Over and over, the United States has touted education — for which it has spent more than $1 billion — as one of its premier successes in Afghanistan, a signature achievement that helped win over ordinary Afghans and dissuade a future generation of Taliban recruits. As the American mission faltered, U.S. officials repeatedly trumpeted impressive statistics — the number of schools built, girls enrolled, textbooks distributed, teachers trained, and dollars spent — to help justify the 13 years and more than 2,000 Americans killed since the United States invaded.
But a BuzzFeed News investigation — the first comprehensive journalistic reckoning, based on visits to schools across the country, internal U.S. and Afghan databases and documents, and more than 150 interviews — has found those claims to be massively exaggerated, riddled with ghost schools, teachers, and students that exist only on paper. The American effort to educate Afghanistan’s children was hollowed out by corruption and by short-term political and military goals that, time and again, took precedence over building a viable school system. And the U.S. government has known for years that it has been peddling hype.
USAID program reports obtained by BuzzFeed News indicate the agency knew as far back as 2006 that enrollment figures were inflated, but American officials continued to cite them to Congress and the American public.
As for schools it actually constructed, USAID claimed for years that it had built or refurbished more than 680, a figure Hillary Clinton cited to Congress in 2010 when she was secretary of state. By 2014, that number had dropped to “more than 605.” After months of pressing for an exact figure, the agency told BuzzFeed News the number was 563, a drop of at least 117 schools from what it had long claimed.
Katherine Archuleta, who remains OPM director following the drip, drip, drip reports on the OPM data breach, wrote a blog post at 8 pm on Saturday, July 4th, updating the “hardworking Federal workforce” on the “Cyberintrusion Investigation.”
The update does not provide any real update on the investigation, except to say they hope to have something this week. Two sentences on the investigation from an eight para message. Oy!
The purpose of the message appears to be — to show that the director is working on a Federal holiday. At 8 pm, too. While you all are celebrating the Fourth of July, the OPM director who is “as concerned about these incidents as you are,” is writing a blog post, and talking about the “tireless efforts” of her team. She wants folks to know that she “shares your anger,” and that she remains “committed to improving the IT issues that have plagued OPM for decades.” She also writes that she is “committed to finishing the important work outlined” in her Strategic IT Plan.
Hey, no one is personally responsible for this breach except the hackers, and it looks like Ms. Archuleta is committed enough that she won’t be going anywhere. No, not even to go back in time.
Here’s the part of her message that gave me a nasty headache. She writes, “I encourage you to take some time to learn about the ways you can help protect your own personal information.”
Ay, holy molly guacamole!
May I also encourage OPM to take some time to learn about the ways it can help protect the personal information of Federal employees, job applicants, retirees and contractors, and their family members, because why not? See this timeline:
Cybersecurity is already a priority in our lives and work. We’re all in this great mess because it wasn’t a priority for OPM. I certainly welcome more substantive details of this breach but these updates that are nothing more than rumble burble CYA are mighty useless, and they don’t do anything to improve my perception of OPM or its leadership.
As our hardworking Federal workforce enjoys a much-deserved holiday weekend, I want to share a quick update on the ongoing investigation into the recent theft of information from OPM’s networks.
For those individuals whose data may have been compromised in the intrusion affecting personnel records, we are providing credit monitoring and identity protection services. My team has worked with our identity protection contractor to increase staff to handle the large volume of calls, and to dramatically reduce wait times for people seeking services. As of Friday, our average wait time was about 2 minutes with the longest wait time being about 15 minutes.
Thanks to the tireless efforts of my team at OPM and our inter-agency partners, we also have made progress in the investigation into the attacks on OPM’s background information systems. We hope to be able to share more on the scope of that intrusion next week, and in the coming weeks, we will be working hard to issue notifications to those affected.
I want you to know that I am as concerned about these incidents as you are. I share your anger that adversaries targeted OPM data. And I remain committed to improving the IT issues that have plagued OPM for decades.
One of my first priorities upon being honored with the responsibility of leading OPM was the development of a comprehensive IT strategic plan, which identified security vulnerabilities in OPM’s aging legacy systems, and, beginning in February 2014, embarked our agency on an aggressive modernization and security overhaul of our network and its systems. It was only because of OPM’s aggressive efforts to update our cybersecurity posture, adding numerous tools and capabilities to our networks, that the recent cybersecurity incidents were discovered.
