Spying Case Against Robin Raphel Fizzles; AG Lynch’s “Houston, We Have a Problem” Moment

Posted: 2:05 am EDT


We blogged about the Robin Raphel case in September (see The Murky Robin Raphel Case 10 Months On, Remains Murky … Why?).

In November 2014, we also blogged this: Robin Raphel, Presumption of Innocence and Tin Can Phones for Pak Officials.

On October 10, the NYTimes reported that officials apparently now say that the spying investigation has all but fizzled. This leaves the Justice Department to decide whether to prosecute Ms. Raphel for the far less serious charge of keeping classified information in her home.

The fallout from the investigation has in the meantime seriously damaged Ms. Raphel’s reputation, built over decades in some of the world’s most volatile countries.

If the Justice Department declines to file spying charges, as several officials said they expected, it will be the latest example of American law enforcement agencies bringing an espionage investigation into the public eye, only to see it dissipate under further scrutiny. Last month, the Justice Department dropped charges against a Temple University physicist who had been accused of sharing sensitive information with China. In May, prosecutors dropped all charges against a government hydrologist who had been under investigation for espionage.
Some American investigators remain suspicious of Ms. Raphel and are loath to abandon the case entirely. Even if the government cannot mount a case for outright spying, they are pushing for a felony charge related to the classified information in her home.







In the case of Xiaoxing Xi, the Temple University professor and head of the school’s physics department, federal authorities handling the case were said to have misunderstood key parts of the science behind the professor’s work. Mr. Xi’s lawyer said, “We found what appeared to be some fundamental mistakes and misunderstandings about the science and technology involved here.” The federal officials handling the Xi case did not know the science but went ahead and indicted him anyway.

Are we going to hear soon that the federal officials handling the Raphel case also made some fundamental mistakes and misunderstood the diplomatic tradecraft? At least two of these officials leaked the probe to the news media even though no charges were filed against Ambassador Raphel.

This was not a harmless leak. She lost her security clearance and her job at the State Department without ever being charged with any crime. And in the court of social media, just the news that she is reportedly the subject of a spying investigation is enough to get her attacked and pilloried for treason. Perhaps the most disturbing part of the report is that the authorities appear to have no case against her for spying, so now they’re considering slapping her with a felony charge under the Espionage Act.

Now, why would they do that?

Perhaps to save face and never have to admit that federal authorities made a mistake or lack an understanding of international statecraft? They could say: see, we got something out of a year’s worth of investigation, so it was not completely useless.

Or perhaps because American investigators still viewed Ambassador Raphel’s relationships with deep suspicion?

Because, obviously, “deep suspicion” is now the bar for an espionage charge?

We should note that the hydrologist, Sherry Chen, was cleared of spying charges but was notified in September that she will be fired by the National Weather Service for many of the same reasons the USG originally prosecuted her. Xiaoxing Xi of Temple University had been charged with “four counts of wire fraud in the case involving the development of a pocket heater for magnesium diboride thin films.” The USG asked to dismiss the case without prejudice, meaning it could be revived, according to philly.com.

Unlike the Chen and Xi cases, Raphel was never charged and was not afforded the right to defend herself in a court of law. What we have in one case may have been a misunderstanding; a second case may well have been a mistake; but a third case is certainly a trend.

This is AG Loretta Lynch’s “Houston, we have a problem” moment.


Was the Consular Consolidated Database (CCD) the main target of the twin hackers?

Posted: 1:27 am EDT


In May 2015, a federal grand jury indicted twin brothers Muneeb and Sohaib Akhter, 23, of Springfield, Virginia, on charges of aggravated identity theft, conspiracy to commit wire fraud, conspiracy to access a protected computer without authorization, access of a protected computer without authorization, conspiracy to access a government computer without authorization, false statements, and obstruction of justice.  According to USDOJ, the brothers and coconspirators also devised a scheme to hack into computer systems at the U.S.  Department of State to access network traffic and to obtain passport information.  (See Twin Brothers and Co-Conspirators on Alleged Scheme to Hack State Dept to Obtain Passport Information).

The brothers pleaded guilty on June 26, 2015. On October 2, the USDOJ announced that Muneeb Akhter was sentenced for accessing a protected computer without authorization, making a false statement and obstructing justice. Muneeb Akhter was sentenced to 39 months in prison and Sohaib Akhter was sentenced to 24 months in prison. Each man was also sentenced to three years of supervised release. Case title: USA v. Akhter et al. Below is an excerpt from the announcement:

[T]he Akhter brothers and co-conspirators engaged in a series of computer intrusions and attempted computer intrusions against the U.S. Department of State to obtain sensitive passport and visa information and other related and valuable information about State Department computer systems.  In or around February 2015, Sohaib Akhter used his contract position at the State Department to access sensitive computer systems containing personally identifiable information belonging to dozens of co-workers, acquaintances, a former employer and a federal law enforcement agent investigating his crimes.

Sohaib Akhter later devised a scheme to ensure that he could maintain perpetual access to desired State Department systems.  Sohaib Akhter, with the help of Muneeb Akhter and co-conspirators, attempted to secretly install an electronic collection device inside a State Department building.  Once installed, the device could have enabled Sohaib Akhter and co-conspirators to remotely access and collect data from State Department computer systems.  Sohaib Akhter was forced to abandon the plan during its execution when he broke the device while attempting to install it behind a wall at a State Department facility in Washington, D.C.

