State Dept’s Wibbly Wobbly Jello Stance on Use of Private Email, Also Gummy Jello on Prostitution

Posted: 1:38 am EDT

 

We’ve added to our timeline of the Clinton Email saga (see Clinton Email Controversy Needs Its Own Cable Channel, For Now, a Timeline).

On August 24, 2015, State Dept. Spokesman John Kirby told CNN:  “At The Time, When She Was Secretary Of State, There Was No Prohibition To Her Use Of A Private Email.” Below is the video clip with Mr. Kirby.

Okay, then. Would somebody please get the State Department to sort something out. If there was no prohibition on then Secretary Clinton’s use of a private email, why, oh, why did the OIG inspectors dinged the then ambassador to Kenya, Scott Gration for using commercial email back in 2012? (See OIG inspection of US Embassy Kenya, 2012).

Screen Shot 2015-08-25

Oh, and here’s a more recent one dated August 25, 2015. The OIG inspection of U.S. Embassy Japan (pdf) says this:

In the course of its inspection, OIG received reports concerning embassy staff use of private email accounts to conduct official business. On the basis of these reports, OIG’s Office of Evaluations and Special Projects conducted a review and confirmed that senior embassy staff, including the Ambassador, used personal email accounts to send and receive messages containing official business. In addition, OIG identified instances where emails labeled Sensitive but Unclassified6 were sent from, or received by, personal email accounts.

OIG has previously reported on the risks associated with using commercial email for official Government business. Such risks include data loss, hacking, phishing, and spoofing of email accounts, as well as inadequate protections for personally identifiable information. Department policy is that employees generally should not use private email accounts (for example, Gmail, AOL, Yahoo, and so forth) for official business.7 Employees are also expected to use approved, secure methods to transmit Sensitive but Unclassified information when available and practical.8

OIG report referenced two cables, we’ve inserted the hyperlinks publicly available online: 11 STATE 65111 and 14 STATE 128030 and 12 FAM 544.3, which has been in the rules book, at least since 2005:

12 FAM 544.3 Electronic Transmission Via the Internet  (updated November 4, 2005)

“It is the Department’s general policy that normal day-to-day operations be conducted on an authorized [Automated Information System], which has the proper level of security control to provide nonrepudiation, authentication and encryption, to ensure confidentiality, integrity, and availability of the resident information.”

This section of the FAM was put together by the Office of Information Security (DS/SI/IS) under the Bureau of Diplomatic Security, one of the multiple bureaus that report to the Under Secretary for Management.

Either the somebodies were asleep at the switch, as the cliché goes, or somebody at the State Department gave authorization to the Clinton private server as an Automated Information System.

In any case, the State Department’s stance on the application of regulations on the use of private and/or commercial email is, not wobbly jello on just this one subject or on just this instance.

gummy-bears-o

dancing jello gummy bears

On October 16, 2014, State/OIG released its Review of Selected Internal Investigations Conducted by the Bureau of Diplomatic Security. This review arose out of a 2012 OIG inspection of the Department of State (Department) Bureau of Diplomatic Security (DS). At that time, OIG inspectors were informed of allegations of undue influence and favoritism related to the handling of a number of internal investigations by the DS internal investigations unit. The allegations initially related to eight, high-profile, internal investigations. (See State/OIG Releases Investigation on CBS News Allegations: Prostitution as “Management Issues” Unless It’s NotCBS News: Possible State Dept Cover-Ups on Sex, Drugs, Hookers — Why the “Missing Firewall” Was a Big Deal).

One of those eight cases relate to an allegation of soliciting a prostitute.

The Foreign Affairs Manual (FAM) provides that disciplinary action may be taken against persons who engage in behavior, such as soliciting prostitutes, that would cause the U.S. Government to be held in opprobrium were it to become public.1

In May 2011, DS was alerted to suspicions by the security staff at a U.S. embassy that the U.S. Ambassador solicited a prostitute in a public park near the embassy. DS assigned an agent from its internal investigations unit to conduct a preliminary inquiry. However, 2 days later, the agent was directed to stop further inquiry because of a decision by senior Department officials to treat the matter as a “management issue.” The Ambassador was recalled to Washington and, in June 2011, met with the Under Secretary of State for Management and the then Chief of Staff and Counselor to the Secretary of State. At the meeting, the Ambassador denied the allegations and was then permitted to return to post. The Department took no further action affecting the Ambassador.

OIG found that, based on the limited evidence collected by DS, the suspected misconduct by the Ambassador was not substantiated. DS management told OIG, in 2013, that the preliminary inquiry was appropriately halted because no further investigation was possible. OIG concluded, however, that additional evidence, confirming or refuting the suspected misconduct, could have been collected. For example, before the preliminary inquiry was halted, only one of multiple potential witnesses on the embassy’s security staff had been interviewed. Additionally, DS never interviewed the Ambassador and did not follow its usual investigative protocol of assigning an investigative case number to the matter or opening and keeping investigative case files.

Department officials offered different justifications for handling the matter as a “management issue,” and they did not create or retain any record to justify their handling of it in that manner. In addition, OIG did not discover any guidance on what factors should be considered, or processes should be followed, in making a “management issue” determination, nor did OIG discover any records documenting management’s handling of the matter once the determination was made.

The Under Secretary of State for Management told OIG that he decided to handle the suspected incident as a “management issue” based on a disciplinary provision in the FAM that he had employed on prior occasions to address allegations of misconduct by Chiefs of Mission. The provision, applicable to Chiefs of Mission and other senior officials, states that when “exceptional circumstances” exist, the Under Secretary need not refer the suspected misconduct to OIG or DS for further investigation (as is otherwise required).2 In this instance, the Under Secretary cited as “exceptional circumstances” the fact that the Ambassador worked overseas.3

DS managers told OIG that they viewed the Ambassador’s suspected misconduct as a “management issue” based on another FAM disciplinary provision applicable to lower-ranking employees. The provision permits treating misconduct allegations as a “management issue” when they are “relatively minor.”4 DS managers told OIG that they considered the allegations “relatively minor” and not involving criminal violations.

Office of the Legal Adviser staff told OIG that the FAM’s disciplinary provisions do not apply to Ambassadors who, as in this instance, are political appointees and are not members of the Foreign Service or the Civil Service.5

OIG questions the differing justifications offered and recommends that the Department promulgate clear and consistent protocols and procedures for the handling of allegations involving misconduct by Chiefs of Mission and other senior officials. Doing so should minimize the risk of (1) actual or perceived undue influence and favoritism and (2) disparate treatment between higher and lower-ranking officials suspected of misconduct.6 In addition, OIG concludes that the Under Secretary’s application of the “exceptional circumstances” provision to remove matters from DS and OIG review could impair OIG’s independence and unduly limit DS’s and OIG’s abilities to investigate alleged misconduct by Chiefs of Mission and other senior Department officials.

In the SBU report provided to Congress and the Department, OIG cited an additional factor considered by the Under Secretary—namely, that the Ambassador’s suspected misconduct (solicitation of prostitution) was not a crime in the host country. However, after the SBU report was issued, the Under Secretary advised OIG that that factor did not affect his decision to treat the matter as a “management issue” and that he cited it in a different context. This does not change any of OIG’s findings or conclusions in this matter. 

After the SBU report was issued, the Under Secretary of State for Management advised OIG that he disagrees with the Office of the Legal Adviser interpretation, citing the provisions in the Foreign Service Act of 1980 which designate Chiefs of Mission appointed by the President as members of the Foreign Service. See Foreign Service Act of 1980, §§ 103(1) & 302(a)(1) (22 USC §§ 3903(1) & 3942(a)(1)). 

During the course of that review, State/OIG said it discovered some evidence of disparity in DS’s handling of allegations involving prostitution. Between 2009 and 2011, DS investigated 13 prostitution-related cases involving lower-ranking officials.

The OIG apparently, found no evidence that any of those inquiries were halted and treated as “management issues.”

.

Also, have you heard?  Apparently, DEA now has an updated “etiquette” training for its agents overseas.

That’s all.

Is there a diplomatic way to request that the responsible folks at the State Department culture some real backbone in a petri-dish?

No, no, not jello backbone, please!

#

Foggy Bottom’s Big Chill Freezes Even Retired Diplomat … Diplo Doggy Wins!

Posted: 1:01 am EDT

 

For obvious reasons, we are unable to share the name of the retired diplomat here but we have permission to share this with our readers.

Retired FSO: I was planning on blogging about Hillary’s emails. Title: “If I Did What Hillary Did, I’d Be In Jail.”

Me: Great! Looking forward to reading it!

Retired FSO: But I won’t.

Me: Oh?

Retired FSO: Just read 3 FAM 4170. I’m retired. I can’t believe I really need to clear my blogposts with PA. I mean, I’d use common sense, you know? I wouldn’t be divulging stuff like, say, our nuclear launch codes, or the chronically malfunctioning air conditioning system at Main State. I’d just focus on how when you become a charter member of America’s political elite, the rules don’t apply to you. That’s all. 

Me:  Only stuff “of department concern” needs clearance. Max timeframe for blogs, five days.

Retired FSO: But they’ve made me jittery. I don’t fancy jail. They’d probably force me to watch re-runs of “Madame Secretary” every day; let me read only the FAM! The eighth amendment  doesn’t allow this kind of cruel and unusual punishment, but Mother State can be as vindictive as a Borgia dowager.

