The State Department announced that it will host GLACIER, “an important conference in Anchorage, Alaska on August 30-31 that will focus the world’s attention on the most urgent issues facing the Arctic today.”
GLACIER stands for Global Leadership in the Arctic: Cooperation, Innovation, Engagement, & Resilience and “will be a global conversation” convened by U.S. Secretary of State John Kerry. It will reportedly include senior U.S. Government officials and representatives from seven other Arctic nations as well as Arctic experts from the global scientific and policy communities, public and private sector representatives, and Alaskan State, local and indigenous leadership. The conference expects delegations from around 20 countries and about 450 participants.
As a prelude to the event starting Sunday, the State Department held a Special Briefing via teleconference with a senior State Department official. It also issued an “important reminder” that this was an “on-background call, so [Senior State Department Official] should be referred to as a senior State Department official going forward” and asked attendees to “appreciate that courtesy professionally.” “On background” usually means that a reporter can use the information you give them, but cannot name or quote you directly.
Excerpt below from the Senior State Department Official:
The excitement and momentum are building here in Anchorage as we approach the GLACIER conference. I’ve been here, I think, as I said, since Monday, and have been involved with one other conference, the Alaskan Arctic Conference, which was organized by former Lieutenant Governor Mead Treadwell, who is currently the president of Pt Capital, and Alice Rogoff, who owns the Alaska Dispatch News. I spoke at that conference on Tuesday to wrap that up. And over the intervening days, I’ve had an opportunity to meet with the mayor, the governor, and other senior officials here in Alaska. I visited the University of Alaska; I traveled down to Seward, Alaska to the Alaska SeaLife Center; and also took a walk out to, most appropriately, the Exit Glacier since we’re here for the GLACIER conference. It was a special treat to go out there not just to see the glacier and the beauty of the Alaska countryside, but also to see the dramatic changes that have occurred over the years, particularly looking at pictures and the geography out there on how that particular glacier has receded, and particularly over the last couple of decades.
Senior State Department official hikes Exit Glacier in Seward, Alaska, August 2015 (Photo via DipNote)
So it’s a great scene setter for me. I returned to Anchorage yesterday after the Seward trip. I met with a series of people, including students at the University of Alaska. Today, I’ll be going out to Alaska Command to talk about our U.S. leadership efforts in the Arctic Council, doing a couple of interviews both on TV and with the press, and most importantly, speaking to all of you today.
GLACIER is going to be a historic event. The media outlets up here have been promoting not just the conference, but in particular, the fact that our final speaker on Monday will be the President of the United States. Even beyond that, he is coming in for the GLACIER conference, but I think as everybody knows now, he’s going to spend some time in Alaska and he will be the first president – the first sitting president to visit the American Arctic, going above the Arctic Circle here in Alaska.
We have a jam-packed day on Monday. There’ll be an opening plenary session with senior officials, leadership from Alaska and Alaska native groups speaking to the entire session. Secretary Kerry, Dr. John Holdren, the science advisor to the President will speak, and then the ministers will be involved in a track for the remainder of the day covering various topics, talking about the challenges in the Arctic. And the other participants – the 300 or so other participants in addition to the delegations will be broken down into two separate tracks which will cover various issues throughout the day as well. Everybody’s brought back together at the end of the day for the final plenary session, at which time we’ll have the President speak to us and we’re all, as I said, very excited about that.
This is obviously a very significant event for Alaska, but I think it’s also a significant event for the world. Whenever the United States gets involved in a project, whenever the United States puts its focus on problems or issues, there is usually action that occurs. And as an individual, as an American, as a retired Coast Guardsman, an employee of the State Department, I could not be more excited that we are now gaining this focus on our Arctic challenges all brought together here in this wonderful conference that’s going to occur on Monday.
According to his brief bio, Adm. Robert J. Papp Jr., USCG (Ret.) became the U.S. State Department’s special representative for the Arctic in July of 2014. Prior to his appointment, Papp served as the 24th Commandant of the U.S. Coast Guard, and led the largest component of the Department of Homeland Security. We are aware of no other Senior State Department official who also previously served as a retired Coast Guardsman.
Why the State Department finds it necessary to have a special briefing on background with its special representative for the Arctic is perplexing. We’ve come up with zero bucket for reasons. Anybody out there understand the why here, please share.
For obvious reasons, we are unable to share the name of the retired diplomat here but we have permission to share this with our readers.
Retired FSO: I was planning on blogging about Hillary’s emails. Title: “If I Did What Hillary Did, I’d Be In Jail.”
Me: Great! Looking forward to reading it!
Retired FSO: But I won’t.
Retired FSO: Just read 3 FAM 4170. I’m retired. I can’t believe I really need to clear my blogposts with PA. I mean, I’d use common sense, you know? I wouldn’t be divulging stuff like, say, our nuclear launch codes, or the chronically malfunctioning air conditioning system at Main State. I’d just focus on how when you become a charter member of America’s political elite, the rules don’t apply to you. That’s all.
Me: Only stuff “of department concern” needs clearance. Max timeframe for blogs, five days.
Retired FSO: But they’ve made me jittery. I don’t fancy jail. They’d probably force me to watch re-runs of “Madame Secretary” every day; let me read only the FAM! The eighth amendment doesn’t allow this kind of cruel and unusual punishment, but Mother State can be as vindictive as a Borgia dowager.
Me: Okay. So, does this mean you’ll stop blogging?
Retired FSO: Nah. Maybe I’ll just write about my pets from now on. Think anybody would read Diplo Doggy’s Adventures?