Furthermore, beginning in or about November 2013, Muneeb Akhter was performing contract work for a private data aggregation company located in Rockville, Maryland.  He hacked into the company’s database of federal contract information so that he and his brother could use the information to tailor successful bids to win contracts and clients for their own technology company.  Muneeb Akhter also inserted codes onto the victim company’s servers that caused them to vote for Akhter in an online contest and send more than 10,000 mass emails to students at George Mason University, also for the purpose of garnering contest votes.

In or about October 2014, Muneeb Akhter lied about his hacking activities and employment history on a government background investigation form while successfully obtaining a position with a defense contractor.  Furthermore, in or about March 2015, after his arrest and release pending trial, Muneeb Akhter obstructed justice by endeavoring to isolate a key co-conspirator from law enforcement officers investigating the conspirators’ crimes.  Among other acts, Muneeb Akhter drove the co-conspirator to the airport and purchased a boarding pass, which the co-conspirator used to travel out of the country to the Republic of Malta.  When the co-conspirator returned to the United States, Muneeb Akhter continued to encourage the co-conspirator to avoid law enforcement agents.

One of the brothers was profiled by WaPo in 2014. Both brothers started college at 16 and they were George Mason’s youngest graduates in 2011. In 2012, the brothers received a $200,000 grant from the Defense Advanced Research Projects Agency, or DARPA.

The details of this case are even more disturbing. The following is from Count Eight (Conspiracy to Access a Government Computer without Authorization):

60. The Bureau of Consular Affairs (hereinafter “Bureau”) is a division of the State Department, which administers laws, formulates regulations, and implements policies relating to consular services and immigration. It has physical offices in Washington, DC.

61. Passport Lockbox (hereinafter “Lockbox”) is a Bureau program that performs payment processing, scanning of applications, and initial data entry for U.S. passport applications. Lockbox has a computer database containing imaged passport applications associated with real individuals. The imaged passport applications in Lockbox’s database contain, among other things, a photograph of the passport applicant, as well as certain personal information including the applicant’s full name, date and place of birth, current address, telephone numbers, parent information, spouse’s name, and emergency contact information.

62. ActioNet, Inc. (hereinafter “ActioNet”) is a contractor that provided information technology support to the State Department. It has physical offices in Falls Church, Virginia, located in the Eastern District of Virginia.

63. From in or about October 2014 to in or about February 2015, SOHAIB AKHTER was a contract employee at ActioNet assigned to a position at the State Department as a Tier II Application Support Resource in the Data Engineering and Data Management Program within the Bureau.

64. Prior to accessing the Lockbox database, and throughout his tenure as a contractor with the State Department, SOHAIB AKHTER was made aware of and indicated he understood: (a) the confidential nature of the Lockbox database and the confidential personal data contained therein; (b) the information contained in the passport records maintained by the State Department pursuant to Lockbox is protected from unauthorized disclosure by the Privacy Act of 1974, 5 U.S.C. § 552a; and (c) passport applications maintained by the State Department in the Lockbox database should be accessed only in connection with an employee’s official government duties and not the employee’s interest or curiosity.

69. MUNEEB AKHTER and SOHAIB AKHTER, UCC-1, and other coconspirators known and unknown to the Grand Jury, engaged in a series of computer intrusions and attempted computer intrusions against the State Department to obtain sensitive passport and visa information and other related and valuable information about State Department computer systems.

70. SOHAIB AKHTER used his contract position at the State Department to search for and access sensitive passport information belonging to coworkers, acquaintances, a former employer, and federal agents investigating him for crimes alleged in this Indictment. After accessing sensitive passport information from State Department computers, SOHAIB AKHTER copied, saved, and shared this information with coconspirators.

71. SOHAIB AKHTER also attempted to use his access to State Department computer systems to create an unauthorized account that would enable him to access State Department computer systems undetected. SOHAIB AKHTER surreptitiously installed malicious programs onto State Department computer systems in order to execute his plan to create the backdoor login account.

72. SOHAIB AKHTER orchestrated a scheme to secretly install a physical device at a State Department building known as SA-17. Once installed, the device would enable SOHAIB AKHTER and coconspirators to collect data from and remotely access State Department computer systems.

73. SOHAIB AKHTER led the conspiracy, organized the intrusion to install the physical device, recruited coconspirators to assist in execution of the intrusion, and managed the execution of the intrusion.

74. MUNEEB AKHTER provided technical assistance to SOHAIB AKHTER for the unauthorized access. MUNEEB AKHTER programmed the physical device, known as a “gumstix,” so that it would collect data from State Department computers and transmit it wirelessly to computers controlled by MUNEEB AKHTER and SOHAIB AKHTER and coconspirators.

75. On the day the scheme was executed, UCC-1 transported materials, including the gumstix, from MUNEEB AKHTER, located at the AKHTER residence, to SOHAIB AKHTER, located at SA-17.

78. In or about October 2014, SOHAIB AKHTER was hired by ActioNet to perform contract work for the State Department at both ActioNet offices in Falls Church, Virginia, and Bureau offices in Washington, DC.

79. Beginning on or about February 12, 2015, and continuing thereafter until on or about February 19, 2015, in Falls Church, Virginia, in the Eastern District of Virginia, and elsewhere, SOHAIB AKHTER, while employed at ActioNet, accessed the Lockbox database without authorization.