Me: Okay. So, does this mean you’ll stop blogging?

Retired FSO: Nah. Maybe I’ll just write about my pets from now on. Think anybody would read Diplo Doggy’s Adventures?

Me: I will. 

Retired FSO: We live in difficult times.

Via Giphy Commons

Via Giphy Commons

#

Related posts:

What’s Next For Former FSO Michael Sestak, Plus Some Unanswered Questions

Posted: 2:05 pm EDT

 

On August 14, 2015, former FSO Michael T. Sestak was sentenced to 64 months imprisonment for receiving over $3 million in bribes in exchange for visas at the U.S. Consulate General in Ho Chi Minh City, Vietnam.

The Preliminary Consent Order of Forfeiture filed in the District Court of Columbia includes forfeiture of a) “any property, real or personal, which constitutes or is derived from proceeds traceable to the offense;” and  b) “a money judgment equal to the value of any property, real or personal, which constitutes or is derived from proceeds traceable to the offense.”

The consent order identifies 1) any and all funds and securities seized from Scottrade Account #XXXX001S, held in the name of Anhdao Thuy Nguyen (“Scottrade Account”); and 2) $198,199.13 seized from the Department of Treasury from the Treasury Suspense Account under Seizure Number 38l30010—O1 (“Treasury Account”); and 3) a money judgment in the amount of at least $6,021,440.58, for which the defendant (Sestak) is jointly and severally liable with any co-conspirators ordered to pay a forfeiture money judgment as a result of a conviction for either offense.

In the plea agreement, Sestak agreed to sell nine properties in Thailand and that the proceeds would be paid to the United
States to satisfy a portion of the money judgment entered against him. The consent order also notes that “upon entry of a forfeiture order, Fed. R. Crim. P. 32.2(b)(3) authorizes the Attorney General or a designee to conduct any discovery the Court considers proper in identifying, locating, or disposing of property subject to forfeiture.”

In a pre-sentencing filing,  Mr. Sestak requested that any term of incarceration occur in a Camp-level facility. Specifically, at FCI Miami or if that’s not available, FCI Pensacola.  Defense justification is based on Sestak’s “lack of criminal history, the non-violent nature of the crimes, his cooperation with the Government, his lifetime of public service, his age, education, and status as a trustee during his pretrial confinement at Northern Neck Regional Jail.”‘

We had a chance to ask a few questions from his lawyer, Gray Broughton; we wanted to know where will be the location of his incarceration.

“The Bureau of Prisons will ultimately make a determination as to where Mr. Sestak is incarcerated,” said Mr. Broughton.  The defense lawyer again cited the nonviolent nature of the crimes and Mr. Sestak’s “clean criminal history.”  Mr. Sestak should be housed in a lower security level facility, according to his lawyer and that his prior employment with the U.S. Marshal will be taken into consideration by the Bureau of Prison.
We asked about the plea deals received by Sestak and main co-conspirator Bihn Vo.   Sestak’s lawyer believed the government made the best deal it could:

Mr. Sestak received a sentence of 64 months – 32 months less than codefendant Binh Vo, who received a sentence of 96 months. The Government will end up getting roughly $5M from Binh Vo – the $3M it already seized and the $2M he has agreed to pay in the next year. Binh Vo’s money (and his wife) are all currently outside of the U.S., so the U.S. doesn’t have any control over either. It made the best deal it felt it could with Binh Vo.

We were also interested in the duration of the sentence. By our calculation, Mr. Sestak would be almost 50 by the time he completes his sentence.  Mr. Broughton, however, told us that “assuming good behavior, Mr. Sestak would serve 85% of the sentence.” He will reportedly also get credit for the 27 months he has been in jail since his arrest, towards his sentence. We’re not sure if he’ll get credit for the full 27 months. But if that’s the case, and if our math is correct, he’d be out between 2-3 years.

We asked what happened to the 500 visa applicants that Mr. Sestak had issued visas to in Vietnam. And if Mr. Sestak was asked to help track or account for the applicants who paid bribes for their visas. Mr. Broughton said, “I don’t know what happened to the visa applicants. I am not aware of any efforts by the US Government in that regard.”

Mr. Broughton also released the following statement after the sentencing:

**
Michael Sestak received a fair, well-reasoned sentence today. The Court had the unenviable task of taking a multitude of opposing factors into consideration in devising Mr. Sestak’s sentence. 

As counsel for the U.S. Government readily admitted during Mr. Sestak’s sentencing hearing, Binh Vo was the mastermind of the visa fraud conspiracy. Binh Vo also had the largest pecuniary gain and will likely have millions of dollars waiting for him upon his release – along with his wife Alice Nguyen, who was able to avoid prosecution as a result of Binh Vo’s plea agreement. The Court appeared to appreciate that a sentence greater than or equal to Binh Vo’s sentence of 8 years would be fundamentally unjust for Michael Sestak, even though the U.S. Sentencing Guidelines recommended a sentence of approximately 20 years.
 
What made things difficult for the Court in determining an appropriate sentence is that Mr. Sestak was an essential component to the conspiracy and a public servant who had taken an oath of loyalty to his Country. It was Mr. Sestak’s status as a public official and the theory that would-be criminals will think twice before committing similar crimes that caused the Court to sentence Michael Sestak to something greater than time served.
 
Ultimately, the Court balanced these countervailing factors by issuing a sentence of 64 months – 32 months less than codefendant Binh Vo, who received a sentence of 96 months.
 
Michael Sestak is a good man who made made a huge mistake. Even after his release from prison, Mr. Sestak’s actions – and the shame that follows – will haunt him forever.
**

 

With the case concluded for all charged co-conspirators, we thought we’d asked the State Department what systemic changes had Consular Affairs instituted at USCG Ho Chi Minh City and worldwide following the Sestak incident.

The State Department, on background says this:

The Bureau of Consular Affairs takes all allegations of malfeasance seriously and continually works to improve its operations. Following any detection of vulnerabilities, CA works to improve management controls and guidance to the field. After the incident in Ho Chi Minh City, the management controls at post were comprehensively reviewed to determine what improvements could be made to their processes. As a matter of policy, we do not discuss the specifics of internal management controls.

Most of the Sestak visa cases were allegedly previous refusals. If true, we don’t quite understand how one officer could overturn so many visa refusals and issue close to 500 visas without red flags, if consular management controls worked as they should.  We wanted to know what consequences will there be for supervisors, embassy senior officials and principal officers who fail to do their required oversight on visas. And by the way, what about those who also do not follow the worldwide visa referral policy, particularly, Front Office occupants? The State Department would only say this:

As a matter of policy we do not discuss specific internal personnel actions. Protecting the integrity of the U.S. visa is a top priority of the U.S. government. We have zero tolerance for malfeasance. We work closely with our law enforcement partners to vigorously investigate all allegations of visa fraud. When substantiated, we seek to prosecute and punish those involved to the fullest extent of the law.

We imagined that the Bureau of Consular Affair’s Consular Integrity Division would be tasked with reviewing procedures and lessons learned on what went wrong in the Sestak case. We wanted to know if that’s the case and wanted to ask questions from the office tasked with the responsibility of minimizing a repeat of the Sestak case. Here is the official response:

The Consular Integrity Division regularly reviews incidents of malfeasance or impropriety and makes recommendations for procedural changes to reduce vulnerabilities and updates training materials for adjudicators and managers based on the lessons learned, including the case in Ho Chi Minh City. The Consular Integrity Division also does reports on the management controls at overseas posts, as well as reports that review global management controls issues, which inform CA leadership about any issues of concern.

No can do.  So far, we’ve only learned that the CID reviewed incidents of malfeasance including the Sestak case but it doesn’t tell us if it did a specific report on HCMC and what systemic changes, if any, were actually made.

We tried again. With a different question: According to in country reports, USCG Ho Chi Minh City received a letter from a jilted man in central Vietnam that helped DS crack the Sestak case. ConGen Ho Chi Minh City is one of the few consular posts that actually has a Regional Security Officer-Investigator, dedicated to visa investigations. If this case started with this reportedly jilted lover, the question then becomes how come neither the RSO-I or the internal consular management controls did not trip up the FSO accused in this case? If there was no anonymous source, would the authorities have discovered what was right under their noses?

As a matter of policy, we do not discuss the details of investigations. Protecting the integrity of the U.S. visa is a top priority of the U.S. government. We continually work to improve its operations, both in the field and here in Washington DC.

Ugh! Sestak was charged in May 2013. In July that year, the State Department told Fox News it was reviewing thoroughly alleged “improprieties” regarding a consular official in Guyana allegedly trading visas for money and possibly sex. In another article in 2014,  former Peace Corps, Dan Lavin,  said, “The State Department makes millions off of the poorest people in the world just by selling them the opportunity to fill out the application.” He also made the following allegation: “There are people at the embassy who can get you a visa,” Lavin said. “If you’re a Sierra Leonean, you go to a man called a ‘broker’; you then pay that ‘broker’ $10,000 and he personally gives that money to someone at the embassy who in turn gets you a visa.”  Apparently,  when asked about the accusations, a spokesperson at the U.S. embassy in Freetown declined to comment.