The Daily Signal picked it up and got an official statement from deputy spox Mark Toner:
State Department Deputy Spokesperson Mark Toner says the reason for the revisions is actually “to underscore that the Department encourages employees to engage with the public on matters related to the nation’s foreign relations.”
“The revised policies and procedures are more protective of employee speech as they establish a higher bar for limiting employees’ writing or speaking in their personal capacity, while also recognizing changing technologies in communication, such as social media,” Toner said in a statement to Daily Signal.
Toner also said the revisions do not change the procedures employees must follow before testifying in court or before Congress but “streamline the review process and also remind employees about existing rules regarding the disclosure of classified and other protected information.”
Streamline-apalooza! Here’s the laugh out loud cry from our favorite Veronica Mars:
“It’s an absolute overreach,” Rep. Jason Chaffetz, chairman of the House Oversight and Government Reform Committee told the Daily Signal:
“They should be able to talk to the media, they should be able to speak to Congress,” the Utah Republican said. “They have an absolute and total right to interact with Congress. There are whistleblower protections. That’s not a balanced approach to current and former employees’ rights.”
No kidding! We imagine that the State Department would say no one is preventing anyone from speaking to the media or Congress, they just want to know what you’re going to say first. Before you say it. And hey, the agency will even help you clean it up, if needed.
When the ACLU defended Mr. Van Buren in 2012, it made the following argument:
The Supreme Court has long made clear that public employees are protected by the First Amendment when they engage in speech about matters of public concern. A public employee’s First Amendment rights can be overcome only if the employee’s interest in the speech is outweighed by the government’s interest, as employer, in the orderly operation of the public workplace and the efficient delivery of public services by public employees. Pickering v. Bd. of Educ., 391 U.S. 563, 568 (1968). The government bears an even greater burden of justification when it prospectively restricts employees’ expression through a generally applicable statute or regulation. United States v. National Treasury Employees Union, 513 U.S. 454, 468 (1995) (“NTEU”).
The Supreme Court has repeatedly held that public employees retain their First Amendment rights even when speaking about issues directly related to their employment, as long as they are speaking as private citizens. Garcetti v. Ceballos, 547 U.S. 430, 421 (2006).
Further, the State Department’s pre-publication review policy, as applied to blog posts and articles, raises serious constitutional questions. Through its policy, the State Department is prospectively restricting the speech of Mr. Van Buren as well as all present and future State Department employees. Where, as here, the restriction limits speech before it occurs, the Supreme Court has made clear that the government’s burden is especially heightened. NTEU, 513 U.S. at 468. The State Department must show that the interests of potential audiences and a vast group of present and future employees are outweighed by that expression’s necessary impact on the actual operation of government. Id. Courts have also required careful tailoring of prospective restrictions to ensure they do not sweep too broadly and that they actually address the identified harm. Id. at 475. Given this heightened standard, it is highly unlikely that the State Department could sustain its burden of demonstrating that its policy is constitutional.
In 2012, the ACLU presumably used the 2009 version of 3 FAM 4170. The updated version of 3 FAM 4170 issued July 27, 2015 is much tighter and has a much wider reach. We don’t know how one could argue that this enhanced policy could better sustain constitutional challenge. But then, perhaps, State has a stable of constitutional lawyers at the ready. Besides, those folks outside the building do not have legal standing to challenge these rules. So.
Oh, wait, perhaps, the State Department is also counting that no one will cross the fine line after Mr. Van Buren, and this policy functions, at its core, as a simple deterrent.
We acknowledge the reports. While we will not comment on or confirm the specifics of this particular assertion, we know that malicious actors often target email accounts of government and business leaders across the United States.
We’ve also inquired about its response, or guidance to personnel, if any, and the State Department, still on background, would only say this:
We believe it is important for not only government and private sector companies but also individuals to improve their cybersecurity practices. That is why this Administration is working hard to raise our cyber defenses across the board.
Well, we hope they’re talking to employees behind the firewall with more substance than this two-sentence practically useless response.
We have not been able to find any State Department response or guidance on this on the public net, but DOD has some useful reminders posted on the web, no logons required. The first set of slides below is actually a social networking cybersecurity awareness briefing by Diplomatic Security. The slide set appears dated a few years back (uses 2009 examples) and is not available, as far as we can tell, from state.gov. We found this set posted on the slideshare site maintained by the Defense Department. The other two sets of slides, one on opsec for families and one on geotagging safety for those who post photos online, are both from the DOD site.
Social Networking Cybersecurity Awareness
Social Media Cyber Security Awareness Briefing | OPSEC For Families
On July 27, 2015, two months short of Year 3 since Mr. Van Buren retired, the State Department without much fanfare released its new 3 FAM 4170 rules in 19 pages. For the “FAM is not a regulation; it’s recommendations” crowd, we hope you folks have great lawyers.
My! Look who’s covered!
The updated FAM, same as the old FAM, is divided into two meaty parts — official capacity public communication and personal capacity public appearances and communications. The new version of 3 FAM 4170 is all encompassing, covering the following (not exhaustive list):
— all personnel in the United States and abroad who are currently employed (even if in Leave Without Pay status) by the Department of State and the United States Agency for International Development (USAID), including but not limited to Foreign Service (FS) employees, Civil Service (CS) employees (including schedule C appointees and annuitants returning to work on temporary appointments on an intermittent basis, commonly referred to as “While Actually Employed (WAE)” personnel), locally employed staff (LE Staff), personal service contractors (PSCs), employees assigned to fellowships or details elsewhere and detailees or fellows from other entities assigned to the Department, externs/interns, and special government employees (SGEs).