I am committed to finishing the important work outlined in my Strategic IT Plan and together with our inter-agency partners, OPM will continue to evaluate and improve our security systems to make sure our sensitive data is protected to the greatest extent possible, across all of our networks.
We are living in an era where cybersecurity must be a priority in our lives at work and at home. I encourage you to take some time to learn about the ways you can help protect your own personal information. There are many helpful resources available on our website.
I’m wishing you a safe and relaxing 4th of July weekend.
The State Department’s Consular Consolidated Database, whose problems affected travelers globally, is now back online at 165 of 220 visa issuance posts worldwide. The latest update does not explain in detail the cause of the glitch except to cite the hardware issue. It also says that service was restored “using a redundant, secondary backup system and other sources.” It does not explain what “other sources” means but if it took at least 9 days to get that redundant, secondary back-up system to kick in, that’s not a very good system.
The Consular Affairs-issued FAQ asks how many people were affected by this outage? The answer it provides to this question is neither here nor there. Folks, if you can’t answer your own question, please don’t include it.
According to travel.state.gov, the average visa applications processed every day worldwide is 50,000 x 9 days (June 9-19)=450,000 + 25,000 (half the average daily applications) x 4 days (June 22-25) = 100,000. Total number potentially affected 550,000. Is that close enough?
The June 25 update says that if systems had been operating normally, posts would have issued approximately 540,000 visas since the outage started. Whoa! Help us out here. What kind of refusal/approval rates are we looking at here? That 540,000 figure is a little hinky because not all applicants who apply are issued visas. If it would have issued 540,000 visas, what would have been the total number of applicants? Note that all of them must pay the visa fees. We estimate that the USG loss from this latest glitch is between $72 and $84 million (average daily applications globally x no. of days x $160 visa fee). Is that too low?
Meanwhile, StarrFMonline.com reported that the US Embassy in Accra has “dismissed reports that it is ripping Ghanaians off by accepting visa fees in spite of the visa issuance imbroglio that has hit US embassies across the world.” The consular section chief had to explain that “if anybody was refused a visa, that was because of the case and has nothing to do with our technical issues.”
On June 24, the Bureau of Consular Affairs reports that 50 posts, representing nearly 73 percent of its nonimmigrant visa demand worldwide, are back online and issuing visas. It also says that “posts overseas have issued more than 150,000 non-immigrant visas since June 9.” And that for context, if systems had been operating normally, posts would have issued approximately 450,000 visas during the June 9-23 timeframe.
On June 25, the Bureau of Consular Affairs reports that 165 posts, representing more than 85 percent of nonimmigrant visa demand worldwide, are now online and issuing visas. The update says that if systems had been operating normally, posts would have issued approximately 540,000 visas since the outage started.
Via travel.state.gov, June 25 update:
Visa Systems Issues
The Bureau of Consular Affairs reports that 165 posts, representing more than 85 percent of our nonimmigrant visa demand worldwide, are now online and issuing visas.
Posts overseas issued more than 82,000 visas on June 24.
Posts overseas have issued more than 238,000 non-immigrant visas this week. For context, if systems had been operating normally, posts would have issued approximately 540,000 visas since the outage started.
We will continue to bring additional posts online until connectivity with all posts is restored. All posts worldwide are now scheduling interviews with applicants, including with those who applied after the systems problems began on June 9.
We deeply regret the inconvenience to travelers who are waiting for visas, as well as their families and U.S. businesses that have been affected.
We continue to post updates to our website, travel.state.gov.
Q: Reports indicate that your backlog is 700,000 visas. Is this accurate?
No. While there is a large backlog of cases to clear, it never approached that level, and we have already made good progress issuing those visas. Many posts are working overtime this week and during the upcoming weekend, and we expect to eliminate the backlog in a week or less.
Q: How old is this equipment? And does the age of the equipment and the need to have so many repairs to the hardware mean that this equipment should have been replaced? Is this a funding issue at the base of it?
The hardware that impacted the biometrics system is several years old. The Department was working to move the biometrics system off of this hardware.
The operational requirements to keep this database running for domestic and overseas passport and visa issuances caused delays in upgrading the database according to our planned maintenance schedule.
We have been working to upgrade our systems over the past year.
We will move ahead with planned migration and systems upgrades as soon as we fully restore service.
Q: How did you restore service?
We restored service using a redundant, secondary backup system and other sources. That data allowed us to begin to re-connect posts to the affected portion of the system and synchronize biometric data. This system is running on newer hardware, and has a synchronized standby system in a different Department data center.
