a deal has been reached – will do nothing to bring about a better outcome.

Continue reading, Netanyahu’s supporters (and critics) don’t really care what he says to Congress.

 * * *

State/OIG Challenges: Access and OIG Network Vulnerabilities

Posted: 01:42 EST
Updated: 3/3/2015 @1051 PST

Update: In response to our inquiry, State/OIG informed us that the 128 debarment and suspension referrals it made to the State Department “were accepted by the Department and action was taken.” However, we were also informed that the OIG actually “made more referrals, but no action has been taken by the Department to date.”*

As to the issue of OIG’s IT independence and integrity, “a memorandums of understanding have been executed in which the Department has agreed to obtain prior approval from OIG before accessing its network. In addition, we are engaging a third party to explore options to enhance the independence of our network system.”**

 

* * *

Last week, the State Department Inspector General Steve Linick appeared before the Committee on Homeland Security and Government Affairs on the Senate panel’s hearing on improving the efficiency, effectiveness and independence of inspector generals.  State/OIG has oversight of an agency with more than 72,000 employees (includes locally employed staff) in over 280 overseas missions and domestic entities, the BBG and the U.S. Section of the International Boundary and Water Commission. These agencies’ total annual appropriated funding includes approximately $15 billion, nearly $7 billion in consular fees and other earned income, and full or partial oversight of an additional $17 billion in Department-managed foreign assistance.

Some highlights:

  • Although the Department has made improvements on overseas security, challenges remain. Through our inspection and audit work, OIG continues to find security deficiencies that put our people at risk. Those deficiencies include failing to observe set-back and perimeter requirements and to identify and neutralize weapons of opportunity. Our teams also uncover posts that use warehouse space and other sub-standard facilities for offices, another security deficiency. Our audit of the Local Guard Program found that firms providing security services for embassy compounds were not fully vetting local guards they hired abroad, placing at risk our posts and their personnel. In other audits, we found that the Bureau of Diplomatic Security (responsible for setting standards) and the Bureau of Overseas Buildings Operations (responsible for constructing facilities to meet those standards) often do not coordinate adequately to timely address important security needs.
  • We found that follow-through on long-term security program improvements involving physical security, training, and intelligence-sharing lacked sustained oversight by Department principals. Over time, the implementation of recommended improvements slows. The lack of follow-through explains, in part, why a number of Benghazi ARB recommendations mirror previous ARB recommendations.
  • The Department’s obligations in FY 2014 equaled approximately $9 billion in contractual services and $1.5 billion in grants, totaling approximately $10.5 billion. However, the Department faces challenges managing its contracts, grants, and cooperative agreements. These challenges have come to light repeatedly in OIG audits, inspections, and investigations over the years. […]In FY 2014, more than 50 percent of post or bureau inspections contained formal recommendations to strengthen controls and improve administration of grants.
  • OIG’s assessments of the Department’s cybersecurity programs have found recurring weaknesses and noncompliance with the Federal Information Security Management Act (FISMA) with respect to its unclassified systems.[…] Our work in the information security area is ongoing. Since my arrival, OIG has arranged for penetration testing of the Department’s unclassified networks in order to better assess their vulnerability to attack.

What’s happening in FY2015? The following were specifically identified in IG Linick’s testimony (pdf):

  • Planned FY 2015 security audits include an audit of the approval and certification process used to determine employment suitability for locally employed staff and contracted employees, an audit of emergency action plans for U.S. Missions in the Sahel region of Africa, and an audit of the Vital Presence Validation Process (VP2) implementation. VP2 is the Department’s formal process for assessing the costs and benefits of maintaining its presence in dangerous locations around the world. Note: The VP2 is a result of the tragedy in Benghazi.
  • The DS/International Programs Directorate of the Bureau of Diplomatic Security is up for inspection. Note: This is  one of the main bureaus in aftermath of the Benghazi attack that came under congressional scrutiny. Charlene Lamb has now been succeeded by Christian J. Schurman who was named Deputy Assistant Secretary of State and Assistant Director for International Programs on September 15, 2014. DAS Schurman is a Diplomatic Security (DS) Special Agent with 27 years of service who was recently promoted to the rank of Minister Counselor in April 2014.
  • In FY 2015, OIG plans on issuing, among others, audits involving non-lethal aid and humanitarian assistance in response to the Syrian crisis, the Iraq Medical Services Contract, and the Bureau of International Narcotics and Law Enforcement’s Embassy Air Wing Contract in Iraq.
  • ESP is conducting a joint review with the Department of Justice’s OIG of the handling of the use of lethal force during a counternarcotics operation in Honduras in 2012.