80. Between on or about February 12, 2015, and on or about February 19, 2015, SOHAIB AKHTER conducted approximately 119 searches for U.S. passport records using the Passport Lockbox Lookup report. He accessed personal passport information for approximately 62 different individuals, including: G.R., a DHS special agent investigating the crimes alleged in this Indictment; UCC-1; A.I.; A.M., the CEO of Victim Company 2; and himself. In addition, SOHAIB AKHTER attempted to access passport information for S.T., a DHS special agent investigating the crimes alleged in this Indictment.

82. In or about February 2015, SOHAIB AKHTER viewed and copied from State Department computer systems the personal passport information associated with several individuals, including DHS Special Agent G.R.

83. In or about March 2015, MUNEEB AKHTER told UCC-1 that he and SOHAIB AKHTER stored the personal passport information that SOHAIB AKHTER removed from State Department systems on an external hard drive. MUNEEB AKHTER told UCC-1 that Special Agent G.R.’s information would be valuable to criminals on the “dark net” and that he was considering selling the information.

84. In or about February 2015, SOHAIB AKHTER downloaded several programs to a State Department computer. These programs included malicious software, or malware, which SOHAIB AKHTER hoped would enable him to access State Department computers remotely.

85. In or about February 2015, SOHAIB AKHTER told UCC-1 that if he was able to gain remote access to State Department computer systems, he could: access information on individuals’ passport applications; access and unilaterally approve visa applications without State Department authorization in exchange for payment; and create passports and visas and sell them on the “dark net.”

86. On or about February 15, 2015, SOHAIB AKHTER called UCC-1 and asked him to buy a drill. UCC-1 purchased the drill and then, pursuant to SOHAIB AKHTER’s request, drove to the AKHTER residence to pick up additional items from MUNEEB AKHTER. At the AKHTER residence, in Springfield, Virginia, in the Eastern District of Virginia, MUNEEB AKHTER told UCC-1 that he was programming a SD card, which was later to be inserted into the gumstix. MUNEEB AKHTER gave UCC-1 a bag containing a screwdriver, tape, glue, and the gumstix. Pursuant to SOHAIB AKHTER’s request, UCC-1 drove to SA-17, in Washington, DC, and delivered the bag and items to SOHAIB AKHTER outside SA-17. Later that day, MUNEEB AKHTER drove separately to Washington, DC, and delivered the SD card to SOHAIB AKHTER.

87. On or about the evening of February 15, 2015, SOHAIB AKHTER called MUNEEB AKHTER and told him that he attempted to install the gumstix behind a wall inside SA-17 but was ultimately unsuccessful.

88. On or about February 19, 2015, SOHAIB AKHTER sent an email from his State Department email account to the email address akhters3@vcu.edu containing lines of code and headers for State Department servers.


Reading this, we’re not sure whether the intrusion was on the State Department’s Travel Document Issuance System (TDIS), which includes information from U.S. citizens and nationals applying for passports, other Department of State computer systems, passport acceptance agents, the Social Security Administration, the lockbox provider (CITIBANK), passport specialists, and fraud prevention managers; or on the Passport Information Electronic Records System (PIERS); or, wait … the mother lode, the Consular Consolidated Database (CCD). The Passport Lockbox program cited in the indictment is vague; it’s not a system of record according to the State Department’s System of Records Notices. But the indictment identifies it as a State Department database. Could this be in reference to the Citibank® Lockbox Services? That is a high-speed processing environment and image-based platform for receivables management, advanced reporting and image inquiry used by the State Department to enable the scanning of applications, extraction of applicant photos received at lockbox locations and storing and batching of images.

Note that #69 of the indictment also alleges “a series of computer intrusions and attempted computer intrusions against the State Department to obtain sensitive passport and visa information;” does that mean the targeted system was the CCD?  The CCD provides access to passport data in Travel Document Issuance System (TDIS), Passport Lookout Tracking System (PLOTS), and Passport Information Electronic Records System (PIERS).  As of December 2009, the CCD also contains over 100 million visa cases and 75 million photographs, utilizing billions of rows of data, and has a current growth rate of approximately 35 thousand visa cases every day.

By the way, one of the brothers was a contract employee assigned to a position at the State Department as a Tier II Application Support Resource in the Data Engineering and Data Management Program within the CA Bureau from October 2014 to in or about February 2015 (#63).  In November 2014, the State Department suffered some “technical difficulties.” See State Dept Re-attached to the Internet, and About Those “Unrelated” Embassy Outages; State Department’s “Technical Difficulties” Continue Worldwide, So What About the CCD?

Was it just a coincidence that a master of the universe hacker was working at the State Department at the time when the agency’s systems were having technical difficulties?

Or were the Akhter twins the “technical difficulties”?





When the Boss Is Last to Know: Chaffetz Snoops at the Secret Service

Posted: 1:06 pm EDT


The Department of Homeland Security Inspector General has completed its independent investigation into allegations that one or more Secret Service agents improperly accessed internal databases to look up the 2003 employment application of Congressman Jason Chaffetz, Chairman of the House Committee on Oversight and Government Reform. The Inspector General has confirmed that between March 24 and April 2, 2015, on approximately 60 different occasions, 45 Secret Service employees accessed Chaffetz’ sensitive personal information. The OIG concluded that only 4 of the 45 employees had an arguable legitimate need to access the information.

Here is the IG’s conclusion:

This episode reflects an obvious lack of care on the part of Secret Service personnel as to the sensitivity of the information entrusted to them. It also reflects a failure by the Secret Service management and leadership to understand the potential risk to the agency as events unfolded and react to and prevent or mitigate the damage caused by their workforce’s actions.