In any case, we also wanted to know if there were systemic changes with the State Department’s RSO-I program and how they support consular sections worldwide? Or to put it another way, we were interested on any changes Diplomatic Security had implemented in the aftermath of the Sestak case. Here is the amazing grace response, still on background:

It is the mission of DS special agents assigned as Assistant Regional Security Officer-Investigators (ARSO-I) to find fraud in the countries where they serve.

Sigh, we know that already. We thought we’d also ask about those 489 Vietnamese who got their visas under this scheme. What happened to them? Did Diplomatic Security, DHS or some other agency tracked them down?

The Bureau of Consular Affairs conducted a review of visas issued by Mr. Sestak. The Department revoked those visas that were improperly issued. If the visa holder had already travelled to the United States on the improperly issued visa, the Department of State notified the Department of Homeland Security so that agency could take action as appropriate.

We don’t know how many “improperly issued” visas were revoked. All 489?

We don’t know how many of those able to travel to the U.S. were apprehended and/or deported to Vietnam.

Frankly, we don’t really know what happened to the 489 Vietnamese nationals who paid money to get visas.

Calvin Godfrey who covered this case from Vietnam writes:

State Department investigators managed to track down and interrogate a few, though they wouldn’t say how many. The Washington DC office of the US Immigration and Customs Enforcement Agency didn’t respond to a list of questions about their efforts to track them down.

We also don’t know how much was the total proceed from this illegal enterprise. The USG talks about $9.7 million but one of the co-conspirators in an email, talked $20 million. Below via Thanh Nien News:

Prosecutors only put the gang on the hook for a $9.7 million — a “conservative estimate” they came up with by multiplying $20,000 by 489. Statement written by Hong Vo the middle of the illicit ten-month visa auction:

“I can’t believe Binh has pretty much made over $20m with this business,” she wrote to her sister, identified only as Conspirator A.V. “Slow days… are like 3 clients… and that’s like 160k-180.”

 

Then there’s the individual who purportedly started this ball rolling in Vietnam. Below excerpted from Thanh Nien News:

The State Department was quick to crow over Vo’s sentencing, but it remains deeply disingenuous about how this case came about and what it means.

“This case demonstrates Diplomatic Security’s unwavering commitment to investigating visa fraud and ensuring that those who commit this crime are brought to justice,” crowed Bill Miller, the head of the Diplomatic Security Service (DSS) in a press release generated to mark Vo’s sentencing.

The problem there is that the whole case didn’t come about through careful oversight; it came about because a sad sack from Central Vietnam loaned his pregnant wife $20,000 to buy a US visa from Sestak and the Vos. Instead of coming home with their baby boy, she disappeared, married another man and blabbed about it on Facebook. The sad sack wrote rambling letters to the President and the State Department’s OIG trying to get his wife and money back.

That Vietnamese informant reportedly is a recipient of threats from some of the Sestak visa applicants. Poor sod. So, now, one of the co-conspirators got 7 months, another 16 months, Sestak got 5 years, Vo got 8 years,  one alleged co-conspirator was never charged, and we don’t know what happened to close to 500 visa applicants. Also, the USG gets less than half the $20 million alleged gains. It looks like, at least Vo, will not be flipping burgers when he gets out of prison.

Now life goes on.
 #

Clinton Email Controversy Needs Its Own Cable Channel, For Now, a Timeline

Posted: 1:42 am EDT

 

“[T]he system we used was set up for President Clinton’s office. And it had numerous safeguards. It was on property guarded by the Secret Service. And there were no security breaches.”
Hillary Clinton, March 10, 2015

It’s hard trying to keep track of the highs and lows of the Clinton email debacle. Since this is not going away anytime soon, or going away quietly, we thought we’d build a timeline, to keep the details we find relevant for our reference. Feel free to scroll.  We’ve written previously —  in this whole email mess at the State Department —  it must be said that this might not have happened if not enabled by senior bureaucrats in the agency. We do not believe for a moment that senior officials were not aware about the email practices of then Secretary Clinton or the record retention requirement. But hey, if the practice was done for four years over the protests and dissent of officials at “M”, “A”, the Legal Adviser or the CIO, we’d like to see that email trail. We will update the timeline, as needed.

2008

November 21, 2008: NY Times says Hillary Clinton accepts US Secretary of State position

December 1, 2008: President-Elect Barack Obama announces Hillary Clinton as Secretary of State (video)

2009

January 13, 2009:  Internet records show that the domain ‘clintonemail.com’ was created and had Network Solutions LLC as registrar. http://www.whois.com/whois/clintonemail.com

January 13, 2009:  Senate Confirmation Hearing for Secretary of State Nominee Hillary Clinton

January 15, 2009: Senate Foreign Relations Committee votes 16–1 to approve Clinton.

January 21, 2009:  Clinton is confirmed by the U.S. Senate as President Obama’s secretary of state by a roll call vote of 94–2.

January 21, 2009Clinton takes the oath of office of Secretary of State administered by Associate Judge Kathryn Oberly with Bill Clinton in attendance.  She resigned from the Senate the same day. (Hillary Clinton, the 67th Secretary of State)

July 31, 2009: State/OIG issues Review of the Information Security Program for Sensitive Compartmented Information Systems at the Department of State (CLASSIFIED) aud-it-09-21.pdf

November 2, 1009: NARA Notes on State Department State Messaging and Archive Retrieval Toolset (SMART) system rollout. Per IPS, people are “using the record email function” but huge issues with memos. Appears that the Executive Secretariat (S/ES) will be establishing its own recordkeeping system as the follow on to STARS. (view in pdf).

2010

January 21, 2010: Clinton give remarks on Internet Freedom, launches 21st Century Statecraft.

April 19, 2010:  Computer World reports that Network Solutions LLC is hacked, injected with malicious JavaScript and the affected sites redirecting unsuspecting users to a Ukrainian attack server.

December 22, 2010NARA Bulletin 2011-03 | December 22, 2010 – Guidance Concerning the use of E-mail Archiving Applications to Store E-mail

2011

June 28, 2011:  State Department releases cable on Securing Personal Email Accounts (Via FoxNews)

October 19, 2011“Classified” Information Contained in We Meant Well – It’s a Slam Dunk, Baby!

2012

March 12, 2012State Department Chief Freedom of Information Act Officer Annual Report | March 12, 2012

August 10, 2012: State OIG issues review of US Embassy Kenya, dings Ambassador Scott Gration, among other things, for use of commercial email (see State/OIG Releases Ambassador Scott Gration’s Embassy Report Card – And Look, No Redactions!)

August 24, 2012: OMB/NARA issues Managing Government Records Directive, OMB M-12-18 (pdf)

September 11, 2012: Ambassador Chris Stevens and three others killed in Benghazi, Libya

September 2012: State/OIG Inspection of the Bureau of Administration, Global Information Services, Office of Information Programs and Services Report Number ISP-I-12-54

October 2, 2012After a Year of Serious Roars and Growls, State Dept Officially Retires FSO-Non Grata Peter Van Buren (despite allegation that “two pages of the book manuscript we have seen contain unauthorized disclosures of classified information.”)

November 20, 2012State Dept FOIA Requests: Agency Ranks Second in Highest Backlog and Here’s Why

December 11, 2012: NARA Chief Records Officer Paul M. Wester Jr. Email to NARA’s Margaret Hawkins and Lisa Clavelli on how they “should delicately go about learning more” about the transition plans for Secretary Clinton’s departure from State. Concerns that “there are or maybe plans afoot to taking her records from State to Little Rock.” Invokes the specter of the Henry Kissinger experience vis-a-vis Hillary Clinton (view email in pdf)

December 19, 2012: Accountability Review Board (ARB) Singles Out DS/NEA Bureaus But Cites No Breach of Duty

2013

February 1, 2013:  Clinton leaves the State Department (Photo of the Day: 67 Says Goodbye to Foggy Bottom)

Early 2013:  After HRC left government service in early 2013, the Clintons decided to upgrade the system, hiring Platte River as the new manager of a privately managed e-mail network. The old server was removed from the Clinton home by Platte River and stored in a third party data center.[…] “The information had been migrated over to a different server for purposes of transition,” from the old system to one run by Platte River, said Barbara J. Wells, a Denver lawyer who represents Platte River Networks Inc., recalling the transfer that occurred in June 2013. (Via WaPo)

March 5, 2013: State Department publishes Foreign Affairs Manual updates on 12 FAM 540 Sensitive But Unclassified Information (SBU) View pdf file here.

March 20, 2013: Clinton’s private email address, hdr22@clintonemail.com, is made public by Romanian hacker named ‘Guccifer’  (real name is Marcel Lazăr Lehel) after hacking into Clinton adviser Sidney Blumenthal’s AOL email account. (via Gawker; emails published in full here via RT).

May 28, 2013:  House Oversight and Government Reform Committee Chairman Darrell Issa (R-Calif.) announced the issuance of a subpoena for  “documents and communications referring or relating to the Benghazi from ten current and former State Department officials. See House Oversight Committee Subpoenas Benghazi-Related Documents To/From Ten State Dept Officials.