— Former Department of State employees (including former interns and externs) must seek guidance from A/GIS/IPS for applicable review process information. Former USAID employees (including former interns and externs) must consult the Bureau for Legislative and Public Affairs for applicable review process information.
— Employee testimony, whether in an official capacity or in a personal capacity on a matter of Departmental concern, may be subject to the review requirements of this subchapter. Employees should consult with the Department of State’s Office of the Legal Adviser or USAID’s Office of the General Counsel, as appropriate, to determine applicable procedures.
In practical terms, we think this means that if you get summoned to appear before the House Select Benghazi Committee and are testifying in your personal capacity as a former or retired employee of the State Department, these new regulations may still apply to you, and you may still need clearance before your testimony.
Convince us that we’re reading this wrong, otherwise, somebody poke Congress, please.
Also, does this mean that all retired FSOs who contribute to ADST’s Oral History project are similarly required to obtain clearance since by its definition, “online forums such as blogs” and “a person or entity engaged in disseminating information to the general public” are considered media organizations under these new rules?
Institutional interest vs. public interest
We are particularly interested in the personal capacity publication/communication rules because that’s the one that can get people in big trouble, as shown in the Van Buren case. Here’s the equivalent of our bold Sharpie.
3 FAM 4176.4 says: “A principal goal of the review process for personal capacity public communications is to ensure that no classified or other protected information will be disclosed without authorization. In addition, the Final Review Office will evaluate whether the employee’s public communication is highly likely to result in serious adverse consequences to the efficiency or mission of the Department, such that preventing those consequences outweighs the employee’s presumptively high interest in communicating and the public’s interest in receiving the communication.”
Institutional interest trumps public interest? Where do you draw the line? You can still write a dissent cable as the “3 FAM 4172.1-3(D). No Review of Dissent Channel Communications” included in the 2009 version of the FAM survives as 3 FAM 4171 (e) in the current rules:
Views on matters of Departmental concern communicated through methods of internal communication (including, for example, the Department’s internal dissent channel) or disclosures made pursuant to 5 U.S.C. 2302(b)(8)(B) are not subject to the review requirements of this subchapter.
Which is fine and all, except — who the heck gets to read your dissent cable except the folks at Policy Planning? The State Department is not obligated to share with Congress or with the American public any dissenting opinions from its diplomats. One might argue that this is appropriate, after all, you can’t have diplomats second guessing in public every foreign policy decision of every administration. So, the American public typically only hears about it when a diplomat quits. But given the two long wars in Iraq and Afghanistan, is the American public best served by this policy? And by the way, candid opinion like the case of the six-page memo, entitled “The Perfect Storm,” in the lead up to the Iraq War, is still classified. Why is that?
The new regs also say this:
“To the extent time and resources allow, reviewers may assist the employee in identifying possible modifications or other adjustments to avoid the inclusion of non-classified but otherwise protected information, or the potential for adverse consequences to the Department’s mission or efficiency (including the employee’s ability to perform his or her duties effectively in the future).”
If we weigh the Van Buren book against these parameters, how much of the book’s 288 pages would survive such “modifications” or “adjustments”?
There goes the book, We Meant Well in Afghanistan, Also.
The Peter Van Buren Clause
We’ve come to call “3 FAM 4172.1-7 Use or Publication of Materials Prepared in an Employee’s Private Capacity That Have Been Submitted for Review” the Peter Van Buren clause. Below is the original language from the 2009 version of the FAM:
An employee may use, issue, or publish materials on matters of official concern that have been submitted for review, and for which the presumption of private capacity has not been overcome, upon expiration of the designated period of comment and review regardless of the final content of such materials so long as they do not contain information that is classified or otherwise exempt from disclosure as described in 3 FAM 4172.1-6(A).
That section of the FAM appears to survive under the current 3 FAM 4174.3 Final Review Offices, underlined for emphasis below.
c. To ensure that no classified information is improperly disclosed, an employee must not take any steps to proceed with a public communication (including making commitments to publishers or other parties) until he or she receives written notice to proceed from the Final Review Office, except as described below. If, upon expiration of the relevant timeframes below, the Final Review Office has not provided an employee with either a final response or an indication that a public communication involves equities of another U.S. Government entity (including a list of the entity or entities with equities), the employee may use, issue, or publish materials on matters of Departmental concern that have been submitted for review so long as such materials do not contain information described in 3FAM 4176.2(a) and taking into account the principles in 4176.2(b). When an employee has been informed by the Final Review Office that his or her public communication involves equities of another U.S. Government entity or entities, the employee should not proceed without written notice to proceed from the Final Review Office. Upon the employee’s request, the Final Review Office will provide the employee with an update on the status of the review of his or her public communication, including, if applicable, the date(s) on which the Department submitted the employee’s communication to another entity or entities for review. Ultimately, employees remain responsible for their personal capacity public communications whether or not such communications are on topics of Departmental concern.
The Van Buren clause appears to survive, until you take a closer look; italicized below for emphasis:
3 FAM 4176.2 (a) Content of Personal Capacity Public Communications
a. When engaging in personal capacity public communications, employees must not:
(1) Claim to represent the Department or its policies, or those of the U.S. Government, or use Department or other U.S. Government seals or logos; or
(2) Disclose, or in any way allow the public to access, classified information, even if it is already publicly available due to a previous unauthorized disclosure.
