State/OIG Officially Releases Report aka @StateDept Email Crap When FAM is Optional

Posted: 12:58 pm ET

State/OIG’s report on the Evaluation of Email Records Management and Cybersecurity Requirements (ESP-16-03), leaked yesterday, has now been officially released and posted on the oig.state.gov website (PDF). The OIG makes eight recommendations, and the State Department concurred with all of them. The report also makes clear that the State Department rule books were decorative only for some folks.

Upfront, the report makes clear where the requests for this evaluation came from, and that it covers the tenures of five secretaries of state – from Albright to Kerry:

As part of ongoing efforts to respond to requests from the current Secretary of State and several Members of Congress, the Office of Inspector General (OIG) reviewed records management requirements and policies regarding the use of non-Departmental communications systems. The scope of this evaluation covers the Office of the Secretary, specifically the tenures of Secretaries of State Madeleine Albright, Colin Powell, Condoleezza Rice, Hillary Clinton, and John Kerry.

State/OIG released its report to lawmakers on Wednesday.  The leaked copy of the report still includes the following notation, which, of course, did not dissuade lawmaker/s from leaking it to various media outlets:

This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

Here are a few interesting details:

HRC declined OIG’s request for an interview

OIG also interviewed dozens of former and current Department employees, including the Deputy Secretary for Management and Resources (D-MR); the Under Secretary for Management (M); the Assistant Secretary and other staff in the Bureau of Administration (A); and various staff in the Office of the Secretary and its Executive Secretariat (S/ES), the Office of the Legal Adviser (L), the Bureau of Information Resource Management (IRM), and the Bureau of Diplomatic Security (DS). In conjunction with the interviews, OIG reviewed paper and electronic records and documents associated with these offices. OIG also consulted with NARA officials. Finally, OIG interviewed Secretary Kerry and former Secretaries Albright, Powell, and Rice. Through her counsel, Secretary Clinton declined OIG’s request for an interview.

HRC’s top staffers declined OIG requests for interviews

In addition to Secretary Clinton, eight former Department employees declined OIG requests for interviews: (1) the Chief of Staff to Secretary Powell (2002-05); (2) the Counselor and Chief of Staff to Secretary Clinton (2009-13); (3) the Deputy Chief of Staff for Policy to Secretary Clinton (2009-11) and the Director of Policy Planning (2011-13); (4) the Deputy Chief of Staff for Operations to Secretary Clinton (2009-13); (5) the Deputy Assistant Secretary for Strategic Communication (2009-13); (6) the Director of the S/ES Office of Information Resources Management (2008-13); (7) a Special Advisor to the Deputy Chief Information Officer (2009-13) who provided technical support for Secretary Clinton’s personal email system; and (8) a Senior Advisor to the Department, who supervised responses to Congressional inquiries (2014-15). Two additional individuals did not respond to OIG interview requests: the Deputy Secretary of State for Management and Resources (2011-13) and an individual based in New York who provided technical support for Secretary Clinton’s personal email system but who was never employed by the Department.

State/IPS gets an “F” for records retention reviews during FIVE Secretaries’ terms.

The Office of Information Programs and Services (IPS) is the component of the Bureau specifically tasked with issuing records guidance and overseeing records management efforts of the Department. Upon request, IPS reviews the records management practices of Department offices. The Acting Co-Director of IPS currently serves as the Agency Records Officer with program management responsibility for all records Department-wide throughout their life cycle (creation, acquisition, maintenance, use, and disposition). IPS has provided briefings, in conjunction with S/ES, to Office of the Secretary staff and has issued Department-wide notices and cables about records retention requirements, some of which included requirements to save email records, including records contained in personal emails. According to the FAM, the Agency Records Officer is “responsible for seeing that the Department and all of its component elements in the United States and abroad are in compliance with Federal records statutes and  regulations,” yet IPS has not reviewed Office of the Secretary records retention practices during the current or past four Secretaries’ terms.

NARA gets an “F” for failing to do records retention reviews for 25 years!

Although NARA is responsible for conducting inspections or surveys of agencies’ records and records management programs and practices, it last reviewed the Office of the Secretary’s records retention practices in 1991–a quarter century ago. Beginning in 2009, NARA has relied on annual records management self-assessments and periodic reports from the Department to gauge the need to conduct formal inspections. The Department’s last two self-assessments did not highlight any deficiencies.

FOIA Fun! No email accounts from Secretary Clinton’s staff were in retired material.

In April 2015, S/ES retired nine lots of electronic records containing approximately 16 gigabytes of data, consisting of emails, memoranda, travel records, and administrative documents from the tenures of former Secretaries Powell, Rice, and Clinton. However, the only email accounts included in this material were those of six of former Secretary Powell’s staff and two of former Secretary Rice’s staff. No email accounts from Secretary Clinton’s staff were in the retired material.