June 2013  Hillary’s team shifts control of the email network to an outside IT contractor in Denver called Platte River Networks, and sends the original server hardware to a data center facility in New Jersey, where it is erased. (Via Daily MailVia WaPo)

June 27, 2013After 1,989 Day-Vacancy — President Obama Nominates Steve Linick as State Dept Inspector General

August 1, 2013: House Oversight Committee issues two subpoenas, 1) State Department documents that had been covered but not produced after earlier requests, and 2) documents related to the Benghazi Accountability Review Board.

August 19, 2013The Other Benghazi Four: Lengthy Administrative Circus Ended Today; Another Circus Heats Up

August 29, 2013: NARA Bulletin 2013-02 |  All Agencies, Guidance on a New Approach to Managing Email Records

September 9, 2013: NARA Bulletin 2013-03 | Guidance for agency employees on the management of Federal records, including email accounts, and the protection of Federal records from unauthorized removal

September 30, 2013Senate Confirms Steve Linick; State Dept Finally Gets an Inspector General After 2,066 Days

2014

January 16, 2014: State/OIG issues Management Alert – OIG Findings of Significant, Recurring Weaknesses in Dept of State Info System Security Program 220066.pdf

May 8, 2014: The House of Representatives adopted H. Res. 567, Providing for the Establishment of the Select Committee on the Events Surrounding the 2012 Terrorist Attack in Benghazi, Libya. Rep. Trey Gowdy, R-S.C., is named chairman.

August 5, 2014: State Department updates 12 FAM 530 STORING AND SAFEGUARDING CLASSIFIED MATERIAL.  Officers are reminded that Department-issued materials not codified in the Foreign Affairs Manual or its supplemental Foreign Affairs Handbook series generally have no regulatory validity (see 2 FAM 1115.2)

August 11, 2014: The State Department sends its first group of documents to the new Select Benghazi committee, a partial response to a previous subpoena. The production contains a few — less than 10 — emails either to or from Clinton. Committee staffers notice immediately that the emails are from a previously unseen address, hdr22@clintonemail.com. Meanwhile, the committee presses State to meet its legal obligation to fully respond to the pair of subpoenas originally issued in August 2013. (Via Washington Examiner)

August 28, 2014: State Department U/S for Management sends memo to department principals on Senior Officials’ Records Management Responsibilities (view memo pdf). See State Department issued instructions for Preserving Email of Departing Senior Officials (view memo p.13 pdf)

September 15, 2014: Former State Dept DAS Raymond Maxwell Alleges Benghazi Document Scrub Pre-ARB Investigation

September 15, 2014: NARA Bulletin 2014-06 | All Agencies, Guidance on Managing Email

September 16, 2014:  State Department Denies Raymond Maxwell’s Document Scrub Allegations. Peeeeriod!!!!

September 19, 2014:  State Dept on Former DAS Raymond Maxwell’s Allegations: Crazy. Conspiracy Theory. What Else?

September 30, 2014: State/OIG Audit of the Information Security Program for Sensitive Compartmented Information Systems at the Department of State for FY 2014 (CLASSIFIED) aud-it-14-36.pdf

October 10, 2014:  William Fischer, the Department of State agency records officer, sends message to NARA with a draft email policy to update State’s Foreign Affairs Manual (5 FAM 447). Requests for limited distribution within NARA to those “with equities in this issue.” (View email in pdf)

October 30, 2014: Memo to the Field (All Diplomatic and Consular Posts) from Under Secretary for Management, Patrick F. Kennedy re: State Department Records Responsibilities and Policy, October 30, 2014

November 4, 2014:  Jason Leopold submits a FOIA request for “any and all records that were prepared, received, transmitted, collected and/or maintained by the Department of State (DOS) mentioning or referring to or prepared by Secretary of State Hillary Clinton or any member of the Office of the Secretary (S) from January 21, 2009 to February 1, 2013.”  (source here- pdf).

November 07, 2014: State/OIG posts online Audit of Department of State Information Security Program | aud-it-15-17.pdf

November 12, 2014: Letter to Hilary Clinton’s representative, Cheryl Mills re: the Federal Records Act of 1950, November 12, 2014; to Colin Powell, to Condoleezza Rice; to Madeleine Albright;

November 2014: The Benghazi committee asks the State Department for a larger batch of Clinton’s emails and receives about 300 that relate to the Libya saga, amounting to 850 printed pages  (Source: Washington Examiner)

December 5, 2014:  Clinton’s aide Cheryl Mills says that in response to a request from the State Department, they have handed over (about 55,000 pages) her work-related emails (comprising 30,490 messages); Response to Under Secretary of State for Management, Patrick F. Kennedy from Hilary Clinton’s representative, Cheryl Mills re: the Federal Records Act of 1950, December 5, 2014

December 29, 2014: Updates to Foreign Affairs Manual 5 FAM 440 Electronic Records, Facsimile Records, and Electronic Mail Records published with the following notation:  “In October, 2014, the Department issued an interim directive superseding some text in this section. This subchapter will be revised to reflect the new guidance – Refer to Department Notice 2014_10_115 for more information.” (View pdf, department notice available here.)

2015

January 25, 2015: Leopold v. State Department (view lawsuit here- pdf).

February 13, 2015 The State Department sends the Benghazi committee another 850 pages of Clinton’s emails, including some from two different accounts on the private ‘clintonemail.com’ server  (Source: Washington Examiner)

February 27, 2015  State Department staffers tell Benghazi committee aides that Clinton had used her private address exclusively during her tenure at the agency, and that they don’t have any of her emails other than those she provided voluntarily. (Source: Washington Examiner)

February 27, 2015:  Mike Schmidt, reporter with The New York Times contacts NARA General Counsel requesting off the record chat on regulations for government employees who use their personal email addresses to conduct government business. Gary Stern tells his boss “I am happy to talk to him about what the law is (there are no regulations at this time).” (View email here)

March 2, 2015: NYTimes broke the news that Hillary Clinton exclusively used a personal email account to conduct government business as secretary of state.

March 2, 2015: NARA Legal Counsel talks to State Department Deputy Legal Advisor on the use of personal email accounts (View email from NARA Records Officer Wester to State/DAS Margaret P. Grafeld)

March 3, 2015: NARA puts together ‘Talking Points’ on Clinton emails. (View pdf). Talking Points available here.

March 3, 2015: NARA Acting IG asks NARA: “[W]ho is the NARA liaison with the State department for records management? Were we aware the gov email system was not being used by Ms Clinton. If we were not aware why not. What checks and balances do we have in place to ensure the gov email systems are being used. (View email)

March 4, 2015:  Clinton tweeted, “I want the public to see my email. I asked State to release them. They said they will review them for release as soon as possible.”

March 6, 2015: Marie Harf, a State Department spokeswoman, said the Foreign Affairs Manual was a department document and didn’t carry the force of law. She also said a memo to diplomatic staff around the word bearing Mrs. Clinton’s name and discouraging the use of personal emails was “colloquial guidance,” not a mandate. (Via Wall Street Journal)

March 10, 2015: Clinton holds a presscon at the UN, admits that she deleted more than 30,000 emails that she says were personal in nature, says she turned over everything work-related to the State Department, while insisting that “I did not email any classified material to anyone on my email.” (Ex-Chief Information-Disclosure Guru on Hillary’s Email Defense and the Folks Asleep at the SwitchFormer Secretary Clinton talks about her state.gov private emails)

March 10, 2015:  “I don’t have the FAM in front of me. I can certainly check and see if there were certain policies, if there were regulations. The FAM is not a regulation; it’s recommendations,” said Jennifer Psaki, State Department Spokesman during the Daily Press Briefing.  NewsFlash: “The FAM is not a regulation; it’s recommendations.” Hurry, DECLINE button over there!

March 11, 2015: The Associated Press sues the State Department to force the release of Clinton’s emails and other documents that the agency has failed to turn over following a Freedom Of Information Act request. The legal action comes after repeated requests filed under the U.S. Freedom of Information Act have gone unfulfilled. They include one request the AP says it made five years ago and others pending since the summer of 2013.

March 12, 2015: Senators Burr, Corker, Johnson sends a letter to State/OIG to coordinate “with the Inspector General for the Intelligence Community, and any other appropriate Federal entities, conduct a thorough audit related to electronic communications by State Department employees, including former senior officials, that were principally carried out on non-government-owned, or non-government-protected, information networks.” (View letter here via freebeacon.com).

March 25, 2015: Letter from Secretary of State, John Kerry to State Department IG, Steve Linick re: review of records management, preservation, and transparency practices, March 25, 2015

April 12, 2015: The former secretary of state announced her second presidential campaign in a video released online. (Video)

May 18, 2015: Leopold v. State Department – Court Declaration of State Depart FOIA official John F. Hackett (view in pdf)

May 21, 2015:  The Department releases a set of 296 of Clinton documents which previously had been provided in February 2015 to the House Select Committee on Benghazi. May Release via foia.state.gov. This is the first batch of Clinton’s emails made public by the State Department; roughly 850 pages, captures concerns over Libya (Via NYTimes).

May 27, 2015:  U.S. District Court Judge Rudolph Contreras set particular targets for the State Department to meet each month as it wades through the roughly 30,000 emails totaling about 55,000 pages. (The percentages set for each disclosure can be viewed in the judge’s written order, posted here.) Scheduled every 30 days, setting monthly targets for State so the work is completed by January 29, 2016 (Via Politico).