In parallel, we are continuing to restore data from backups and overseas post databases. This process is ongoing.
Q: Do you know whether this is equipment that was acquired directly by the State Department, or was this acquired through a third-party contractor?
The equipment was acquired by the Department of State.
Q: How many people were affected by this outage?
During the past two weeks, consular sections have continued to interview travelers who applied June 8 or earlier. Those posts reconnected to our system are now issuing visas for those applicants.
Q: How are cases being prioritized?
We continue to facilitate urgent cases for those individuals who need to travel imminently, and will continue to do so until the systems are normal.
We apologize to travelers and recognize that this has caused hardship to some individuals waiting for visas as well as families and employers.
Q: What about the foreign agricultural workers (H2A visa holders?)
More than 2,500 temporary or seasonal workers have been issued new visas in Mexico since last week.
We will continue to prioritize H-2 applicants as our systems return to normal, and issue as many approved cases as possible. However, we will not be able to process these as quickly as we typically do until our systems are functioning normally. We continue to ask that any employers with urgent needs contact the post which is processing their applicants and we will do everything we can to facilitate the cases.
We are no longer asking CBP to provide Port of Entry waivers, as we have now begun issuing visas at border posts.
Visa applicants, including agricultural workers, who have not received a visa should not report to the border. Please contact the nearest embassy or consulate.
Looking at an American intervention that’s going to end, not with a bang, but on a deadline, it can be tough to find the silver lining.
This week Forbes contributor Loren Thompson tried to do that in a piece called “Five Signs Afghanistan Is Becoming An American Success Story,” making the case that staying the course in Afghanistan is “paying off.” His premise that Americans can hold their head high on Afghanistan is based on five points: the solid performance of Afghan forces, the country’s improved political climate, Islamabad’s renewed interest in cooperating with Kabul, a booming Afghan economy, and popular support for Afghanistan’s national institutions. It’s a concise, readable assessment, with one problem: The country Thompson describes doesn’t exist.
Gary Owen is a veteran, development worker, and blogger at “Sunny in Kabul.” He is also a regular contributor to the Afghan Analysts Network and Vice News. Gary Owen is a pseudonym. Follow Gary Owen on Twitter @elsnarkistani.
Excerpt from the transcript of Hillary Clinton’s remarks on the email controversy swirling about via Time’s @ZekeJMiller:
There are four things I want the public to know.
First, when I got to work as secretary of state, I opted for convenience to use my personal email account, which was allowed by the State Department, because I thought it would be easier to carry just one device for my work and for my personal emails instead of two.
Looking back, it would’ve been better if I’d simply used a second email account and carried a second phone, but at the time, this didn’t seem like an issue.
Second, the vast majority of my work emails went to government employees at their government addresses, which meant they were captured and preserved immediately on the system at the State Department.
Third, after I left office, the State Department asked former secretaries of state for our assistance in providing copies of work-related emails from our personal accounts. I responded right away and provided all my emails that could possibly be work-related, which totalled roughly 55,000 printed pages, even though I knew that the State Department already had the vast majority of them. We went through a thorough process to identify all of my work-related emails and deliver them to the State Department. At the end, I chose not to keep my private personal emails — emails about planning Chelsea’s wedding or my mother’s funeral arrangements, condolence notes to friends as well as yoga routines, family vacations, the other things you typically find in inboxes.
No one wants their personal emails made public, and I think most people understand that and respect that privacy.
Fourth, I took the unprecedented step of asking that the State Department make all my work-related emails public for everyone to see.
I am very proud of the work that I and my colleagues and our public servants at the department did during my four years as secretary of state, and I look forward to people being able to see that for themselves.
Again, looking back, it would’ve been better for me to use two separate phones and two email accounts. I thought using one device would be simpler, and obviously, it hasn’t worked out that way.
The Clinton folks have also released a Q&A on her email use:
So if we tell over 70,000 employees that they should secure their email accounts and “avoid conducting official Department business from your personal email accounts,” then we go off and use our own private non-government email, what leadership message are we sending out to the troops? Follow what I say not what I do?
The secretary of state is the highest classifying authority at the State Department. Since she did not have a state.gov account, does this mean she never sent/received any classified material via email in the entirety of her tenure at the State Department? If so, was there a specific person who routinely checked classified email and cable traffic intended for the secretary of state?
BREAKING: Clinton says she never sent classified material on personal email as secretary of state.