3 FAM 4176.2 (b) Content of Personal Capacity Public Communications
b. As stated in 3 FAM 4174.2(c)(1), a purpose of this review process is to determine whether the communication would disclose classified or other protected information without authorization. Other protected information that is or may be subject to public disclosure restrictions includes, but is not limited to:
(1) Material that meets one or more of the criteria for exemption from public disclosure under the Freedom of Information Act (FOIA), 5 U.S.C. 552(b), including internal pre-decisional deliberative material;
(2) Information that reasonably could be expected to interfere with law enforcement proceedings or operations;
(3) Information pertaining to procurement in violation of 41 U.S.C. 2101-2107;
(4) Sensitive personally identifiable information as defined in 5 FAM 795.1(f); or
(5) Other nonpublic information, when used in a manner as prohibited by 5 CFR 2635.703.
Can one make the case that the conversations between the writer and his boss in the Van Buren book are “internal pre-decisional deliberative material?” Or that any conversation between two FSOs is deliberative? Of course. State can make a case about anything and everything. Remember, it did try to make the case that the book contained classified information. (see “Classified” Information Contained in We Meant Well – It’s a Slam Dunk, Baby!). Also, we should note that documents marked SBU or sensitive but unclassified are typically considered nonpublic information. Under these new rules, it’s not just classified information anymore; anything the agency considers deliberative material or any nonpublic material may be subject to disclosure restrictions.
3 FAM 4174.2 Overview (2015): Waving the ‘suitability for continued employment’ flag
c. Employees’ personal capacity public communications must be reviewed if they are on a topic “of Departmental concern” (see 3 FAM 4173). Personal capacity public communications that clearly do not address matters of Departmental concern need not be submitted for review.
(1) The personal capacity public communications review requirement is intended to serve three purposes: to determine whether the communication would disclose classified or other protected information without authorization; to allow the Department to prepare to handle any potential ramifications for its mission or employees that could result from the proposed public communication; or, in rare cases, to identify public communications that are highly likely to result in serious adverse consequences to the mission or efficiency of the Department, such that the Secretary or Deputy Secretary must be afforded the opportunity to decide whether it is necessary to prohibit the communication (see 3 FAM 4176.4).
(2) The purposes of the review are limited to those described in paragraph (1); the review is not meant to insulate employees from discipline or other administrative action related to their communications, or otherwise provide assurances to employees on matters such as suitability for continued employment (see, e.g., 3 FAM 4130 for foreign service personnel and 5 CFR 731 for civil service personnel). Ultimately, employees remain responsible for their personal capacity public communications whether or not such communications are on topics of Departmental concern.
More 3 FAM 4170 Fun: Not meant to insulate employees from discipline or other administrative action
3 FAM 4176.1(e) General
e. As stated in 3 FAM 4174.2(c)(1), the review process is limited to three purposes. (See also 3 FAM 4176.4.) Therefore, completion of the review process is not a Department “clearance” or “approval” of the planned communication, and is not meant to insulate employees from discipline or other administrative action related to their communications, including for conducting personal capacity public communications that interfere with the Department’s ability to effectively and efficiently carry out its mission and responsibilities, by, for example, disrupting operations, impairing working relationships, or impeding the employee from carrying out his or her duties. Ultimately, employees remain responsible for their personal communications whether or not the communications are on topics of Departmental concern.
3 FAM 4176.3 Employee must disclose his/her identity to Department reviewers
a. PA reviews all personal capacity public communications on matters of Departmental concern by senior officials at the Assistant Secretary level and above, including Chiefs of Mission. For all other employees wishing to communicate publicly in their personal capacity on matters of Departmental concern, there are two review processes available:
(1) Individuals may, as a first step, submit their requests for review to the Final Review Office (as described in 3 FAM 4174.3(a)). For employees submitting a request to PA, such requests should be submitted via PAReviews@state.gov. The Final Review Office will then consult with the employee’s immediate supervisor(s) and any other offices concerned with the subject matter in accordance with 3 FAM 4176.4(c). The Final Review Office will then make the final determination; and
(2) Alternatively, employees may initially submit their requests for review to their immediate supervisor(s), the Public Affairs Office in their bureaus or posts, and any other Department offices concerned with the subject matter. The materials must then be submitted to the Final Review Office, noting all such reviewers and any comments received. The Final Review Office will then verify those reviews, assess whether other reviews are needed, and make the final determination.
b. Supervisors, Public Affairs Offices, or any other offices involved in the review process must flag for the Final Review Office any view that the proposed public communication may:
(1) Contain classified or other protected information;
(2) Result in serious adverse consequences to the efficiency or mission of the Department; or
(3) Be or become high impact or high profile, for example communication that is controversial, or otherwise involves a sensitive Department priority; and
(4) The Final Review Office will then apply the standard described in 3 FAM 4176.4(a).
c. In all cases, an employee must disclose his or her identity to the relevant Department reviewers.
d. If another U.S. Government entity seeks Department review of a personal capacity public communication by that entity’s employee, the Department office in receipt of such request must coordinate with PA.
3 FAM 4177 Noncompliance may result in disciplinary action, criminal prosecution and/or civil liability.
a. Failure to follow the provisions of this subchapter, including failure to seek advance reviews where required, may result in disciplinary or other administrative action up to and including separation. Violations by USAID employees may be referred to the Deputy Administrator for Human Resources or USAID’s Office of the Inspector General (see 3 FAM 4320). Disciplinary action will be pursued consistent with applicable law, including 5 U.S.C. 2302.
b. Publication or dissemination of classified or other protected information may result in disciplinary action, criminal prosecution and/or civil liability.