May 29, 2015: State Department updates its Foreign Affairs Manual 5 FAM 480 CLASSIFYING AND DECLASSIFYING NATIONAL SECURITY INFORMATION—EXECUTIVE ORDER 13526

June 2015: State Department releases more emails. June Release via foia.state.gov

June 25, 2015: State Department updates 12 FAM 530 STORING AND SAFEGUARDING CLASSIFIED MATERIAL

June-July 2015:  | Potential Issues Identified by the Office of the Inspector General of the Intelligence Community Concerning the Department of State’s Process for the Review of Former Secretary Clinton’s Emails under the Freedom of Information Act (pdf)

July 23, 2015: Charles McCullough, the inspector general for the U.S. intelligence community tells members of Congress in a letter that a limited sampling of 40 Clinton emails turned up four that “should have been marked and handled at the SECRET level.” (View memo here via Politico)

July 24, 2015: Andrea Williams, a spokeswoman for the inspector general for the Intelligence Community, told NPR’s Carrie Johnson that at least four emails that were sent through Clinton’s private email network “were classified when they were sent and are classified now.” 

July 25, 2015:  “I am confident that I never sent nor received any information that was classified at the time it was sent and received,” Clinton told reporters in Winterset, Iowa, after news emerged this week that a federal watchdog had asked the FBI to review whether potentially classified material in her e-mails had been jeopardized during a State Department review of the messages ahead of public release. (Via Bloomberg).

July 27, 2015: Select Committee on Benghazi Chairman Trey Gowdy announced the State Department’s pledged to produce 5,000 new pages of documents to the Committee. As a result of the forthcoming production, the Chairman accepted Mr. Finer’s request to postpone the compliance hearing. (see State Dept to Release 5,000 Pages to Benghazi Panel, No Hearing With Kerry Top Aide For Now)

July 27, 2015: The State Department issues enhanced guidance for speaking, writing, teaching and media engagement for its employees, retirees, externs, interns and others. The clearance requirement covers  testimony provided in Congress even in an employee’s private capacity.  See State Dept Releases New 3 FAM 4170 aka: The “Stop The Next Peter Van Buren” Regulation

July 31, 2015: The second installment of emails from Hillary Clinton’s private server, released Friday by the State Department, includes 41 messages that reviewers determined contained classified material. (Via Daily Mail).

July 2015: State Department releases more emails. July Release via foia.state.gov

August 7, 2015: According to Nick Merrill, a Clinton press secretary, “She did not send nor receive any emails that were marked classified at the time.” (Observer.com)

August 10, 2015: Clinton makes court declaration under penalty of perjury per request from U.S. District Court Judge Emmet Sullivan. (Via Politico“While I do not know what information may be ‘responsive’ for purposes of this law suit, I have directed that all my emails on clintonemail.com in my custody, that were or potentially were federal records be provided to the Department of State, and on information and belief, this has been done,” wrote Clinton (view declaration here).

August 11, 2015: McCullough updates his statement to Congress on classified materials on personal electronic storage devices,  saying that Clinton emails reviewed contains information classified up to TOP SECRET//SI/TK//NOFORM. (See pdf file here)

August 12, 2015: Server was transferred to the FBI by Platte River Networks, a Denver firm hired by Clinton (via Associated Press)

August 13, 2015:  Gawker Media has previously requested the release of emails belonging to Philippe Reines, the loyal Hillary Clinton aide and former deputy assistant secretary of state. The department claimed that “no records responsive to your request were located.”  On August 13, lawyers for the U.S. Attorney General submitted a court-ordered status report to the U.S. District Court of the District of Columbia in which it disclosed that State employees had discovered “5.5 gigabytes of data containing 81,159 emails of varying length” that were sent or received by Reines during his government tenure. Of those emails, the attorneys added, “an estimated 17,855” were likely responsive to Gawker’s request (See status report for the court via Gawker).

August 17, 2015: Screeners of the 30,000 Hillary Clinton e-mail messages ordered released by a federal judge in May have flagged 305 of those documents for further review by U.S. intelligence agencies, government lawyers said in court papers. (via Bloomberg)

August 17, 2015: Clinton told reporter Clay Masters with Iowa Public Radio what she thinks will come of her controversial decision to exclusively use private email while secretary of state. “I think this will all sort itself out,” Clinton said. “And in a way, it’s kind of an interesting insight into how the government operates. Because if I had not asked for my emails all to be made public, none of this would have been in the public arena. But I want people to know what we did, I’m proud of the four years I was secretary of state.” (Via Politifact)

August 19, 2015: An email from a top Clinton adviser containing classified military intelligence information, and one from a top aide containing classified information about the Benghazi terror attack, were reportedly the documents that kick-started the FBI investigation into the mishandling of classified information. See the two of the Benghazi-related emails on the server (Via Fox News)

August 20, 2015: U.S. District Judge Emmet Sullivan orders the State Department to work with the FBI to determine if any of Hillary Clinton’s emails on her server during her tenure as secretary of state could be recovered. The State Department has 30 days to comply with Sullivan’s order. (Via Fox News) At a hearing for a Freedom of Information Act lawsuit against the State Department, Judge Sullivan of Federal District Court for the District of Columbia, said that “we wouldn’t be here today if the employee had followed government policy.” (Via NYTimes)

August 21, 2015: Dozens of Clinton emails were classified from the start, U.S. rules suggest (Via Reuters)

August 21, 2015: Clinton attorney David Kendall writes a letter to U/S for Management Patrick Kennedy and explains how, contrary to a Judge Emmet D. Sullivan’s s comment this week, her use of personal email was permitted under the NARA, FRA and FAM guidelines in place at the time she served. (letter here via ScribD)

August 21, 2015:  The lawyer for Huma Abedin, a longtime confidante of Hillary Rodham Clinton, wrote a letter to the State Department disputing concerns that Senator Charles E. Grassley raised about a possible conflict of interest involving her. (read the letter via NYTimes)

August 24, 2015: State Dept. Spokesman John Kirby Tells CNN:  “At The Time, When She Was Secretary Of State, There Was No Prohibition To Her Use Of A Private Email”

 

Sigh … to be continued

October 22, 2015: Clinton is scheduled to appear before the Select Committee on Benghazi.

#

P.S. For obvious reasons, the slugfeast ring for this post is disabled.

US Embassy London Local Employee Charged With Cyberstalking, Computer Hacking and Wire Fraud

Posted: 5:50 pm EDT

 

We posted about this case last May (see State Dept Employee Posted at US Embassy London Faces ‘Sextortion’ Charges in Georgia). On August 19, the Justice Department announced that a locally employed staff member of US Embassy London,  Michael C. Ford, 36, was charged by indictment on Aug. 18, 2015, with nine counts of cyberstalking, seven counts of computer hacking to extort and one count of wire fraud.  During the Daily Press Briefing of May 21st, the deputy spokesperson for the State Department informed the press that as of May 18th, this individual is no longer an embassy employee.

Via USDOJ | August 19, 2015:

WASHINGTON—A former locally-employed staff member of the U.S. Embassy in London was charged with engaging in a hacking and cyberstalking scheme in which, using stolen passwords, he obtained sexually explicit photographs and other personal information from victims’ e-mail and social media accounts, and threatened to share the photographs and personal information unless the victims ceded to certain demands.

Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, U.S. Attorney John A. Horn of the Northern District of Georgia, Director Bill A. Miller of the U.S. Department of State’s Diplomatic Security Service and Special Agent in Charge J. Britt Johnson of the FBI’s Atlanta Division made the announcement.

Michael C. Ford, 36, was charged by indictment on Aug. 18, 2015, with nine counts of cyberstalking, seven counts of computer hacking to extort and one count of wire fraud.

“According to the indictment, Ford hacked into e-mail accounts and extorted sexually explicit images from scores of victims,” said Assistant Attorney General Caldwell. “As these allegations highlight, predators use the Internet to target innocent victims. With the help of victims and our law enforcement partners, we will find those predators and hold them accountable.”

“Ford is alleged to have hacked into hundreds of e-mail accounts and tormented women across the country, by threatening to humiliate them unless they provided him with sexually explicit photos and videos,” said U.S. Attorney John Horn. “This sadistic conduct is all the more disturbing as Ford is alleged to have used the U.S. Embassy in London as a base for his cyberstalking campaign.”

“The Diplomatic Security Service is firmly committed to working with the Department of Justice and our other law enforcement partners to investigate allegations of crime and to bring those who commit these crimes to justice,” said Director Miller. “When a public servant in a position of trust is alleged to have committed a federal felony such as cybercrime, we vigorously investigate such claims.”

“While the allegations in this case are disturbing, it does illustrate the willingness and commitment of the FBI and its federal partners to aggressively follow those allegations wherever they take us,” said Special Agent in Charge Johnson. “The FBI will continue to provide significant resources and assets as we address complex cyber based investigations as seen here.”

According to allegations in the indictment, from January 2013 through May 2015, Ford, using various aliases that included “David Anderson” and “John Parsons,” engaged in a computer hacking and “sextortion” campaign to force numerous women to provide him with personal information and sexually explicit photographs and videos. To do so, Ford allegedly posed as a member of the fictitious “account deletion team” for a well-known e-mail service provider and sent notices to thousands of potential victims, including members of college sororities, warning them that their accounts would be deleted if they did not provide their passwords.