The podium heads insist that there is no restriction in use of private emails. Never mind that this is exclusive use of private emails. If a junior diplomat or IT specialist sets up his/her own email server to conduct government business at the home backyard shed in Northern Virginia, do you think Diplomatic Security would not be after him or her? Would he/she even get tenured by the Tenuring Board despite systems management practices contrary to published guidelines? If the answer is “yes,” we’d really like to know how this works. For ordinary people.
And then there’s this — if there were a hundred people at State that the then secretary of state regularly sent emails to, was there not a single one who said, “wait a minute, this might not be such a great idea”?
The State Department has multiple automated information systems. All employees, including locally employed staff and contractors (apparently with the exception of Secretary Clinton and who knows how many others), have state.gov email addresses for use in their unclassified workstations. But not everyone has classified access and in some places, you have to go to a controlled location just to read your classified email. Here is a quick description from publicly available documents:
OpenNet is the Department’s internal network (intranet), which provides access to Department-specific Web pages, email, and other resources.
ClassNet is the Department’s worldwide national security information computer network and may carry information classified at or below the Secret level.
SMART-SBU or just “SMART” replaces existing Department of State unclassified email and cable systems with a Microsoft Outlook-based system.
SMART-C is the Classified State Messaging and Archive Retrieval Toolset
No one “scans” emails for classified material?
The real question seems to be — well, if all her email communication was conducted through a private email server — how can we be sure that no classified and sensitive information was transmitted using her private email account? We can’t, how can we?
However, for ordinary employees with badges and logins, an Information System Security Officer (ISSO) has “read access to the employee’s mailbox to ensure that no messages contain classification levels higher than that allowed on the authorized information system” (see 12 FAM 640-pdf). Which seems to indicate that ISSOs, as a matter of course, “scan” State Department electronic mailboxes and files to ensure that there is no material there beyond “Sensitive But Unclassified” in the unclass system, for example.
Moving on to fumigation
Anyways — remember the WikiLeaks fallout? At that time, federal employees and contractors who believed they may have inadvertently accessed or downloaded classified or sensitive information on computers that access the web via non-classified government systems, or without prior authorization, were told to contact their information security offices for assistance.
If the unthinkable does happen, their unclassified computers required the equivalent of um… let’s say, digital “fumigation.” But who does that for private email servers?
The office that handles FOIA requests is the Office of Information Programs and Services (A/GIS/IPS/RL) under the Bureau of Administration. The Department also has its own chief information officer. Can we please have the State Department’s IT and FOIA experts talk about this from the podium? Please, please, please, pretty please, this is getting more painful to watch every day.
In related news — when you see reports that US embassies have been cited multiple times by State/OIG for use of “personal email folders,” we suggest you take a deep breath. That’s not/not the same as the use of personal private emails like Yahoo or Gmail. What those OIG reports are probably referring to are the personal storage folders, also known as .pst files in Microsoft Outlook on the employees’ hard disk drives. Why would you want to save your emails in the personal folders of your computer?
Because a .pst file is kept on your computer, it is not subject to mailbox size limits on the mail server. By moving items to a .pst file on your computer, you can free up storage space in the mailbox on your mail server.
Just because you have classification authority, must you?
Below is an excerpt from the State Department Classification Guide | January 2005, Edition 1 (pdf via the Federation of American Scientists)
High Level Correspondence. This includes letters, diplomatic notes or memoranda or other reports of telephone or face-to-face conversations involving foreign chiefs of state or government, cabinet-level officials or comparable level figures, e.g., leaders of opposition parties. It should be presumed that this type of information should be classified at least CONFIDENTIAL, though the actual level of classification will depend upon the sensitivity of the contained information and classification normally assigned by the U.S. to this category of information. Information from senior officials shall normally be assigned a classification duration of at least ten years. Some subjects, such as cooperation on matters affecting third countries, or negotiation of secret agreements, would merit original classification for up to 25 years.
(a) In the Department of State authority for original classification of information as ‘‘Top Secret’’ may be exercised only by the Secretary of State and those officials delegated this authority in writing, by position or by name, by the Secretary or the DAS/ CDC, as the senior official, on the basis of their frequent need to exercise such authority.
But why would the USG’s classification guide or classification authority even apply to an email server that apparently is not owned nor physically possessed or maintained by the State Department?