This is the part where we must remind you that what the former State Department spokesperson said about the FAM being recommendations is a serious bunch of hooey!
Oh, hey, remember the 2-day clearance for tweets …’er scandal?
We wrote about it here and here, and the “ain’t gonna happen 2-day clearance” for social media posting is now part of the Foreign Affairs Manual. Apologies if the 2-working day review timeframe below for social media postings is too shocking for 21st century statecraft innovation purists. These are the rules, unless you can get the current State Department spokesperson to say from the podium that these are merely recommendations that employees/retirees/interns/charforce are free to ignore. We must add that the 2009 version of these rules required that materials of official concern submitted in the employee’s private capacity must “be submitted for a reasonable period of review, not to exceed thirty days.” The old rules made no distinction whether the submitted material is a book manuscript, an article, a blogpost or a tweet.
screen grab from 3 FAM 4170
Yo! What’s Missing?
The new regs emphasize the need for official clearance for official and private communication “to ensure that no classified information is improperly disclosed.” They do not, however, include any guidance on the use of a private server for emails and social media postings where classified information could be improperly disclosed.
A Much Better FAM Version, Hey?
From the organizational perspective, some folks would say that this is a “much better” version of the FAM. We’d call this a much better plug. An insider could argue that this is a “very fine sieve.”
Okeedokee, but what do you think will be its consequences for the rank and file? No one will officially admit this as the intent, but after reading this new version of 3 FAM 4170, this is what we think it really says:
The updated regs also say that “In light of the rapid pace with which many social media platforms are used, all offices, sections, or employees who routinely post to such platforms in their official capacity are encouraged to seek advance blanket authorization to engage for their social media communications, in accordance with 3 FAM 4175.1(c).”
The blanket authorization, as far as we can tell, only applies to those who are engaged in social media platforms in their official capacities; it makes no similar provision for employees in social media platforms in their private capacities.
Fun With Fido or Grumpy Cat
The new regs helpfully note that “Employees who, in their personal capacity, wish to communicate publicly on matters that are clearly not “of Departmental concern” (see 3 FAM 4173) need not seek Department review under the procedures outlined herein, and need not use the personal capacity disclaimer discussed below in paragraph (b).”
So, basically, if you blog, tweet or write a book about Kitty Kat or Fidodog, or about their travels and adventures in Baghdad, Kabul, Sanaa, and all the garden spots, you don’t need to seek Department review. That is, as long as Kitty Kat is not secretly arming the rodent insurgents and tweeting about it and Fidodog is not flushing government money down the toilet and blogging about it.
According to CNN, a group calling itself the Islamic State Hacking Division recently posted online a purported list of names and contacts for Americans it refers to as “targets,” according to officials.
Though the legitimacy of the list is questionable, and much of the information it contains is outdated, the message claims to provide the phone numbers, locations, and “passwords” for 1400 American government and military personnel as well as purported credit card numbers, and excerpts of some Facebook chats.
The Guardian describes the list as a spreadsheet, published online last week which exposes names, email addresses, phone numbers and passwords. The 1,482 names include members of the U.S. Marine Corps, NASA, the State Department, the U.S. Air Force, and the FBI.
The Daily Mail reports that the list includes an accompanying message that reads: ‘Know that we are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts.’
The list apparently also includes the names of eight Australians and UK government personnel. In Australia, where this is huge news, Prime Minister Tony Abbott told the press, “We’ve just discovered that it’s actually able to launch cyber attacks in this country so this is a very sophisticated and deadly threat to us even here in Australia.” A chief executive of a forensic data firm in the country went so far as to advise that Canberra’s public servants get off social media. He also recommended that “on the day [ADFA] cadets enlist, their entire electronic lives be erased” and that “they should not exist on digital networks until they retire from Defence.”
The reaction here is a little less ZOMG! Last week, then Army Chief of Staff Gen. Ray Odierno said in a press conference that “this is the second or third time they’ve claimed that and the first two times I’ll tell you, whatever lists they got were not taken by any cyber attack.”
“This is no different than the other two,” Odierno said. “But I take it seriously because it’s clear what they’re trying to do … even though I believe they have not been successful with their plan.”
CNN reports that Pentagon spokesman Lt. Col. Jeffrey Pool also cautioned that many of the military email addresses looked at least several years old, based on their suffixes. He said that shortly after this list was posted, a reminder went out to service personnel that they should limit the personal information they put on social media. “If any of your information on it is accurate, you’re very concerned,” former Homeland Security adviser Fran Townsend told CNN, “as are government officials.”
According to the Washington Examiner, State Department employees comprise about a quarter of the alleged personal information on the list. That would be about 370 names. It also says that at the bottom of the leaked document, originally posted on zonehmirrors.org, are receipts from State Department employees along with their credit card numbers. The report notes that Islamic State supporters tweeted a link to the document and also tweeted, in one instance, information claiming to be the personal details of a staff member from the U.S. embassy in Cairo that said: “To the lone wolves of Egypt.”
Technology security expert Troy Hunt writes that “nothing makes headlines like a combination of ISIS / hackers / terrorism!” and has taken a closer look with an analysis here. Mr. Hunt’s conclusion — drawn merely from looking at the leaked list and applying what he observed from experience with previous data dumps — is that “the data is almost certainly from multiple locations and very unlikely to be from a single data breach.” Also that “most of the data is easily discoverable via either existing data breaches or information intentionally made public.” He writes, “Even the source of the amalgamated data is unverifiable – it could be someone who does indeed wish harm on the individuals named, it could be a kid in his pyjamas, there’s just not enough information to draw a conclusion either way.”