All personnel involved – the agents who inappropriately accessed the information, the mid-level supervisors who understood what was occurring, and the senior leadership of the Service – bear responsibility for what occurred. Better and more frequent training is only part of the solution. Ultimately, while the responsibility for this activity can be fairly placed on the shoulders of the agents who casually disregarded important privacy rules, the Secret Service leadership must do a better job of controlling the actions of its personnel. The Secret Service leadership must demonstrate a commitment to integrity. This includes setting an appropriate tone at the top, but more importantly requires a commitment to establishing and adhering to standards of conduct and ethical and reasonable behavior. Standards of conduct and ethics are meaningful only if they are enforced and if deviations from such standards are dealt with appropriately.

It doesn’t take a lawyer explaining the nuances of the Privacy Act to know that the conduct that occurred here – by dozens of agents in every part of the agency – was simply wrong. The agents should have known better. Those who engaged in this behavior should be made to understand how destructive and corrosive to the agency their actions were. These agents work for an agency whose motto – “worthy of trust and confidence” – is engraved in marble in the lobby of their headquarters building. Few could credibly argue that the agents involved in this episode lived up to that motto. Given the sensitivity of the information with which these agents are entrusted, particularly with regard to their protective function, this episode is deeply disturbing.

Additionally, it is especially ironic, and troubling, that the Director of the Secret Service was apparently the only one in the Secret Service who was unaware of the issue until it reached the media. At the March 24th hearing, he testified that he was “infuriated” that he was not made aware of the March 4th drinking incident. He testified that he was “working furiously to try to break down these barriers where people feel that they can’t talk up the chain.” In the days after this testimony, 18 supervisors, including his Chief of Staff and the Deputy Director, were aware of what was occurring. Yet, the Director himself did not know. When he became aware, he took swift and decisive action, but too late to prevent his agency from again being subject to justified criticism.

Read the full report here. Check out Appendix 1 for the chronological access to the Chaffetz record which includes multiple field offices, including the London office. Appendix 2 is the timeline of record access.

We can’t remember anything like this happening in the recent past. There was the 1992 passportgate, of course, which involved a presidential candidate, but that’s not quite the same. In 2009, the DOJ said that a ninth individual pleaded guilty for illegally accessing numerous confidential passport application files, although it was for what’s considered “idle curiosity.”

Whether the intent of the Chaffetz record breach was to embarrass a sitting congressman or curiosity (not everyone who looked at the files leaked them to the media), the files are protected by the Privacy Act of 1974, and access by employees is strictly limited to official government duties. Only 4 of the 45 employees who did access the Chaffetz records had a legitimate reason to access the protected information. If the DOJ pursued 9 State Department employees for peeking at the passport records of politicians and celebrities, we can’t imagine that it could simply look away in this case. Particularly in this case. Winter is definitely coming to the Secret Service.



Federal Employees With Stolen Fingerprints From OPM Breach – Now Up to 5.6 Million

Posted: 12:05 pm EDT
Updated: 6:39 pm PDT



Here is the official statement from OPM dated September 23, 2015:

As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness.  During that process, OPM and DoD identified archived records containing additional fingerprint data not previously analyzed.  Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million.  This does not increase the overall estimate of 21.5 million individuals impacted by the incident.  An interagency team will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals.

Federal experts believe that, as of now, the ability to misuse fingerprint data is limited.  However, this probability could change over time as technology evolves.  Therefore, an interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future.  This group will also seek to develop potential ways to prevent such misuse.  If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.

As we have stated previously, all individuals impacted by this intrusion and their minor dependent children (as of July 1, 2015) are eligible for identity theft and fraud protection services, at no cost to them.  In conjunction with the Department of Defense, OPM is working to begin mailing notifications to impacted individuals, and these notifications will proceed on a rolling basis.

OPM and our partners across government are working to protect the safety and security of the information of Federal employees, service-members, contractors, and others who provide their information to us. Together with our interagency partners, OPM is committed to delivering high-quality identity protection services to impacted individuals. The interagency team will continue to review the impacted data to enhance its quality and completeness, and to monitor for any misuse of the data. The U.S. Government will continue to evaluate the coverage being provided and whether any adjustments are needed in association with this incident.

Sigh. Grrr. Sigh. Grrr. Sigh. Grrr. Sigh. Grrr.






GAO: FASTC Fort Pickett Fully Meets Requirements, FLETC Glynco, Not Really

Posted: 3:25 am EDT

We have previously written about the State Department’s Foreign Affairs Security Training Center (FASTC) project that has been snared in a tug of war in Congress.

On September 9, the Government Accountability Office finally released its review of the project. Concerned by the considerable variation in the cost estimates for FASTC and FLETC, members of Congress requested that GAO provide further information on both the requirements and costs of DS training. GAO examined (1) key site requirements critical to the provision of DS training and the extent to which the FASTC and FLETC proposals meet these requirements and (2) the estimated capital and recurring costs of these proposals and the extent to which the capital cost estimates conform to leading practices for reliable cost estimates. The GAO report was publicly released on September 16.