No one is coming out of this smelling like roses
The 67th secretary of state exclusively used private email during her entire tenure at the State Department. She left the State Department on February 1, 2013. The official word is that in October 2014 — to improve record-keeping or something — the State Department “reached out to all of the former secretaries of state to ask them to provide any records they had.” Secretary Clinton reportedly sent back “55,000 pages of documents to the State Department very shortly” after the letter was sent to her. “She was the only former Secretary of State who sent documents back in to this request,” said Ms. Harf. This storyline is not even walking quite straight anymore according to the NYT’s follow-up report of March 5.
What appears clear is that the USG cannot possibly know the answer to the endless questions surrounding these emails since it does not have possession of the private email server used in the conduct of official business. But somebody must know how this set-up came to be in 2009. What originated this, what security, if any, was put in place?
As if we don’t have enough disturbing news … have you seen this?
Federal judge rules this week that a group can only #FOIA e-mails held by a gov agency, not director’s private emails http://t.co/mwYKI6iyqk
In related news, the National Security Archive filed suit against the State Department this week under the Freedom of Information Act to force the release of the last 700 transcripts of former Secretary of State Henry Kissinger’s telephone calls (telcons). The Archive’s appeal of State’s withholding dates back to 2007.
The 56th secretary of state had reportedly removed the telcons, along with his memcons and office files, from the State Department when he left office at the end of 1976. According to the FOIA-released declassification guide for the State Department “information that still requires protection beyond 25 years should be classified for only as long as considered necessary to protect the national security.”
But … but …it’s been almost 40 years, heeeellloo!
Where are we again? Oh, utterly distressed by this whole thing.
At that time, the State Department deputy spox, Marie Harf called the allegations “a crazy conspiracy theory about people squirreling away things in some basement office and keeping them secret.” She also said this:
QUESTION: Did people involved in preparing the documents for the ARB separate documents into stuff that was just whatever and then things that they thought were – made people on the seventh floor, including the Secretary, look bad?
MS. HARF: Not to my knowledge, Matt, at all. The ARB had full and unfettered access and direct access to State Department employees and documents. The ARB’s co-chairs, Ambassador Pickering and Admiral Mullen, have both repeated several times that they had unfettered access to all the information they needed. So the ARB had complete authority to reach out independently and directly to people. Employees had complete authority to reach out directly to the ARB. And they’ve said themselves they had unfettered access, so I have no idea what prompted this somewhat interesting accounting of what someone thinks they may have seen or is now saying they saw.
But the ARB has been clear, the ARB’s co-chairs have been clear that they had unfettered access, and I am saying that they did have full and direct access to State Department employees and documents.
“That allegation is totally without merit. It doesn’t remotely reflect the way the ARB actually obtained information,” he said in an email. He explained that an “all-points bulletin”-type request went out department-wide instructing “full and prompt cooperation” for anyone contacted by the ARB, and urging anyone with “relevant information” to contact the board.
“So individuals with information were reaching out proactively to the Board. And, the ARB was also directly engaged with individuals and the Department’s bureaus and offices to request information and pull on whichever threads it chose to. The range of sources that the ARB’s investigation drew on would have made it impossible for anyone outside of the ARB to control its access to information,” Gerlach said. He further noted that the leaders of the ARB have claimed they had unfettered access to information and people.
In both cases, these government officials emphasized one thing: that the Pickering-Mullen Accountability Review Board “had full and unfettered access and direct access to State Department employees and documents.”
In the September 2013 congressional hearing, the Benghazi ARB co-chair also told Congress, “We had unfettered access to State Department personnel and documents. There were no limitations.”
Shouldn’t we now consider the absent clintonemail.com server as one such limitation?
In light of reports that Secretary Clinton exclusively used a personal email account to conduct government business as secretary of state, and that her private emails were never reportedly actual residents of Foggy Bottom, would these current and former government officials now revisit their statements on the ARB’s “unfettered” access to documents?
Congress annually appropriates funds for the security of diplomatic personnel and facilities within the Department of State, Foreign Operations and Related Programs appropriation, which is about 1% of the total federal budget. Security funding amounts to about 9% of that appropriation.
Congress has not enacted a stand-alone State Department appropriation prior to the start of the fiscal year since 1995 and has not passed a stand-alone Foreign Relations Authorization law since 2002. Both could have been legislative vehicles for debate regarding Administration of Foreign Affairs, including diplomatic/embassy security funding and priorities. Instead, Congress has provided ongoing security funding within Continuing Resolutions (CRs) that have delayed by several months the full-year appropriation eventually provided. Funding within a CR is usually based on the previous year’s funding levels. Furthermore, if spending was not in the previous year’s appropriation (as was the case with Benghazi in 2012), it would not be funded by a CR. Only after the final appropriation is passed by Congress and signed into law by the President would State Department officials know what level of funding they can allocate on a daily/weekly/monthly basis over the 275 worldwide diplomatic posts (or 1600 work facilities) and over the remainder of the fiscal year.