 

IG Linick also highlighted new OIG initiatives to enhance the effectiveness and efficiency of OIG’s independent oversight of the Department’s programs and operations including:

  • the issuance of issue Management Alerts and Management Assistance Reports
  • the creation of the Office of Evaluations and Special Projects (ESP), and using ESP to improve OIG’s capabilities to meet statutory requirements of the Whistleblower Protection Enhancement Act of 2012
  • new oversight of overseas contingency operations specifically for Operation Inherent Resolve (OIR)—the U.S.-led overseas contingency operation directed against the Islamic State of Iraq and the Levant (ISIL),
  • data and technology enhancements
  • suspension and debarment:  between 2011 and 2014, OIG referred 128 cases to the Department for action *
  • new offices in Charleston, South Carolina, where one of the Department’s Global Financial Services Center resides, and in Frankfurt, Germany, the site of one of the Department’s Regional Procurement Support Office.
  • co-locating an OIG attorney-investigator as a full-time Special Assistant U.S. Attorneys (SAUSAs) in the U.S. Attorney Office for the Eastern District of Virginia in order to prosecute more quickly and effectively cases involving fraud against the Department of State

 

This hearing followed a well -publicized accessibility issues the Peace Corps and EPA OIG had with their own agencies. In his prepared testimony, IG Linick stated that “unfettered and complete access to information is the linchpin that ensures independence and objectivity for the entire OIG community.

He was careful to note “the importance of forging productive relationships with Department leadership and decision-makers” and cited the Department notice issued by Secretary Kerry at the start of his tenure over a year ago “outlining OIG authorities and obligations under the IG Act and advising staff of our need for prompt access to all records and employees.”  He then shared with Congress the OIG’s two main challenges:

  • Access: Generally, most of our work is conducted with the Department’s full cooperation and with timely production of material. However, there have been occasions when the Department has imposed burdensome administrative conditions on our ability to access documents and employees. At other times, Department officials have initially denied access on the mistaken assumption that OIG was not entitled to confidential agency documents. In these instances, OIG ultimately was able to secure compliance but only after delays and sometimes with appeals to senior leadership. These impediments have at times adversely affected the timeliness of our oversight work, resulting in increased costs for taxpayers.Delays in responding to document requests also occur because the requested information has not been maintained at all or in a manner to allow timely retrieval. Such disorganization of information may negatively impact not only OIG audits, inspections, evaluations, and investigations but also the integrity of Department programs and operations. For example, an OIG Management Alert identified missing or incomplete files for contracts and grants with a combined value of $6 billion.
  • OIG Network Vulnerabilities:  Vulnerabilities in the Department’s unclassified network also affect OIG’s IT infrastructure, which is part of the same network. We noted in our November 2013 information security Management Alert that there are literally thousands of administrators who have access to Department databases. That access runs freely to OIG’s IT infrastructure and creates risk to OIG operations. Indeed, a large number of Department administrators have the ability to read, modify, or delete any information on OIG’s network including sensitive investigative information and email traffic, without OIG’s knowledge. OIG has no evidence that administrators have actually compromised OIG’s network. However, the fact that the contents of our unclassified network may easily be accessed and potentially compromised unnecessarily places our independence at risk. We have begun assessing the best course of action to address these vulnerabilities. **

* * *