— By Domani Spero

On September 30, President Obama proclaimed October 2013 as National Cybersecurity Awareness Month.  In light of that proclamation, we’re highlighting a grievance case by a Foreign Service officer who downloaded and installed the Mozilla Firefox browser which potentially cost him a promotion.  The State Department proposed to issue him a Letter of Reprimand. The officer filed a grievance challenging the issuance of a Letter of Reprimand. For relief, he asks that the decision to impose discipline be rescinded and the discipline letter be removed from his Official Personnel File (OPF). In addition, he requests that the 2011 Selection Board’s decision to promote him be given immediate effect, and that he be reimbursed for attorney’s fees. The Department denied his grievance on March 13, 2012. He appealed that decision to the Foreign Service Grievance Board on May 14, 2012.  On December 2012, the Board found that grievant’s argument was without merit and sustained the proposed discipline.

This case is available publicly (pdf) from the newly relaunched fsgb.gov.  (BTW, the site is now searchable, yay!) As far as we are aware, the State Department still only allows two browsers for official use — Internet Explorer and more recently during Secretary Clinton’s tenure, Google Chrome was approved for department-wide use.   According to the browser stats maintained by w3schools.com, Internet Explorer’s downward use continues to hover around 12% in 2013, while Chrome continues to climb above 50 percent. Firefox’s usage remains at around the 27% mark.

Now some details on this case extracted from the record of proceeding:

Grievant, an FS-03 Officer, installed a software application, Mozilla Firefox Browser, on his workstation in August 2010. Grievant admitted that he installed the software because he was concerned that his savings accounts may have been the subject of identity theft and he wanted to check his credit union account on-line with what he thought was a safer web browser. The Mozilla software was found to be an executable application so that by downloading it grievant violated the Department’s Cyber Security Policy, and such action could have led to disruption of the Department’s cyber infrastructure. Grievant argued that he was unaware that the Mozilla Browser was an executable file when he installed it, and therefore, did not have the intent to violate the policy. The Board found that grievant’s argument was without merit and sustained the proposed discipline.

Anyone with questions about executable files should check the list here and best consult post’s information systems security officer (ISSO).

Also it might not be bad to get acquainted with 12 FAM 590 CYBER SECURITY INCIDENT PROGRAM if you haven’t already.

The government’s charge:

The Department charged the grievant with violating the directives and procedures for Cyber Security contained in 12 FAM 592.2b 8. The charge is based on grievant’s action in downloading the Mozilla Browser on his workstation on August 9, 2010. A revised cyber security program was implemented in 2007 throughout the Department. The Department asserts that grievant’s failure to comply with the cyber security policy could have resulted in damage or risk to the Department’s cyber infrastructure. The Mozilla Browser could compromise the integrity of the system and introduce a virus or malicious code.

Grievant was informed on December 22, 2010 by the Bureau of Diplomatic Security that the installation of the Mozilla Browser by him was a violation of the regulation. Grievant was further advised that the violation determination would be forwarded to the Bureau of Human Resources. Grievant was advised of his right to appeal the finding of a violation by the Bureau of Security, but chose not to do so. He did submit a Statement of Understanding acknowledging receipt of the December 22, 2010 letter and the Department’s security policies.

The Department dismisses grievant’s argument that his action in downloading the Mozilla browser required “mens rea” or a ”deliberate” act on his part to download an application that he knew was not authorized for installation. In his view, the Department has failed to prove that he made such a deliberate decision. He asserts that he did not actually know that the software was not authorized, and that his actions were inadvertent. He explains that he was ignorant that the software was an executable application that was not authorized. He states that he “lacked the knowledge of the difference between a search engine website and web browsing software.” He contends that the Department’s decision to not charge him with the downloading of the Shockwave program demonstrates that his action was not deliberate.

The FSO’s defense and argument:

Grievant has admitted that he installed Mozilla to assist himself with issues concerning his personal savings accounts. He could have used his personal computer to deal with the “spoofing” problems he was having with the possible identity theft matters. Finally, grievant should have reported the “spoofing” problems to the ISSO and checked with that office to determine if he could download Mozilla.

Grievant asserts that the proposed Letter of Reprimand should be rescinded because he lacked the intent necessary to violate the regulation. In 2009 – 2010, grievant was the victim of identity theft. He lost several thousand dollars to the thief, had to cancel his credit cards on two occasions, and was informed that his medical records were among those stolen from an Office of Medical Services database. On August 9, 2010, he received on his agency email four “spoofing” messages purporting to be from his credit union and his retirement fund.

Grievant was concerned that his savings accounts might have been stolen and his Department computer may have been compromised. He installed the Mozilla Firefox browser on his workstation instead of other browsers, such as Google, because he thought that Mozilla was a safer web browser. He was quickly informed by ISSO that Mozilla was not allowed to be downloaded on the Department’s system since it was an executable file. Grievant explained his concerns about his savings accounts and the reason that he downloaded the browser. He stated on several occasions that he did not know Mozilla was an executable file in violation of the regulation, and believed it to be a secure web-based browser. Grievant apologized and accepted responsibility for what he believed was an “inadvertent download of an executable file”.

Grievant argues that he should not be disciplined for downloading the Mozilla browser. In his view, the Department must show that it was his conscious object to download an executable file on to the Department’s network. He admits that his action was prohibited by the FAM, and that he exposed the Department to serious risk by downloading the browser on his workstation. However, he argues that the FAM requires specific intent to violate the regulation, which he did not have when the downloading took place. Grievant argues only deliberate acts, not negligent ones, are punishable under the regulation. He believes it is unjust to punish “a deliberate act that was believed would cause only a permissible result.” His action was negligent and he acted out of ignorance believing Mozilla to be a web based application rather than an executable file. In essence, he states that he believed that he was doing nothing more than accessing a website and that he lacked the knowledge required to make his action of downloading a deliberate violation of the regulation.

Grievant is remorseful and admits that he is fully responsible for his action. He did not know that he was downloading an executable file, and lacking that knowledge he did not have the mental state required by the regulation. Among other things, grievant asks that the decision to impose discipline be rescinded and the Letter of Reprimand be removed from his OPF. In addition, he asks that the Department give immediate effect to the 2011 Selection Board’s decision to promote him.

The FSGB was not persuaded:

Grievant intended to install Mozilla on his workstation. He engaged in a deliberate act. The fact that he was ignorant that it was an executable file in violation of the regulation does not obviate or lessen his culpability. As the Department points out, his action could have resulted in damage or significant risk to the Department’s cyber infrastructure, which could have caused major disruptions and loss of sensitive information. His admitted ignorance or lack of knowledge about Mozilla being an executable file does not excuse his action or his culpability for that action.

This is grievant’s first incident of any kind that caused him to be disciplined. As noted, his record is one of success and accomplishment. Grievant believes that discipline in this case is unjust. However, the proposed Letter of Reprimand is consistent with the penalties imposed in prior cases, and is reasonable under the facts of this case.

One related item, the agency’s cybersecurity was most recently in the news with a BuzzFeed exclusive report that the State Department Lacks Basic Cybersecurity. The report alleges that  “the State Department cable and messaging system, built and maintained — like the troubled ObamaCare system — mainly by large IT contractors, has routinely failed to meet basic security standards.” It further alleges that “There is hackable backdoor access to servers and the potential for spillage of classified information in the unclassified enclave.”  BuzzFeed says that it has  internal docs although those do not appear to be posted online at this time.  Read more here.

* * *