International affairs is important but apparently not important enough to merit the right interest in Congress in the last two decades when it comes to appropriating funds. There’s enough blame to go around going back to 1995, spanning three administrations, all the way back to the 104th Congress and every congressional session thereafter.
Remember that the next time you see an elected representative shed tears on teevee or blow fire from his ass about somebody or another not doing enough for the diplomats our country sends overseas.
The first announcement about the troubled Consular Consolidated Database (CCD) went out on Wednesday, July 23:
The Department of State Bureau of Consular Affairs is currently experiencing technical problems with our passport/visa system. This issue is worldwide and is not specific to any particular country, citizenship document, or visa category. We apologize to applicants who are experiencing delays or are unable to obtain a passport, Consular Report of Birth Abroad, or visa at this time. We are working urgently to correct the problem and expect our system to be fully operational again soon.
The AP reported on July 23 that unspecified glitches have resulted in performance issues since Saturday, which would be July 19.
On July 25, CA announced: “Our visa and passport processing systems are now operational, however they are working at limited capacity. We are still working to correct the problem and expect to be fully operational soon.”
A State Department official speaking on background told us the same day that this issue was not/not caused by hackers. We were told that the CCD crashed shortly after maintenance was performed and that the root cause of the problem is not yet known.
As of July 27, the Department of State has made continued progress on restoring our system to full functionality. As we restore our ability to print visas, we are prioritizing immigrant cases, including adoptions visas. System engineers are performing maintenance to address the problems we encountered. As system performance improves, we will continue to process visas at U.S. Embassies and Consulates worldwide. We are committed to resolving the problem as soon as possible. Additional updates will be posted to travel.state.gov as more information becomes available.
The Department of State Bureau of Consular Affairs continues to make progress restoring our nonimmigrant visa system to full functionality. Over the weekend, the Department of State implemented system changes aimed at optimizing performance and addressing the challenges we have faced. We are now testing our system capacity to ensure stability. Processing of immigrant visas cases, including adoptions, remains a high priority. Some Embassies and Consulates may temporarily limit or reschedule nonimmigrant visa interview appointments until more system resources become available to process these new applications. We sincerely regret the inconvenience to travelers, and are committed to resolving the problem as soon as possible. Additional updates will be posted to travel.state.gov as more information becomes available.
The CA Bureau’s Facebook page has been inundated with comments. There were complaints that at one post the visas were printing fine and then they were not. There were complaints from people waiting for visas for adopted kids, for fiancees, for family members, for family waiting at the border, for students anxious to get to their schools, people worried about time running out for diversity visas, applicants with flights already booked, and many more. One FB commenter writes, “I feel that the problem most people have is not that the system broke, but the lack of clear, meaningful information so people can make appropriate plans.”
Other than what the CA Bureau chose to tell us, we cannot pry any substantial detail from official sources. We, however, understand from sources familiar with the system but not authorized to speak for the bureau that the CCD has been having problems for some time but it got worse in the last couple of weeks. If you’re familiar with the highs and lows of visa operation, this will not be altogether surprising. Whatever problems already existed in the system prior to this “glitch” could have easily been exacerbated in July, which is the middle of the peak travel season worldwide. A source working in one of our consular posts confirmed to us that the system is back running, but not at the normal level and that the backlogs are building up. Another source told us that Beijing already had a 15k NIV backlog over the weekend. We haven’t yet heard what the backlogs are like in mega visa-issuing posts like Brazil, Mexico and India.
We understand that everyone is currently doing all they can to get the process moving, but that some cases are getting through the system, while some are not. No one seems to know why this is happening. These machine readable visas are tied to the system and there are no manual back-ups for processing these cases (more on that below).
So who owns CCD?
The Office of Consular Systems and Technology (CA/CST) manages the CCD. We have previously blogged about its troubled past:
CST is currently headed by a new Director, Greg D Ambrose, who reports to the CA Bureau’s Assistant Secretary. It looks like despite the 2011 OIG recommendation, the CST deputy position remains vacant. We should also note that the Asst Secretary for Consular Affairs Janice Jacobs retired this past April. No replacement has been nominated to date and Michele T. Bond has been Acting Assistant Secretary since Ms. Jacobs’ departure.