In his analysis of the ISIS list, Mr. Hunt says that “there are many sources from which attributes in this list can be compiled.” As an example, he cited the Adobe breach of 2013 in which 152M records were leaked, which includes 257k .gov email addresses. He writes:
The ISIS list has a lot of state.gov email addresses – Adobe leaked 1,657 of those and they look just like this:
state.gov email addresses in the Adobe data breach via Troy Hunt (used with permission)
“Adobe also leaked password hints so you can begin to quite easily build a profile around people working in the US State Department,” he said.
Would be good to know if any of the names in the Adobe breach are showing up in the ISIS list. We have not seen the purported ISIS list or the names from the Adobe hack but we hope somebody at State is looking at those names. Folks probably need to work on their password hints, too.
In a separate post, Mr. Hunt also notes this:
“The hyperbole and the fear, uncertainty and doubt that spread over this was just off the scale compared to the significance of the actual data. Here we have what amounts to little more than easily discoverable information mostly already in the public domain and suddenly it’s become a huge terror hack. [….] However, the legitimacy of the claims that this was an “ISIS hack” appear to have gotten in the way of a good story and the news has simply run with it.”
A couple more reading clips below from Troy Hunt:
Just did a (very late) interview with CNN on this ISIS hack, story seems to be spreading a bit: http://t.co/pQkxHIJxFN
There’s not much one can do with the Adobe, Target, Home Depot, OPM hack except to sign up for a credit monitoring service or put a credit freeze on one’s account. That is, if we’re concerned about identity theft. But those services will not work against potential blackmail related to a foreign government hack, or online threats related to potentially scraped data, collected from websites and social media accounts.
We are persuaded by Mr. Hunt’s analysis that this was not a real hack. But real or not, the information is out there and thinking about ‘lone wolf’ offenders seduced by ISIS’ call, in the U.S. or elsewhere is not paranoid. Folks might consider this a good excuse to review their digital footprint.
The threats online — whether real or part of propaganda — are not going to abate anytime soon. This is the world as it is, and not an attempt at hyperbole. Employees overseas can report these threats to RSOs but hey, have you seen the rundown of the RSO’s managed programs? We don’t even know what specific office at State tracks these breaches or who has responsibility for online threats. Was anyone notified by State when the Adobe breach occurred in 2013 and leaked hundreds of official emails? Were those emails changed? A talkinghead writinghead would like to know.
Also some of USG’s overseas posts still display the official email addresses of personnel in public affairs, and those dealing with contracts, solicitations, and acquisitions on their websites. Those should be generic e-mail accounts not linked to an individual’s name but linked instead to the section, function or office, e.g. Sanaacontracts@state.gov. Makes better sense as people rotate jobs anyway.
We’re trying to find out if Diplomatic Security has any response, guidance, or reminder for State Department personnel given this report and the Burn Bag received earlier. Would be as good a time as any to issue an opsec reminder. We will have a follow-up post if/when we get an official response.
Maine poet Richard Blanco who was born to a Cuban exile family and read at President Obama’s second inauguration will read a poem commemorating the reopening of the US Embassy in Havana on August 14. Its title is “Matters Of The Sea” or “Cosas Del Mar,” and its first line goes, “The sea doesn’t matter. What matters is this – that we all belong to the sea between us.” Looking forward to reading it in Spanish!
VIDEO: US Marines raise the US flag over the newly opened American Embassy in Havana, Cuba: http://t.co/Fbu7jZkqem
“The driving quest of diplomacy is for imperfect ways to help people not kill each other.” -Tom Fletcher
The Naked Diplomat is done for now. Tom Fletcher, the British Ambassador to Lebanon signed off from his diplomatic assignment recently. Quite a valedictory address blogpost. Excerpt below:
Sorry to write again. But I’m leaving your extraordinary country after four years. Unlike your politicians, I can’t extend my own term.
When I arrived, my first email said ‘welcome to Lebanon, your files have been corrupted’. It should have continued: never think you understand it, never think you can fix it, never think you can leave unscathed. I dreamt of Beirutopia and Leb 2020, but lived the grim reality of the Syria war.
Bullets and botox. Dictators and divas. Warlords and wasta. Machiavellis and mafia. Guns, greed and God. Game of Thrones with RPGs. Human rights and hummus rights. Four marathons, 100 blogs, 10,000 tweets, 59 calls on Prime Ministers, 600+ long dinners, 52 graduation speeches, two #OneLebanon rock concerts, 43 grey hairs, a job swap with a domestic worker, a walk the length of the coast (Video). I got to fly a Red Arrow upside down, and a fly over Lebanon’s northern border to see how LAF is enforcing Lebanese sovereignty. I was even offered a free buttock lift – its value exceeded our £140 gift limit, so that daunting task is left undone.
Your politics are also daunting, for ambassadors as well as Lebanese citizens. When we think we’ve hit bottom, we hear a faint knocking sound below. Some oligarchs tell us they agree on change but can’t. They flatter and feed us. They needlessly overcomplicate issues with layers of conspiracy, creative fixes, intrigue. They undermine leaders working in the national interest. Then do nothing, and blame opponents/another sect/Sykes-Picot/Israel/Iran/Saudi (delete as applicable). They then ask us to move their cousin’s friend in front of people applying for a visa. It is Orwellian, infuriating and destructive of the Lebanese citizens they’re supposed to serve. But this frustration beats the alternative – given potential for mishap, terror or invasion, there is no substitute for unrelenting, maddening, political process.