Using the passwords collected from this phishing scheme, Ford allegedly hacked into hundreds of e-mail and social media accounts, stole sexually explicit photographs and personal identifying information (PII), and saved both the photographs and PII to his personal repository.

Ford then allegedly e-mailed the victims and threatened to release the photographs, which were attached to the e-mails, unless they obtained videos of “sexy girls” undressing in changing rooms at pools, gyms and clothing stores, and then sent the videos to him.

The indictment alleges that, when the victims either refused to comply or begged Ford to leave them alone, Ford responded with additional threats, including by reminding the victims that he knew where they lived. On several occasions, Ford allegedly followed through with his threats by sending sexually explicit photographs to victims’ family members and friends.

During the pendency of the alleged scheme, Ford was a civilian employee at the U.S. Embassy in London, England. He allegedly used his government-issued computer at the U.S. Embassy to conduct the phishing, hacking and cyberstalking activities.

The charges and allegations contained in an indictment are merely accusations. The defendant is presumed innocent unless and until proven guilty.

The case is being investigated by the U.S. Department of State’s Diplomatic Security Service and the FBI. The Criminal Division’s Office of International Affairs and the U.S. Embassy in London provided assistance. The case is being prosecuted by Senior Trial Attorney Mona Sedky of the Criminal Division’s Computer Crime and Intellectual Property Section, Trial Attorney Jamie Perry of the Criminal Division’s Human Rights and Special Prosecutions Section and Assistant U.S. Attorney Kamal Ghali of the Northern District of Georgia.

Anyone who believes that they are the victim of hacking, cyberstalking, or “sextortion” should contact law enforcement. Resources regarding hacking and other cybercrimes can be found at: https://www.fbi.gov/about-us/investigate/cyber.

#

State Dept Responds to Purported ISIS ‘Hit List’ — This Gives Me A Sad

Posted: 3:18 pm EDT

On August 16, we blogged this: Purported ISIS ‘Hit List’ With 1,482 Targets Includes State Department Names.  We asked the State Department about this over the weekend. We wanted to know if the agency has been able to confirmed the affected State personnel. The State Department, on background, told us this:

We acknowledge the reports. While we will not comment on or confirm the specifics of this particular assertion, we know that malicious actors often target email accounts of government and business leaders across the United States.

We’ve also inquired about its response, or guidance to personnel , if any, and the State Department, still on background, would only say this:

We believe it is important for not only government and private sector companies but also individuals to improve their cybersecurity practices. That is why this Administration is working hard to raise our cyber defenses across the board.

Yikes! ¯\_(ツ)_/¯  

Well, we hope they’re talking to employees behind the firewall with more substance than this two-sentence practically useless response.

*

We have not been able to find anything State Department related-response/guidance on this on the public net, but DOD has some useful reminders posted on the wide-web, no logons required. The first set of slides below is actually a social networking cybersecurity awareness briefing by Diplomatic Security. The slide set appears dated a few years back (uses 2009 examples) and is not available, as far as we can tell, from state.gov. We found this set posted on the slideshare site maintained by the Defense Department. The other two set of slides are on opsec for families and one on geotagging safety for those who posts photos online. both from the DOD site.

Social Networking Cybersecurity Awareness


.

Social Media Cyber Security Awareness Briefing | OPSEC For Families

.

Social Media Roundup/Geotagging Safety

#

Burn Bag: Embarrassed by Hillary Server Scandal (*/_⧹) Not Enough Facepalms

Via Burn Bag:

“I understand most in our profession are admirers of Hillary, but the lack of response from the Department on this e-mail issue is a disgrace.  A Cabinet-level official and her top aides completely disregard IT security policies for 4 years, and we’re not even recognizing how badly we failed?  How many in the Executive Secretariat knew about this?  Short of formal reprimands, have we at least said this must never happen again?  Maybe a FAM amendment explicitly forbidding senior officials from doing this?”

via reactiongifs.com

via reactiongifs.com

#

State Dept Releases New 3 FAM 4170 aka: The “Stop The Next Peter Van Buren” Regulation

Posted: 3:41 am EDT

Congratulations!  This is almost three years in the making!

We’ve previously covered the Peter Van Buren case quite extensively in this blog (see After a Year of Serious Roars and Growls, State Dept Officially Retires FSO-Non Grata Peter Van Buren). The State Department officially retired Mr. Van Buren on September 30, 2012. He left with full retirement. In December 2012, we were informed by inside the building sources that the Department was rewriting its 3 FAM 4170 rules on official clearance for speaking, writing, and teaching. (see State Dept to Rewrite Media Engagement Rules for Employees in Wake of Van Buren Affair).

On July 27, 2015, two months short of Year 3 since Mr. Van Buren retired, the State Department without much fanfare released its new 3 FAM 4170 rules in 19 pages. For the FAM is not a regulation; it’s recommendations” crowd, we hope you folks have great lawyers.

My! Look who’s covered!

The updated FAM, same as the old FAM, is divided into two meaty parts — official capacity public communication and personal capacity public appearances and communications.  The new version of 3 FAM 4170 is all encompassing, covering the following (not exhaustive list):

— all personnel in the United States and abroad who are currently employed (even if in Leave Without Pay status) by the Department of State and the United States Agency for International Development (USAID), including but not limited to Foreign Service (FS) employees, Civil Service (CS) employees (including schedule C appointees and annuitants returning to work on temporary appointments on an intermittent basis, commonly referred to as “While Actually Employed (WAE)” personnel), locally employed staff (LE Staff), personal service contractors (PSCs), employees assigned to fellowships or details elsewhere and detailees or fellows from other entities assigned to the Department, externs/interns, and special government employees (SGEs).

— Former Department of State employees (including former interns and externs) must seek guidance from A/GIS/IPS for applicable review process information. Former USAID employees (including former interns and externs) must consult the Bureau for Legislative and Public Affairs for applicable review process information.

— Employee testimony, whether in an official capacity or in a personal capacity on a matter of Departmental concern, may be subject to the review requirements of this subchapter. Employees should consult with the Department of State’s Office of the Legal Adviser or USAID’s Office of the General Counsel, as appropriate, to determine applicable procedures.

In practical terms, we think this means that if you get summoned to appear before the House Select Benghazi Committee and is testifying in your personal capacity as a former or retired employee of the State Department, these new regulations may still apply to you, and you may still need clearance before your testimony.

Convince us that we’re reading this wrong, otherwise, somebody poke Congress, please.

Also, does this mean that all retired FSOs who contribute to ADST’s Oral History project are similarly required to obtain clearance since by its definition, “online forums such as blogs” and “a person or entity engaged in disseminating information to the general public” are considered media organizations under these new rules?

Institutional interest vs. public interest

We are particularly interested in the personal capacity publication/communication rules because that’s the one that can get people in big trouble, as shown in the Van Buren case. Here’s the equivalent of our bold Sharpie.

3 FAM 4176.4 says:  “A principal goal of the review process for personal capacity public communications is to ensure that no classified or other protected information will be disclosed without authorization. In addition, the Final Review Office will evaluate whether the employee’s public communication is highly likely to result in serious adverse consequences to the efficiency or mission of the Department, such that preventing those consequences outweighs the employee’s presumptively high interest in communicating and the public’s interest in receiving the communication.”

 

Institutional interest trumps public interest? Where do you draw the line? You can still write a dissent cable as the “3 FAM 4172.1-3(D). No Review of Dissent Channel Communications” included in the 2009 version of the FAM survives as 3 FAM 4171 (e) in the current rules:

Views on matters of Departmental concern communicated through methods of internal communication (including, for example, the Department’s internal dissent channel) or disclosures made pursuant to 5 U.S.C. 2302(b)(8)(B) are not subject to the review requirements of this subchapter.

Which is fine and all, except — who the heck gets to read your dissent cable except the folks at Policy Planning? The State Department is not obligated to share with Congress or with the American public any dissenting opinions from its diplomats. One might argue that this is appropriate, after all, you can’t have diplomats second guessing in public every foreign policy decision of every administration. So, the American public typically only hears about it when a diplomat quits.  But given the two long wars in Iraq and Afghanistan, is the American public best served by this policy?  And by the way, candid opinion like the case of the six-page memo, entitled “The Perfect Storm,” in the lead up to the Iraq War, is still classified. Why is that?

The new regs also say this:

“To the extent time and resources allow, reviewers may assist the employee in identifying possible modifications or other adjustments to avoid the inclusion of non-classified but otherwise protected information, or the potential for adverse consequences to the Department’s mission or efficiency (including the employee’s ability to perform his or her duties effectively in the future).”

If we weigh the Van Buren book against these parameters, how much of the book’s 288 pages would survive such “modifications” or “adjustments.”

There goes the book, We Meant Well in Afghanistan, Also.

The Peter Van Buren Clause

We’ve come to call “3 FAM 4172.1-7 Use or Publication of Materials Prepared in an Employee’s Private Capacity That Have Been Submitted for Review as the Peter Van Buren clause. Below is the original language from the 2009 version of the FAM:

An employee may use, issue, or publish materials on matters of official concern that have been submitted for review, and for which the presumption of private capacity has not been overcome, upon expiration of the designated period of comment and review regardless of the final content of such materials so long as they do not contain information that is classified or otherwise exempt from disclosure as described in 3 FAM 4172.1-6(A).