Last September, Mr. Ambrose was with FedScoopTV and talked about Consular One, the future of consular IT.
CST Just Got a New Data Engineering Contract
In May 2014, ActioNet, Inc., headquartered in Vienna, Virginia, announced a 5-year task order for data engineering, supporting CST.
ActioNet, Inc. announced today the award of a five (5)-year task order entitled Data Engineering (DE) in support of Department of State (DOS). This task order will provide data engineering and database infrastructure support services necessary for planning, analysis, design, and implementation services for the Bureau of Consular Affairs. These services also include contract and program management support to ensure that innovation, efficiency, and cost control practices are built into the program. […] The Office of Consular Systems and Technology (CST) within the Bureau develops, deploys and maintains the unclassified and classified IT infrastructures that help execute these missions. The Bureau currently manages over 800 servers worldwide, in order to comply with the fast paced changes inherent to data processing and telecommunications, CST requires that contractor services provide for rapid provisioning of highly experienced and trained individuals with the IT (information technology) backgrounds and the security clearances required of CA’s environment of workstation-based local and wide-area network infrastructures.
Due to limited information available, we don’t know if the new Consular One and/or the new DE contract are related to ongoing issues or if there are hardware issues, given the multiple legacy systems, but we do know that CST has both an impressive and troubled history. Let’s take a look.
Records Growing by the Day
The 2010 Consular Consolidated Database (CCD) Privacy Impact Assessment (PIA) describes (pdf) the CCD as “one of the largest Oracle based data warehouses in the world that holds current and archived data from the Consular Affairs (CA) domestic and post databases around the world.” According to the PIA, in December 2009, the CCD contained over 100 million visa cases and 75 million photographs, utilizing billions of rows of data, and has a current growth rate of approximately 35 thousand visa cases every day. The 2011 OIG report says that in 2010, the CCD contained over 137 million American and foreign case records and over 130 million photographs and is growing at approximately 40,000 visa and passport cases every day.
That was almost four years ago.
A Critical Operational and National Security Database with No Back-Up System?
According to publicly available information, the CCD’s chief functions are 1) to support data delivery to approved applications via industry-standard Web Service queries, 2) provide users with easy-to-use data entry interfaces to CCD, and 3) allow emergency recovery of post databases. The CCD also serves as a gateway to IDENT and IAFIS fingerprint checking databases, the Department of State Facial Recognition system, and the NameCheck system. It provides access to passport data in Travel Document Issuance System (TDIS), Passport Lookout Tracking System (PLOTS), and Passport Information Electronic Records System (PIERS). The OIG says that the CCD serves 11,000 users in the Department and more than 19,000 users in other agencies, primarily the Department of Homeland Security (DHS) and various law enforcement elements, and is accessed more than 120 million times every month.
Given that the CCD is considered “a critical operational and national security database,” there are, surprisingly, no redundancies or any back-up system.
Resurrect the Standard Register protectograph aka: ‘Burroughs visas’?
No one is actually suggesting that but when the CCD system is down, there is no manual way to issue a visa. No post can handprint visas because security measures prevent consular officers from printing a visa unless it is approved through the database system. Here is a quick history of the handprinted ‘Burroughs visas’ and the machine readable visas via the GPO:
November 18, 1988, mandated the development of a machine-readable travel and identity document to improve border entry and departure control using an automated data-capture system. As a result, the Department developed the Machine Readable Visa, a durable, long-lasting adhesive foil made out of Teslin.
Before MRVs, nonimmigrant visas were issued using a device called a Standard Register protectograph, otherwise known as a Burroughs certifier machine. It produced what was colloquially known as a “Burroughs visa,” an indelible ink impression mechanically stamped directly onto a page in the alien’s passport. Over time, Burroughs machines were gradually replaced by MRV technology, which is now used exclusively by all nonimmigrant visa issuing posts throughout the world.
Burroughs visas contained a space in which a consular employee was required to write the name of the alien to whom the visa was being issued. An alien’s passport might also include family members, such as a spouse, or children, who also had to be listed on the visa. In March 1983, in order to expedite the issuance of nonimmigrant visas and to improve operational efficiency, the Department authorized the use of a “bearer(s)” stamp for certain countries so that consular officers would not have to spend time writing in the applicant’s name (and those of accompanying family members). MRVs, however, must be issued individually to qualified aliens. Consequently, the “bearer” annotation has become obsolete.