Continue reading, So…Yalla, Bye, running on over 300 comments right now.
When I wrote that Rawr piece in 2011, I wrote this:
I have not seen or heard of Tigers actually yanking anybody’s clearance due to an offending blog. I am aware of private sessions of discouragements, issues with onward assignments, and of course, threats of various colors and stripes directed at FS bloggers. And as far as I know, they have not technically kicked out anyone who blogs either — unless you call the “push” to retirement a payback kick.
Well, State did yank Peter Van Buren‘s clearance afterwards, but it was for more than just a blog. Occasionally, I get a request to cite a case where identified individuals got into real trouble due to blogging in the Foreign Service. Except for a small number of cases (PVB, ADA and MLC), I’ve refrained from writing about the blog troubles out of concern that writing about them makes it worse for the individual bloggers. In many cases, the bloggers themselves quietly remove their blogs online without official prompting. Out of the abundance of caution.
A recent FSGB case decided in January 2015 shows a charge of “Poor Judgment” against an FSO based on a post in her personal blog written in October 2008. That’s right. The blog post was online for barely a day and was taken down in 2008. To be clear, the poor judgment charge related to the blog is just half the charges filed against this employee. But in January 2013, State proposed a five day suspension for the FSO. Excerpt from the FSGB record of proceeding available online:
The Improper Personal Conduct charges are based on grievant’s personal relationships in the summer of 2008 with two individuals to whom she had previously issued non-immigrant visas, and the Poor Judgment charge is based on a post in her personal Internet blog in October of 2008.
During a flight to the United States during the spring of 2008, grievant unexpectedly encountered another citizen of Country X (Citizen B) for whom she had issued a visa, fell into conversation with him, and exchanged contact information. Upon her return to Country X, grievant was hospitalized in June 2008. While in the hospital, she received a call from Citizen B, who said he would ask his family members to visit her. They did so. Soon after Citizen B returned to Country X, grievant invited him to lunch. Thereafter, the two conducted an intimate relationship for about three weeks.
Later, Citizen A contacted grievant requesting her assistance in issuing a visa to his new wife. Grievant told him she could not be involved in his wife’s visa application process because she knew him. Consequently, another Consular Officer adjudicated and issued the visa for Citizen A’s new wife. Shortly thereafter, grievant posted on her personal blog (using Citizen A’s initials) a comment saying, in effect, that sharing a bottle of wine with someone could be disastrous, especially when that person shows up at your workplace seeking a visa for his new bride. Within a day of this blog posting, grievant was warned by a colleague to take it down, and grievant did so.
In a letter issued on January 31, 2013, the Department of State proposed to suspend grievant for five workdays, based on three charges that arose from conduct occurring in 2008. Ultimately, the suspension was reduced to three workdays. Grievant’s appeal raised issues of timeliness as well as challenges to the substance of the charges. Grievant is a class FS-04 Consular Officer who was serving abroad in 2008. In May 2009, a co-worker at her Embassy complained to the RSO that grievant had become too close to some visa applicants and their attorneys and was maintaining improper personal relationships with them. The Office of the RSO investigated the allegations and eventually referred the matter to the Consular Integrity Division (CID). In its report of October 2009, CID found no wrongdoing and returned the matter to post. Nonetheless, the RSO referred the complaint of the co-worker to DS for investigation, but did not do so until January 2011. DS, for no articulated reason, did not assign the case to a field agent until September 28, 2011. DS then did not complete its investigation and forward the matter to HR until late October or early November 2012.
The Board concluded that there was no fact-based excuse for the delay at the RSO level and that there was no evidence of necessity for the length of time engulfed in the DS investigation. The Board found that the grievant had been harmed by the overall delay, caused by two different bureaucracies in the Department. The Board identified the harm as the statistically diminished promotability of this particular officer, given her combination of time-in-service and time-in-class.
The FSGB explains in the footnotes that 1) “She [grievant] was unmarried and remained unmarried through at least the date of her suspension. We mention her marital status only because in other disciplinary cases, an officer’s married status has been deemed a risk for coercion if someone knowing of the sexual misconduct threatened to reveal it to the officer’s spouse. Here, however, it does not appear that the grievant’s marital status was relevant to the selection of penalty or the choice of the charges. Noting grievant’s marital status may obviate confusion, if anyone examining other grievances or appeals should consider this case for comparison purposes.” 2) “Because of sensitivity surrounding the country in which grievant served her first tour, both parties refer to it as “Country X…”
In its decision last January, the FSGB held (pdf) that “grievant had shown by a preponderance of the evidence that the Department’s delay of over three years in proposing grievant’s suspension was unexcused and unreasonable and that grievant’s promotional opportunities had been harmed as a result of the delay. Grievant is entitled to reversal of the three-day suspension for charges of Improper Personal Conduct and Poor Judgment, as well as removal of the suspension letter from her OPF. Grievant is entitled to promotion to the FS-03 level, as recommended by the 2013 Selection Boards, retroactive to 2013.”
While this case was resolved in the FSO’s favor, I’m taking note of this case here for several reasons:
1) According to the redacted report published online, the misconduct was reported to the agency by one of grievant’s co-workers on May 20, 2009. An embassy is a fishbowl. Anyone at post familiar with one’s activities, in real life or online can file an allegation. If you write a blog specific to your post, people at post inevitably will connect you to it. A single blogpost, even if taken down, can reach back and bite. Across many years. State’s position is that grievant’s argument that the Department had no regulations or guidelines about personal blogs in 2008 “does not make her posting any less wrong.” Interestingly, that official line doesn’t seem to apply when it comes to the former secretary of state’s use of private email.