That section of the FAM appears to survive under the current 3 FAM 4174.3 Final Review Offices, underlined for emphasis below.

c. To ensure that no classified information is improperly disclosed, an employee must not take any steps to proceed with a public communication (including making commitments to publishers or other parties) until he or she receives written notice to proceed from the Final Review Office, except as described below. If, upon expiration of the relevant timeframes below, the Final Review Office has not provided an employee with either a final response or an indication that a public communication involves equities of another U.S. Government entity (including a list of the entity or entities with equities), the employee may use, issue, or publish materials on matters of Departmental concern that have been submitted for review so long as such materials do not contain information described in 3 FAM 4176.2(a) and taking into account the principles in 4176.2(b). When an employee has been informed by the Final Review Office that his or her public communication involves equities of another U.S. Government entity or entities, the employee should not proceed without written notice to proceed from the Final Review Office. Upon the employee’s request, the Final Review Office will provide the employee with an update on the status of the review of his or her public communication, including, if applicable, the date(s) on which the Department submitted the employee’s communication to another entity or entities for review. Ultimately, employees remain responsible for their personal capacity public communications whether or not such communications are on topics of Departmental concern.

The Van Buren clause appears to survive, until you take a closer look; italicized below for emphasis:

3 FAM 4176.2 (a) Content of Personal Capacity Public Communications

a. When engaging in personal capacity public communications, employees must not:

(1) Claim to represent the Department or its policies, or those of the U.S. Government, or use Department or other U.S. Government seals or logos; or

(2) Disclose, or in any way allow the public to access, classified information, even if it is already publicly available due to a previous unauthorized disclosure.

3 FAM 4176.2 (b) Content of Personal Capacity Public Communications

b. As stated in 3 FAM 4174.2(c)(1), a purpose of this review process is to determine whether the communication would disclose classified or other protected information without authorization. Other protected information that is or may be subject to public disclosure restrictions includes, but is not limited to: 

(1) Material that meets one or more of the criteria for exemption from public disclosure under the Freedom of Information Act (FOIA), 5 U.S.C. 552(b), including internal pre-decisional deliberative material; 

(2) Information that reasonably could be expected to interfere with law enforcement proceedings or operations;

(3) Information pertaining to procurement in violation of 41 U.S.C. 2101-2107;

(4) Sensitive personally identifiable information as defined in 5 FAM 795.1(f); or

(5) Other nonpublic information, when used in a manner as prohibited by 5 CFR 2635.703.

Can one make the case that the conversations between the writer and his boss in the Van Buren book are “internal pre-decisional deliberative material?” Or that any conversation between two FSOs are deliberative? Of course. State can make a case about anything and everything.  Remember, it did try to make the case that the book contained classified information. (see “Classified” Information Contained in We Meant Well – It’s a Slam Dunk, Baby!). Also, we should note that documents marked SBU or sensitive but unclassified are typically considered nonpublic information.  Under these new rules, it’s not just classified information anymore, anything the agency considers deliberative material or any nonpublic material may be subject to disclosure restrictions.

 

3 FAM 4174.2 Overview (2015): Waving the ‘suitability for continued employment’ flag

c. Employees’ personal capacity public communications must be reviewed if they are on a topic “of Departmental concern” (see 3 FAM 4173). Personal capacity public communications that clearly do not address matters of Departmental concern need not be submitted for review.

(1) The personal capacity public communications review requirement is intended to serve three purposes: to determine whether the communication would disclose classified or other protected information without authorization; to allow the Department to prepare to handle any potential ramifications for its mission or employees that could result from the proposed public communication; or, in rare cases, to identify public communications that are highly likely to result in serious adverse consequences to the mission or efficiency of the Department, such that the Secretary or Deputy Secretary must be afforded the opportunity to decide whether it is necessary to prohibit the communication (see 3 FAM 4176.4).

(2) The purposes of the review are limited to those described in paragraph (1); the review is not meant to insulate employees from discipline or other administrative action related to their communications, or otherwise provide assurances to employees on matters such as suitability for continued employment (see, e.g., 3 FAM 4130 for foreign service personnel and 5 CFR 731 for civil service personnel). Ultimately, employees remain responsible for their personal capacity public communications whether or not such communications are on topics of Departmental concern.

 

More 3 FAM 4170 Fun: Not meant to insulate employees from discipline or other administrative action

3 FAM 4176.1(e) General

e. As stated in 3 FAM 4174.2(c)(1), the review process is limited to three purposes. (See also 3 FAM 4176.4.) Therefore, completion of the review process is not a Department “clearance” or “approval” of the planned communication, and is not meant to insulate employees from discipline or other administrative action related to their communications, including for conducting personal capacity public communications that interfere with the Department’s ability to effectively and efficiently carry out its mission and responsibilities, by, for example, disrupting operations, impairing working relationships, or impeding the employee from carrying out his or her duties. Ultimately, employees remain responsible for their personal communications whether or not the communications are on topics of Departmental concern.

 

3 FAM 4176.3 Employee must disclose his/her identity to Department reviewers

a. PA reviews all personal capacity public communications on matters of Departmental concern by senior officials at the Assistant Secretary level and above, including Chiefs of Mission. For all other employees wishing to communicate publicly in their personal capacity on matters of Departmental concern, there are two review processes available:

(1) Individuals may, as a first step, submit their requests for review to the Final Review Office (as described in 3 FAM 4174.3(a)). For employees submitting a request to PA, such requests should be submitted via PAReviews@state.gov. The Final Review Office will then consult with the employee’s immediate supervisor(s) and any other offices concerned with the subject matter in accordance with 3 FAM 4176.4(c). The Final Review Office will then make the final determination; and

(2) Alternatively, employees may initially submit their requests for review to their immediate supervisor(s), the Public Affairs Office in their bureaus or posts, and any other Department offices concerned with the subject matter. The materials must then be submitted to the Final Review Office, noting all such reviewers and any comments received. The Final Review Office will then verify those reviews, assess whether other reviews are needed, and make the final determination.

b. Supervisors, Public Affairs Offices, or any other offices involved in the review process must flag for the Final Review Office any view that the proposed public communication may:

(1) Contain classified or other protected information;

(2) Result in serious adverse consequences to the efficiency or mission of the Department; or

(3) Be or become high impact or high profile, for example communication that is controversial, or otherwise involves a sensitive Department priority; and

(4) The Final Review Office will then apply the standard described in 3 FAM 4176.4(a).

c. In all cases, an employee must disclose his or her identity to the relevant Department reviewers.

d. If another U.S. Government entity seeks Department review of a personal capacity public communication by that entity’s employee, the Department office in receipt of such request must coordinate with PA.

 

3 FAM 4177 Noncompliance may result in disciplinary action, criminal prosecution and/or civil liability.

a. Failure to follow the provisions of this subchapter, including failure to seek advance reviews where required, may result in disciplinary or other administrative action up to and including separation. Violations by USAID employees may be referred to the Deputy Administrator for Human Resources or USAID’s Office of the Inspector General (see 3 FAM 4320). Disciplinary action will be pursued consistent with applicable law, including 5 U.S.C. 2302

b. Publication or dissemination of classified or other protected information may result in disciplinary action, criminal prosecution and/or civil liability.

This is the part where we must remind you that what the former State Department spokesperson said about the FAM being recommendations is a serious bunch of hooey!

Oh, hey, remember the 2-day clearance for tweets …’er scandal?

We wrote about it here and here, and the “ain’t gonna happen 2-day clearance” for social media posting is now part of the Foreign Affairs Manual.  Apologies if the 2-working day review timeframe below for social media postings is too shocking for 21st century statecraft innovation purists. These are the rules, unless you can get the current State Department spokesperson to say from the podium that these are merely recommendations that employees/retirees/interns/charforce are free to ignore. We must add that the 2009 version of these rules, required that materials of official concern submitted in the employee’s private capacity must “be submitted for a reasonable period of review, not to exceed thirty days.” The old rules made no distinction whether the submitted material is a book manuscript, an article, a blogpost or a tweet.
screen grab from 3 FAM 4172

screen grab from 3 FAM 4170

Yo! What’s Missing?

The new regs emphasized the need for official clearance for official and private communication “to ensure that no classified information is improperly disclosed.” It however, does not include any guidance on the use of a private server for emails and social media postings where classified information could be improperly disclosed.

A Much Better FAM Version, Hey?

From the organizational perspective, some folks would say that this is a “much better” version of the FAM.  We’d call this a much better plug. An insider could argue that this is a “very fine sieve.”

Okeedokee, but what do you think will be its consequences for the rank and file? No one will officially admit this as the intent, but after reading this new version of 3 FAM 4170, this is what we think it really says:

The updated regs also says that “In light of the rapid pace with which many social media platforms are used, all offices, sections, or employees who routinely post to such platforms in their official capacity are encouraged to seek advance blanket authorization to engage for their social media communications, in accordance with 3 FAM 4175.1(c).”

The blanket authorization as far as we can tell only applies to those who are engaged in social media platforms in their official capacities, it makes no similar provision for employees in social media platforms in their private capacities.