The audacity of rank: different rule books for different people

OIG identified many examples of staff using personal email accounts to conduct official business; however, OIG could only identify three cases where officials used non-Departmental systems on an exclusive basis for day-to-day operations. These include former Secretaries Powell and Clinton, as well as Jonathan Scott Gration, a former Ambassador to Kenya. Although the former Ambassador was not a member of the Office of the Secretary, the Department’s response to his actions demonstrates how such usage is normally handled when Department cybersecurity officials become aware of it.
[…]
[T]he Ambassador continued to use unauthorized systems to conduct official business. The Department subsequently initiated disciplinary proceedings against him for his failure to follow these directions and for several other infractions, but he resigned before any disciplinary measures were imposed.  OIG could find no other instances where the Department initiated disciplinary procedures against a senior official for using non-Departmental systems for day-to-day operations.

Dammit! No guidance or approval obtained

Throughout Secretary Clinton’s tenure, the FAM stated that normal day-to-day operations should be conducted on an authorized AIS, yet OIG found no evidence that the Secretary requested or obtained guidance or approval to conduct official business via a personal email account on her private server. According to the current CIO and Assistant Secretary for Diplomatic Security, Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs. However, according to these officials, DS and IRM did not—and would not—approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM and the security risks in doing so. […] OIG found no evidence that Secretary Clinton ever contacted IRM to request such a solution, despite the fact that emails exchanged on her personal account regularly contained information marked as SBU.

Top State Department officials “unaware” of scope of HRC’s email use

In addition to interviewing current and former officials in DS and IRM, OIG interviewed other senior Department officials with relevant knowledge who served under Secretary Clinton, including the Under Secretary for Management, who supervises both DS and IRM; current and former Executive Secretaries; and attorneys within the Office of the Legal Adviser. These officials all stated that they were not asked to approve or otherwise review the use of Secretary Clinton’s server and that they had no knowledge of approval or review by other Department staff. These officials also stated that they were unaware of the scope or extent of Secretary Clinton’s use of a personal email account, though many of them sent emails to the Secretary on this account.

Dammit! No reporting compliance for cybersecurity incidents

In another incident occurring on May 13, 2011, two of Secretary Clinton’s immediate staff discussed via email the Secretary’s concern that someone was “hacking into her email” after she received an email with a suspicious link. Several hours later, Secretary Clinton received an email from the personal account of then-Under Secretary of State for Political Affairs that also had a link to a suspect website. The next morning, Secretary Clinton replied to the email with the following message to the Under Secretary: “Is this really from you? I was worried about opening it!” Department policy requires employees to report cybersecurity incidents to IRM security officials when any improper cyber-security practice comes to their attention. 12 FAM 592.4 (January 10, 2007). Notification is required when a user suspects compromise of, among other things, a personally owned device containing personally identifiable information. 12 FAM 682.2-6 (August 4, 2008). However, OIG found no evidence that the Secretary or her staff reported these incidents to computer security personnel or anyone else within the Department.

Two staffers who got it right were told to just pretty please shut up

Two staff in S/ES-IRM reported to OIG that, in late 2010, they each discussed their concerns about Secretary Clinton’s use of a personal email account in separate meetings with the then-Director of S/ES-IRM. In one meeting, one staff member raised concerns that information sent and received on Secretary Clinton’s account could contain Federal records that needed to be preserved in order to satisfy Federal recordkeeping requirements. According to the staff member, the Director stated that the Secretary’s personal system had been reviewed and approved by Department legal staff and that the matter was not to be discussed any further. As previously noted, OIG found no evidence that staff in the Office of the Legal Adviser reviewed or approved Secretary Clinton’s personal system. According to the other S/ES-IRM staff member who raised concerns about the server, the Director stated that the mission of S/ES-IRM is to support the Secretary and instructed the staff never to speak of the Secretary’s personal email system again.

Note that Politico is reporting that “a 2012 directory lists John Bentel as the director of the office that handles information technology for the Office of the Secretary. Bentel no longer works for State and has refused to answer Congressional investigators’ questions on this matter.

GOP reps are falling over each other, trying to release their own statements. And a Democratic congressional rep has already released a statement accusing the IG of a “hit job.” Man, this is the only “hit job” with extensive footnotes and appendices.

Proper respect goes to OIG Steve Linick and his team who did good work under challenging circumstances.

  • Jennifer L. Costello, Team Leader, Office of Evaluations and Special Projects
  • David Z. Seide, Team Leader, Office of Evaluations and Special Projects
  • Jeffrey McDermott, Office of Evaluations and Special Projects
  • Robert Lovely, Office of Evaluations and Special Projects
  • Michael Bosserdet, Office of Inspections
  • Brett Fegley, Office of Inspections
  • Kristene McMinn, Office of Inspections
  • Timothy Williams, Office of Inspections
  • Aaron Leonard, Office of Audits
  • Phillip Ropella, Office of Audits
  • Kelly Minghella, Office of Investigations
  • Eric Myers, Office of Investigations

Read the OIG report below:

#