See Figure 3: Key Events in Plans to Consolidate Bureau of Diplomatic Security Training (pdf)

Excerpt below:

State has been in the process of looking for a site suitable for its DS training facility for more than a decade. In 2011, State and the General Services Administration (GSA) identified Fort Pickett near Blackstone, Virginia, as the preferred site for the Foreign Affairs Security Training Center (FASTC). The initial 2012 master plan for FASTC would have consolidated hard- and soft-skills training at Fort Pickett for an estimated cost of $925 million. In March 2013, State reduced the scope of FASTC to exclude facilities for soft-skills training and life support functions, such as dormitories and a cafeteria, ultimately decreasing the estimated cost of the current proposal to $413 million. Also in 2013, the Office of Management and Budget (OMB) directed State to work with the Department of Homeland Security (DHS) to assess the viability of using the Federal Law Enforcement Training Centers (FLETC) in Glynco, Georgia, to accommodate DS’s training. In November 2013, FLETC submitted a business case to OMB indicating that it could meet DS’s requirements, including soft-skills training, for an estimated cost of $272 million. Following this assessment, DS, FLETC, and OMB could not agree on a path forward.

In April 2014, the administration reaffirmed the selection of Fort Pickett for FASTC, and State and GSA began implementing their plan to construct FASTC. State and GSA have obligated about $71 million to date toward FASTC at Fort Pickett. In May 2015, GSA purchased land and, in June 2015, awarded a contract for the initial phase of construction of FASTC.

[W]e analyzed four of DS’s requirements that we determined were critical in the selection of a site for DS’s training facility and found that Fort Pickett fully met all four while FLETC did not fully meet any. First, building FASTC at Fort Pickett would enable DS to consolidate at one location 10 of the 12 widely scattered hard-skills training venues it is currently using. FLETC can accommodate many of these venues on its Glynco campus but would have to conduct some exercises at a Marine Corps training facility about 30 miles away. Second, we found that Fort Pickett is available for nighttime training, which DS conducts on about 190 days per year, while at FLETC there may be some limitations on nighttime training. We also determined that the Fort Pickett site held advantages in terms of proximity to Washington, D.C., and exclusivity of use, both of which were requirements highlighted in reports stemming from the Benghazi ARB.

We found that neither the FASTC nor the FLETC estimate for capital costs fully meets best practices. The FASTC estimate fully or substantially meets three of the four characteristics—comprehensive, well documented, and accurate—and partially meets one characteristic of reliable cost estimates—credible; the FLETC estimate partially or minimally meets all four characteristics. FLETC officials noted that their estimate was prepared in a short period of time based on incomplete information regarding State’s requirements; more complete information would have enabled them to develop a more comprehensive estimate. See enclosure V for more detail on our assessment. Our assessment of the reliability of these cost estimates focused on the processes used to develop the estimates rather than estimates themselves, enabling us to make a more direct comparison of their reliability.

In addition to capital costs for acquisition and construction of a DS training center, the government will incur costs of sending students to training. These recurring student costs include travel, lodging, meals and incidental expenses, and compensation for time spent traveling. We projected these costs over 10, 25, and 50 years in three different scenarios for both the FASTC and FLETC proposals. We estimate that the costs of sending students to FASTC over 10 years will be $43 million to $121 million less, in net present value, than sending students to FLETC. The difference in student costs between FASTC and FLETC increases over time, from between $122 million and $323 million less for FASTC after 25 years, to between $309 and $736 million after 50 years. See enclosure III for further details on the assumptions used in each of these scenarios.

Click on 672362 to read the full report (38 pages – pdf).

Maybe this is the end of it and the project at Fort Pickett can finally go forward? It is likely that there will be at least one more hearing on this; one congressional committee (was that HOGR?) promised a hearing once the GAO report is completed.


State Dept: “In the process of updating” its new rules for speaking and writing. Again.

Posted: 1:23  am EDT


In December 2012, we were informed by inside-the-building sources that the State Department was rewriting its 3 FAM 4170 rules on official clearance for speaking, writing, and teaching (see State Dept to Rewrite Media Engagement Rules for Employees in Wake of Van Buren Affair).

On July 27, 2015, two months short of Year 3 since Peter Van Buren retired, the State Department without much fanfare released its new 3 FAM 4170 rules in 19 pages. (see State Dept Releases New 3 FAM 4170 aka: The “Stop The Next Peter Van Buren” Regulation).

The new 3 FAM 4171.b says (see pdf):

 Former Department of State employees (including former interns and externs) must seek guidance from A/GIS/IPS for applicable review process information. Former USAID employees (including former interns and externs) must consult the Bureau for Legislative and Public Affairs for applicable review process information.

On September 3, we asked the State Department for guidance on the pre-publication requirement for former/retired employees under the new 3 FAM 4170.

Last Friday, after a second inquiry, we finally got a response from a State Department spokesman as follows:

 The Department is in the process of updating the Foreign Affairs Manual (FAM) guidance relating to the pre-publication obligations of former employees.  Former employees’ obligations will vary based upon the non-disclosure agreements they may have signed. For example, they may have obligations under the Classified Information Non-Disclosure Agreement (SF-312) or the SCI (Sensitive Compartmented Information) Non-Disclosure Agreement (Form 4414).

If employees have signed a non-disclosure/secrecy agreement with another agency, then they may also have pre-publication review obligations with those agencies as well. This obligation is separate from any requirement for pre-publication review that an employee may have with the State Department but the Department can provide the coordination with those other agencies, if requested.