2) Even if an allegation is dismissed by the Consular Integrity Division (CID), it does not mean the end of it, as this case clearly shows. After the case was dismissed by CID, the case was forwarded to Diplomatic Security for another investigation. “Counting from the date on which the behavior was reported (as specific misconduct) to the agency to the date of proposal of the five-day suspension, the period of delay in dispute is three (3) years and eight months.” While I can understand what might have prompted the initial complaint, I’m curious about the second referral. I’d be interested to see comparable cases to this. I’m wondering if this case would have been referred to a second investigation if she were a male officer? Absolutely, yes, no? But why a duplicate investigation?
3) When grievant departed Country X for a new post, her continued blogging activity prompted other Consular (CID) investigations. Since there are no public records of these incidents until the cases end up in the FSGB, it is impossible to tell how many FS employees have been referred to CID or DS for their blogging activities. Or for that matter, what kind of topics got them in trouble. I am aware of cases where FS bloggers had difficulties with onward assignment, but those were never officially tied to their blogging activities; that is, there was no paper trail pointing directly at their blogs. This is the first case where we’re seeing on paper what happens:
Grievant states in the ROP that “while in [REDACTED] she did not receive any of the initial positions she bid on. Eventually, she was told that even though she had a good reputation for her work, “there was the blog thing.” Also, she recalls that a “handshake” offer of a Consular Chief position in [REDACTED] was rescinded. She attributes this to an unnamed official’s claim that “Embassy decided they did not want me after CID told them about my history (presumably the blog, and my time in Country X).”
4) Beyond the consequences of not getting onward assignments, here’s the larger impact: “In 2015, the first year her file would be reviewed without any discipline letter, grievant would have been in the Foreign Service for nine years and in class FS-04 for seven years. In point of fact, these lengths of time in service and time in class fall far above the average promotion times for officers moving from grade FS-04 to FS-03.[…] We conclude, under the totality of circumstances, that the untimely suspension prejudiced her chances for promotion to FS-03 in the years 2015-2018.”
5) Beyond the blog thing — the FSO in this grievance case was an untenured officer serving her first tour at a “sensitive” country the FSGB would only refer to as Country X. When the FSO argued that she was never counseled at post regarding these relationships (other half of charges is for Improper Personal Conduct), the State Department contends that “any lack of counseling “does not erase the perception of impropriety [grievant’s] actions could create if made public, nor does it serve as an implicit concession that [grievant’s] actions were somehow appropriate.”
Well, okay, but ….. 3 FAM 4100 is the rules for the road when it comes to employee responsibility and conduct. Into which part of the current A100 or leadership and management classes are these FAM sections incorporated? While I can understand the department’s contention above, it also does not absolve the agency from its responsibility to provide appropriate counsel and training, most especially for entry level officers. Or is this a gap in the training of new employees? When a new, inexperienced officer is first posted overseas, who can he/she ask about delicate issues like this? Is there a Dear Abby newbies can write to or call for counsel at the State Department without the question trailing the employee down every corridor?
OPM announced the results of the interagency forensic investigation into the second incident. As previously announced, in late-May 2015, as a result of ongoing efforts to secure its systems, OPM discovered an incident affecting background investigation records of current, former, and prospective Federal employees and contractors. Following the conclusion of the forensics investigation, OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.
While background investigation records do contain some information regarding mental health and financial history provided by those that have applied for a security clearance and by individuals contacted during the background investigation, there is no evidence that separate systems that store information regarding the health, financial, payroll and retirement records of Federal personnel were impacted by this incident (for example, annuity rolls, retirement records, USA JOBS, Employee Express).
This incident is separate but related to a previous incident, discovered in April 2015, affecting personnel data for current and former Federal employees. OPM and its interagency partners concluded with a high degree of confidence that personnel data for 4.2 million individuals had been stolen. This number has not changed since it was announced by OPM in early June, and OPM has worked to notify all of these individuals and ensure that they are provided with the appropriate support and tools to protect their personal information.
Analysis of background investigation incident. Since learning of the incident affecting background investigation records, OPM and the interagency incident response team have moved swiftly and thoroughly to assess the breach, analyze what data may have been stolen, and identify those individuals who may be affected. The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants. As noted above, some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s systems.
If an individual underwent a background investigation through OPM in 2000 or afterwards (which occurs through the submission of forms SF 86, SF 85, or SF 85P for a new investigation or periodic reinvestigation), it is highly likely that the individual is impacted by this cyber breach. If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely.
So, are we supposed to wait for another credit monitoring offer from OPM’s partners for this BI hack, after already being offered credit monitoring for the personnel data compromised in an earlier breach?
Ms. Archuleta should do the right thing and resign.
Part of OPM’s public response to these breaches has been to protect the director’s record at the agency. While she remains in charge, I suspect that the fixes at OPM will also include shielding the director from further damage. News reports already talk about OPM’s push back. Next thing you know we’ll have “setting the record straight” newsbots all over the place.
While it is true that Ms. Archuleta arrived at OPM with legacy systems still in operation, these breaches happened under her watch. Despite her protestation that no one is personally responsible (except the hackers), she is the highest accountable official at OPM. Part and parcel of being in a leadership position is to own up to the disasters under your wings. Ms. Archuleta should resign and give somebody else a chance to lead the fixes at OPM.