Fun With Fido or Grumpy Cat

The new regs helpfully notes that “Employees who, in their personal capacity, wish to communicate publicly on matters that are clearly not “of Departmental concern” (see 3 FAM 4173) need not seek Department review under the procedures outlined herein, and need not use the personal capacity disclaimer discussed below in paragraph (b).”

So, basically, if you blog, tweet or write a book about Kitty Kat or Fidodog, or about their travels and adventures in Baghdad, Kabul, Sanaa, and all the garden spots, you don’t need to seek Department review. That is, as long as Kitty Kat is not secretly arming the rodent insurgents and tweeting about it and Fidodog is not flushing government money down the toilet and blogging about it.

#

Related items:

Read the new 3 FAM 4170 July 27, 2015 | REVIEW OF PUBLIC SPEAKING, TEACHING, WRITING, AND MEDIA ENGAGEMENT

Download it here (pdf).

 

Purported ISIS ‘Hit List’ With 1,482 Targets Includes State Department Names

Posted: 6:52 pm EDT


According
to CNN, a group calling itself the Islamic State Hacking Division recently posted online a purported list of names and contacts for Americans it refers to as “targets,” according to officials.

Though the legitimacy of the list is questionable, and much of the information it contains is outdated, the message claims to provide the phone numbers, locations, and “passwords” for 1400 American government and military personnel as well as purported credit card numbers, and excerpts of some Facebook chats.

The Guardian describes the list as a spreadsheet, published online last week which exposes names, email addresses, phone numbers and passwords. The 1,482 names include members of the U.S. Marine Corps, NASA, the State Department, the U.S. Air Force, and the FBI.

The Daily Mail  reports that the list includes an accompanying message that reads:  ‘Know that we are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts.’

The list apparently also includes the names of eight Australians and UK government personnel. In Australia where there this is huge news, Prime Minister Tony Abbott told the press, “We’ve just discovered that it’s actually able to launch cyber attacks in this country so this is a very sophisticated and deadly threat to us even here in Australia.” A chief executive of a forensic data firm in the country went so far as to advise that Canberra’s public servants get off social media. He also recommended that “on the day [ADFA] cadets enlist, their entire electronic lives be erased” and that “they should not exist on digital networks until they retire from Defence.”

The reaction here is a little less ZOMG!  Last week, then Army Chief of Staff Gen. Ray Odierno said in a press conference that “this is the second or third time they’ve claimed that and the first two times I’ll tell you, whatever lists they got were not taken by any cyber attack.”

“This is no different than the other two,” Odierno said. “But I take it seriously because it’s clear what they’re trying to do … even though I believe they have not been successful with their plan.”

CNN reports that Pentagon spokesman Lt. Col. Jeffrey Pool also cautioned that many of the military email addresses looked at least several years old, based on their suffixes. He said that shortly after this list was posted, a reminder went out to service personnel that they should limit the personal information they put on social media. “If any of your information on it is accurate, you’re very concerned,” former Homeland Security adviser Fran Townsend told CNN, “as are government officials.”

According to the Washington Examiner, State Department employees comprise about a quarter of the alleged personal information on the list. That would be about 370 names. It also says that at the bottom of the leaked document, originally posted on zonehmirrors.org, are receipts from State Department employees along with their credit card numbers.  The report notes that Islamic State supporters tweeted a link to the document and also tweeted, in one instance, information claiming to be the personal details of a staff member from the U.S. embassy in Cairo that said: “To the lone wolves of Egypt.”

Technology security expert, Troy Hunt,  writes that “nothing makes headlines like a combination of ISIS / hackers / terrorism!” and has taken a closer look with an analysis here. Mr. Hunt’s conclusion — drawn merely from looking at the leaked list and applying what he observed from experience with previous data dumps leaked list —  is that “the data is almost certainly from multiple locations and very unlikely to be from a single data breach.” Also that “most of the data is easily discoverable via either existing data breaches or information intentionally made public.” He writes, “Even the source of the amalgamated data is unverifiable – it could be someone who does indeed wish harm on the individuals named, it could be a kid in his pyjamas, there’s just not enough information to draw a conclusion either way.”

In his analysis of the ISIS list, Mr. Hunt says that “there are many sources from which attributes in this list can be compiled.” As an example, he cited the Adobe breach of 2013 in which 152M records were leaked, which includes 257k .gov email addresses. He writes:

The ISIS list has a lot of state.gov email addresses – Adobe leaked 1,657 of those and they look just like this:

state.gov email addresses in the Adobe data breach

state.gov email addresses in the Adobe data breach via Troy Hunt (used with permission)

“Adobe also leaked password hints so you can begin to quite easily build a profile around people working in the US State Department,” he said.

Would be good to know if any of the names in the Adobe breach are showing up in the ISIS list. We have not seen the purported ISIS list or the names from the Adobe hack but we hope somebody at State is looking at those names. Folks probably need to work on their password hints, too.

In a separate post, Mr. Hunt also notes this:

“The hyperbole and the fear, uncertainty and doubt that spread over this was just off the scale compared to the significance of the actual data. Here we have what amounts to little more than easily discoverable information mostly already in the public domain and suddenly it’s become a huge terror hack. [….] However, the legitimacy of the claims that this was an “ISIS hack” appear to have gotten in the way of a good story and the news has simply run with it.

A couple more reading clips below from Troy Hunt:

.

.

There’s not much one can do with the Adobe, Target, Home Depot, OPM hack except to sign up for credit monitoring service or put a credit freeze on one’s account. That is, if we’re concerned about identity thief. But those services  will not work against potential blackmails related to a foreign government hack, or online threats related to potentially scraped data, collected from websites and social media accounts.

We are persuaded by Mr. Hunt’s analysis that this was not a real hack. But real or not, the information is out there and thinking about ‘lone wolf’ offenders seduced by ISIS’ call, in the U.S. or elsewhere is not paranoid.  Folks might consider this a good excuse to review their digital footprint.

The threats online — whether real or part of propaganda — is not going to abate anytime soon. This is the world as it is, and not an attempt at hyperbole.  Employees overseas can report these threats to RSOs but hey, have you seen the rundown of the RSO’s managed programs?   We don’t even know what specific office at State tracks these breaches or who has responsibility for online threats. Was anyone notified by State when the Adobe breach occurred in 2013 and leaked hundreds of official emails? Were those emails changed?  A talkinghead writinghead would like to know.

Also some of USG’s overseas posts still display the official email addresses of personnel in public affairs, and those dealing with contracts, solicitations, and acquisitions on their websites. Those should be generic e-mail accounts not linked to an individual’s name but linked instead to the section, function or office, e.g. Sanaacontracts@state.gov. Makes better sense as people rotate jobs anyway.

We’re trying to find if Diplomatic Security has any response, guidance, reminder for State Department personnel given this report and the Burn Bag received earlier.  Would be a good time as any to issue an opsec reminder. We will have a follow-up post if/when we get an official response.

 #

UK Ambassador to Lebanon Signs Off With a Memorable Blog Post: So…Yalla, Bye

Posted: 12:58 am EDT

“The driving quest of diplomacy is for imperfect ways to help people not kill each other.”
-Tom Fletcher

The Naked Diplomat is done for now.  Tom Fletcher, the British Ambassador to Lebanon signed off from his diplomatic assignment recently. Quite a valedictory address blogpost. Excerpt below:

Dear Lebanon,

Sorry to write again. But I’m leaving your extraordinary country after four years. Unlike your politicians, I can’t extend my own term.

When I arrived, my first email said ‘welcome to Lebanon, your files have been corrupted’. It should have continued: never think you understand it, never think you can fix it, never think you can leave unscathed. I dreamt of Beirutopia and Leb 2020 , but lived the grim reality of the Syria war.

Bullets and botox. Dictators and divas. Warlords and wasta. Machiavellis and mafia. Guns, greed and God. Game of Thrones with RPGs. Human rights and hummus rights. Four marathons, 100 blogs, 10,000 tweets, 59 calls on Prime Ministers, 600+ long dinners, 52 graduation speeches, two #OneLebanon rock concerts, 43 grey hairs, a job swap with a domestic worker, a walk the length of the coast (Video). I got to fly a Red Arrow upside down, and a fly over Lebanon’s northern border to see how LAF is enforcing Lebanese sovereignty. I was even offered a free buttock lift – its value exceeded our £140 gift limit, so that daunting task is left undone.

Your politics are also daunting, for ambassadors as well as Lebanese citizens. When we think we’ve hit bottom, we hear a faint knocking sound below. Some oligarchs tell us they agree on change but can’t. They flatter and feed us. They needlessly overcomplicate issues with layers of conspiracy, creative fixes, intrigue. They undermine leaders working in the national interest. Then do nothing, and blame opponents/another sect/Sykes-Picot/Israel/Iran/Saudi (delete as applicable). They then ask us to move their cousin’s friend in front of people applying for a visa. It is Orwellian, infuriating and destructive of the Lebanese citizens they’re supposed to serve. But this frustration beats the alternative – given potential for mishap, terror or invasion, there is no substitute for unrelenting, maddening, political process.

Continue reading,  So…Yalla, Bye, running on over 300 comments right now.

#