SF-312 Classified Information Nondisclosure Agreement via GSA.gov specifically contains the following paragraphs:

3. I have been advised that the unauthorized disclosure, unauthorized retention, or negligent handling of classified information by me could cause damage or irreparable injury to the United States or could be used to advantage by a foreign nation. I hereby agree that I will never divulge classified information to anyone unless: (a) I have officially verified that the recipient has been properly authorized by the United States Government to receive it; or (b) I have been given prior written notice of authorization from the United States Government Department or Agency (hereinafter Department or Agency) responsible for the classification of information or last granting me a security clearance that such disclosure is permitted. I understand that if I am uncertain about the classification status of information, I am required to confirm from an authorized official that the information is unclassified before I may disclose it, except to a person as provided in (a) or (b), above. I further understand that I am obligated to comply with laws and regulations that prohibit the unauthorized disclosure of classified information.

5. I hereby assign to the United States Government all royalties, remunerations, and emoluments that have resulted, will result or may result from any disclosure, publication, or revelation of classified information not consistent with the terms of this Agreement.

8. Unless and until I am released in writing by an authorized representative of the United States Government, I understand that all conditions and obligations imposed upon me by this Agreement apply during the time I am granted access to classified information, and at all times thereafter.

Sensitive Compartmented Information Non-Disclosure Agreement Form 4414 via NCSC (pdf) contains the following:

4. (U) In consideration of being granted access to SCI and of being assigned or retained in a position of special confidence and trust requiring access to SCI, I hereby agree to submit for security review by the Department or Agency that last authorized my access to such information or material, any writing or other preparation in any form, including a work of fiction, that contains or purports to contain any SCI or description of activities that produce or relate to SCI or that I have reason to believe are derived from SCI, that I contemplate disclosing to any person not authorized to have access to SCI or that I have prepared for public disclosure. I understand and agree that my obligation to submit such preparations for review applies during the course of my access to SCI and thereafter, and I agree to make any required submissions prior to discussing the preparation with, or showing it to, anyone who is not authorized to have access to SCI. I further agree that I will not disclose the contents of such preparation with, or show it to, anyone who is not authorized to have access to SCI until I have received written authorization from the Department or Agency that last authorized my access to SCI that such disclosure is permitted.

5. (U) I understand that the purpose of the review described in paragraph 4 is to give the United States a reasonable opportunity to determine whether the preparation submitted pursuant to paragraph 4 sets forth any SCI. I further understand that the Department or Agency to which I have made a submission will act upon it, coordinating within the Intelligence Community when appropriate, and make a response to me within a reasonable time, not to exceed 30 working days from date of receipt.

9. (U) Unless and until I am released in writing by an authorized representative of the Department or Agency that last provided me with access to SCI, I understand that all conditions and obligations imposed on me by this Agreement apply during the time I am granted access to SCI, and at all times thereafter.

Whoa! Is there a way out?

The State Department has several paid and unpaid student internship programs. The programs’ eligibility requirements include the ability to receive either a Secret or Top Secret clearance (pdf). So, is a student who receives a one-year internship at State on the hook for life when it comes to obtaining clearance for speaking, writing, teaching and all media engagement as it is written under 3 FAM 4170? Are the interns/externs aware of their obligations under these rules before they sign up for these internships?

Where can interns/externs obtain a release in writing from a State Department representative?  We originally sent our inquiry to A/GIS/IPS cited as the contact office, but could not even get a response from there. There is no easily available email box to send the request either for a clearance or to request a release.

NOTE: For current employees, the reviewing office is the Bureau of Public Affairs (paclearances[at]state.gov). It looks like State/PA also has The PA Clearances Database accessible online. You need to sign up to register for an account to allow the online submission of clearance requests to the Bureau of Public Affairs. The site says “Using this site will expedite your clearance request.”

For former and retired State Department employees, how far back is the USG going to reach back? For life?

On December 29, 2009, President Obama issued Executive Order 13526, which prescribes a uniform system for classifying, safeguarding, and declassifying national security information. “No information may remain classified indefinitely,” the order says. The default declassification date is 10 years. After 25 years, declassification review is automatic, with nine narrow exceptions that allow information to continue to be classified. Classifications beyond 75 years require special permission.

Given the default declassification at 10 years, can retired and former employees get an automatic release from these obligations 10 years after they leave their jobs at the State Department?

For employees who are no longer attached in any capacity to the State Department, and haven’t been for 20 years, and have no interest in pursuing consulting or WAE appointments at the agency, ought they not be able to obtain a release from their obligations under these nondisclosure provisions?

Perhaps it’s time for State to put together its own Publication Review Board (PRB)? The CIA has one, and this article by John Hollister Hedley, the Chairman of the PRB, on former CIA employees seeking to become published authors is instructive:

The courts have held that this signed agreement is a lifetime enforceable contract.(3) The courts also have noted that the secrecy agreement is a prior restraint of First Amendment freedom. But they ruled it a legitimate restraint, provided it is limited to the deletion of classified information and so long as a review of a proposed publication is conducted and a response given to its author within 30 days.(4)

The important thing is for us to be reasonable and professional about what we protect. It does not take a genius to know what information requires a hard look: for example, in an age of terrorism and for privacy act considerations, we have to protect identities not already in the public domain. Also taboo–because they impact adversely our ability to conduct our business, most of it necessarily in secret–are cover arrangements, liaison relationships, covert facilities, and unique collection and analytic capabilities. These constitute the sources and methods that truly need protection. For the most part, they can easily be avoided without keeping an author from telling a story or restricting an author’s opinion on a variety of intelligence subjects.