The problem with the old Burroughs machine, besides the obvious, was maybe — you run out of ink, the plates are ruined/broken or you need it oiled. We could not remember those breaking down. With the MRV technology, all posts are connected to a central database, and the new machines by themselves cannot issue visas. Which brings us to the security of that system.
Management Alert on Information System Security Program
The State Department PIA says that “To appropriately safeguard the information, numerous management, operational, and technical security controls are in place in accordance with the Federal Information Security Management Act (FISMA) of 2002 and information assurance standards published by the National Institute of Standards and Technology (NIST).” Must be why in November 2013, the Office of the Inspector General issued a Management Alert for significant and recurring weaknesses found in the State Department’s Information System Security Program over the past three fiscal years (FY 2011-2013).
In 2011, State/OIG also issued a report on CA’s CST division that has what appears to be a lengthy discussion of the CCD, but almost all of it, save a paragraph, had been redacted:
That OIG report also includes a discussion of the Systems Development Life Cycle Process and notes that decision control gates within CST’s SDLC process are weak. It cites a couple of examples where this manifested: 1) the development of the Consular Report of Birth Abroad (CRBA) system. “The ownership of development and deployment shifted throughout the process, and the business unit’s requirements were not clearly communicated to the development team. As a result, CST designed and tested the CRBA for a printer that did not match the printer model identified and procured by the business unit;” 2) the Crisis Task Force application, for which CST was tasked to enhance its Web-facing interaction. “The deployment of this application has been challenged by the lack of project ownership and decision controls, as well as by the incomplete requirements definition. The use of incorrect scripts that were provided by the CM group has further delayed the Crisis Task Force application’s deployment.”
If there’s somethin’ strange in your CCD, who ya gonna call? (Glitchbusters!)
The Consular Consolidated Database (CCD) is central to all consular operations. It is run by CST where, according to the OIG, “the smooth functioning of every part of the office depends on its contractors.” And because it runs such an important element of U.S. national security systems, if all of CST’s contractors, all 850 of them, quit, this critical consular data delivery to the State Department and other Federal agencies would screech to a halt.
To carry out its mandate, CST must provide uninterrupted support to 233 overseas posts, 21 passport agencies, 2 passport processing centers, and other domestic facilities, for a total of 30,000 end users across 16 Federal agencies and in nearly every country. CST faces 24/7/365 service requirements, as any disruption in automated support brings operations to an immediate halt, with very serious implications for travelers and the U.S. image. […] CST is led by a director and is staffed by 68 full-time equivalent (FTE) employees (62 Civil Service and 6 Foreign Service). There are 12 positions (3 Foreign Service and 9 Civil Service) currently vacant. CA recently authorized CST 19 additional FTE positions. There are also more than 850 contractors operating under nearly 30 different contracts. In FY 2010, CST’s annual operating budget was approximately $266 million.
If CCD is compromised for a lengthy period such as the last couple of weeks, what is the back-up plan to keep the operation going? Obviously, none. It’s either down or running under limited or full capacity. No one we know remembers CCD problems persisting this long. Right now, we know from a reliable source that the system is not down, and some cases are going through but — what if the CCD is completely down for two weeks … four weeks … wouldn’t international travel come to a slow stop?
What if CCD goes down indefinitely, whether by hardware or software glitch or through malicious penetration by foreign hackers? What happens then?
Currently, it appears nothing can be done but for folks to be patient and wait until the fixes are in. We know they’re working hard at it but there’s got to be a better way. Perhaps we can also agree that this has very serious national security implications on top of disgruntled travelers and a grave impact on the U.S. image overseas.
The State Department spokesman said, “We hold all employees to the highest standards.” Her top boss also said, “all employees of this department are held to the highest standards, now and always.” Of course, they are held to the highest standards. They are all public servants representing the United States overseas; we hold them to the highest expectation. But what we want to hear from the Secretary of State is what he is going to do if these allegations of manipulation and interference of DSS investigations are proven true.
Since we haven’t heard anything about that, we’re just going to borrow this guy talking about standing up for others, moral courage and legacy.
This is the Chief of Army, Lieutenant General David Morrison, AO, to the Australian Army following the announcement on Thursday, 13 June 2013 of civilian police and Defence investigations into allegations of unacceptable behaviour by Army members.
“If we are a great national institution – if we care about the legacy left to us by those who have served before us, if we care about the legacy we leave to those who, in turn, will protect and secure Australia – then it is up to us to make a difference.