In prepublication reviews, we have to show we know the difference between what truly is sensitive and what is not. We do not earn respect just by saying “no,” but neither do we earn respect just by giving away information. Our unique role is to judge whether a denial of disclosure would stand up in court, whether we could make a compelling case in a court of law that specific damage to US national security would result. We can have it both ways: we can protect that which needs to be protected, while being forthcoming about intelligence activities in a way that can help educate, inform, enlighten, and even entertain the general public. That is the cost of doing business in this free society we help to preserve; trying to have it both ways is a challenge that comes with the territory.

The article is focused on pre-publication review of manuscripts but notes that the submissions range “from 1,000-page book manuscripts to one-page letters to the editor. There are speeches, journal articles, theses and op-eds, book reviews, and movie scripts. There are scholarly treatises, works of fiction, and, recently, a cookbook featuring a collection of recipes acquired and served by Agency officers and spouses around the world. Perhaps the most novel review (no pun intended) involved an interactive CD-ROM video spy game co-authored by former Director of Central Intelligence (DCI) William Colby and KGB Gen. Oleg Kalugin.”

We should note that the State Department’s pre-publication review has three purposes per 3 FAM 4170:

(1) The personal capacity public communications review requirement is intended to serve three purposes: to determine whether the communication would disclose classified or other protected information without authorization; to allow the Department to prepare to handle any potential ramifications for its mission or employees that could result from the proposed public communication; or, in rare cases, to identify public communications that are highly likely to result in serious adverse consequences to the mission or efficiency of the Department, such that the Secretary or Deputy Secretary must be afforded the opportunity to decide whether it is necessary to prohibit the communication (see 3 FAM 4176.4).

The CIA’s PRB, on the other hand, says that the sole purpose of its prepublication review is “to assist authors in avoiding inadvertent disclosure of classified information which, if disclosed, would be damaging to national security–just that and nothing more.”


Related items:

SF312-13 | Classified Information Nondisclosure Agreement

FORM_4414_Rev_12_2013 | Sensitive Compartmented Information Non-Disclosure Agreement

PSA: Know the Risk #Raise Your Shield Campaign: Spear Phishing

Posted: 4:02 am EDT


The National Counterintelligence and Security Center (NCSC) is responsible for leading the counterintelligence and security mission across the USG. It is putting out a campaign focusing on spear phishing. The campaign will reportedly address social media, human targeting, and travel awareness. You can learn more at http://www.ncsc.gov but fair warning, the website is slow and cumbersome, hard to navigate and not terribly user-friendly.

Via the Office of the Director of National Intelligence:


Here’s the Don’t Be THIS Guy: Spear Phishing video:


HOGR Hearing: Violence on the Border, Keeping U.S. Personnel Safe

Posted: 2:47 pm EDT


The House Oversight and Government Reform Committee held a hearing on September 9 to examine the efforts to ensure the safety of U.S. personnel and assets in northern Mexico and along the U.S.-Mexican border. The Committee notes in its introduction that the risks posed to U.S. personnel and the public by the criminal violence in northern Mexico are numerous, including:

  • February 2015: the U.S. Consulate in Matamoros reported 227 separate security incidents in the U.S. border region.
  • May 2015: two government buildings in Matamoros were struck by bomb attacks.
  • June 2015: a gunman on the Mexican side of the border fired multiple shots at a U.S. Customs and Border Protection helicopter.
  • June 2015: a U.S.-contracted vehicle was hijacked by armed criminals which resulted in the theft of over 11,500 Border Crossing Cards.

The video is available here. The witnesses include three officials from the State Department (DS, OBO, WHA), an official from DHS/CBP, and a representative from the American Federation of Government Employees (AFGE).  There is no representative from the American Foreign Service Association (AFSA) in this hearing.

U.S. Mission Mexico | Border Posts

  • William H. Moser, Deputy Director, Bureau of Overseas Building Operations, U.S. Department of State
  • Gregory B. Starr, Assistant Secretary, Bureau of Diplomatic Security, U.S. Department of State
  • Sue Saarnio, Deputy Assistant Secretary, Western Hemisphere Affairs, U.S. Department of State
  • Robert L. Harris, Director, Joint Task Force – West, U.S. Customs and Border Protection
  • Brandon Judd, President, National Border Patrol Council, American Federation of Government Employees

The hearing is also available here via C-SPAN.


OPM Spends $133 Million on Credit Monitoring, Still No Credit Freeze

Posted: 12:34 am PDT


On September 1, OPM announced the $133M contract for identity theft protection and credit monitoring services for the 21.5 million individuals affected by the massive OPM breach that includes security clearance data. Our go-to expert on this says that “perhaps the agency should be offering the option to pay for the cost that victims may incur in “freezing” their credit files, a much more effective way of preventing identity theft.” Excerpt from Krebs on Security:

The only step that will reliably block identity thieves from accessing your credit file — and therefore applying for new loans, credit cards and otherwise ruining your good name — is freezing your credit file with the major credit bureaus. This freeze process — described in detail in the primer, How I Learned to Stop Worrying and Embrace the Security Freeze — can be done online or over the phone. Each bureau will give the consumer a unique personal identification number (PIN) that the consumer will need to provide in the event that he needs to apply for new credit in the future.

Here is part of the OPM announcement:

The U.S. Office of Personnel Management (OPM) and the U.S. Department of Defense (DoD) today announced the award of a $133,263,550 contract to Identity Theft Guard Solutions LLC, doing business as ID Experts, for identity theft protection services for 21.5 million individuals whose personal information was stolen in one of the largest cybercrimes ever carried out against the United States Government. These services will be provided at no cost to the victims whose sensitive information, including Social Security numbers, were compromised in the cyber incident involving background investigations.

“We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future,” said Beth Cobert, Acting Director of the Office of Personnel Management. “Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

ID Experts will provide all impacted individuals and their dependent minor children (under the age of 18 as of July 1, 2015) with credit monitoring, identity monitoring, identity theft insurance, and identity restoration services for a period of three years. This task order was awarded under GSA’s Blanket Purchase Agreements (BPA) for Identity Monitoring, Data Breach Response and Protection Services which GSA awarded today.

The U.S. Government, through the Department of Defense, will notify those impacted beginning later this month and continue over the next several weeks. Notifications will be sent directly to impacted individuals.






Heard that? Crickets.


Asset Freeze Against Former Monk Accused of Defrauding Chinese Investors Highlights EB-5 Visa Program

Posted: 12:38 am EDT


Via Securities and Exchange Commission:

Washington D.C., Aug. 25, 2015 — The Securities and Exchange Commission today announced an asset freeze obtained against a man in Bellevue, Wash., accused of defrauding Chinese investors seeking U.S. residency through the EB-5 Immigrant Investor Pilot Program by investing in his companies.

The SEC alleges that Lobsang Dargey and his “Path America” companies have raised at least $125 million for two real estate projects: a skyscraper in downtown Seattle and a mixed-use commercial and residential development containing a farmers’ market in Everett, Wash.  But Dargey diverted $14 million for unrelated real estate projects and $3 million for personal use including the purchase of his $2.5 million home and cash withdrawals at casinos.

“We allege that Dargey promised investors their money would be used to develop specific real estate projects approved under the EB-5 program, but he misused millions of dollars to enrich himself and jeopardized investors’ prospects for U.S. residency,” said Jina L. Choi, Director of the SEC’s San Francisco Regional Office.

According to the SEC’s complaint filed yesterday in U.S. District Court for the Western District of Washington:

  • Under the EB-5 program, foreign citizens may qualify for U.S. residency if they make a qualified investment of at least $500,000 in a specified project that creates or preserves at least 10 jobs for U.S. workers.
  • Dargey and his companies obtained investments from 250 Chinese investors under the auspices of the EB-5 program.  Path America SnoCo and Path America KingCo operated as regional centers through which EB-5 investments could be made.
  • Dargey told U.S. Citizenship and Immigration Services (USCIS) and EB-5 investors that he would use investor money only for the Seattle skyscraper and Everett, Wash., projects.
  • Dargey and his companies misled investors about their ability to obtain permanent residency by investing in the Path America projects.  For example, Dargey knew that USCIS can deny investors’ residency applications if investor money is used for a project that materially departs from the approved business plan presented to USCIS.  Dargey failed to tell investors that he and his companies had departed from the business plan by using investor money for personal expenses and unrelated projects.

Late yesterday, the court granted the SEC’s request for an asset freeze and issued an order restraining Dargey and his companies from soliciting additional investors.  The SEC also was granted an order expediting discovery, prohibiting the destruction of documents, and requiring Dargey to repatriate funds he transferred to overseas bank accounts.

The SEC’s investigation was conducted by Brent Smyth and Michael Foley of the San Francisco office and supervised by Steven Buchholz.  The SEC’s litigation will be led by Mr. Smyth and Susan LaMarca.  The SEC appreciates the assistance of the USCIS.

According to the Seattle Times, citing a civil fraud suit filed Monday by the Securities and Exchange Commission (SEC), Dargey, a former monk, allegedly diverted millions to spend on a $2.5 million home, other real-estate investments and gambling at 14 casinos across the West. The report notes that the EB-5 visa program allows wealthy foreigners to invest at least $500,000 in a commercial enterprise that creates at least 10 full-time jobs, in exchange for a permanent-residency visa or green card. China dominates the list of countries from which immigrant investors hail.

Department of Homeland Security’s USCIS administers the Immigrant Investor Program, also known as “EB-5,” created by Congress in 1990 to stimulate the U.S. economy through job creation and capital investment by foreign investors. Under a pilot immigration program first enacted in 1992 and regularly reauthorized since, certain EB-5 visas also are set aside for investors in Regional Centers designated by USCIS based on proposals for promoting economic growth. As of August 3, 2015, USCIS had approved approximately 697 regional centers. Regional centers can operate in multiple states.

In its adjudication policy memorandum dated May 30, 2013, USCIS writes that adjudication of EB-5 petitions and applications must adhere only to the “Preponderance of the Evidence Standard”:

As a preliminary matter, it is critical that our adjudication of EB-5 petitions and applications adhere to the correct standard of proof. In the EB-5 program, the petitioner or applicant must establish each element by a preponderance of the evidence. See Matter of Chawathe, 25 I&N Dec. 369, 375-376 (AAO 2010). That means that the petitioner or applicant must show that what he or she claims is more likely so than not so. This is a lower standard of proof than both the standard of “clear and convincing,” and the standard “beyond a reasonable doubt” that typically applies to criminal cases. The petitioner or applicant does not need to remove all doubt from our adjudication. Even if an adjudicator has some doubt as to the truth, if the petitioner or applicant submits relevant, probative, and credible evidence that leads to the conclusion that the claim is “more likely than not” or “probably true”, the petitioner or applicant has satisfied the standard of proof.



Related items: