Foreign Service Members Offer Candid Views of @StateDept Mental Health Services (via FSJ)

Posted: 3:04 am EDT


The January issue of the Foreign Service Journal is out. The issue is focused on mental health care for the Foreign Service. Dr. Samuel Thielman, a recently retired regional medical officer/psychiatrist for the Department of State, writes about how MED’s mental health program has grown and evolved over the years to address the unusual needs of FS employees and their families serving overseas in The Evolution of State’s Mental Health Services. Chantay White, the chief of the Employee Assistance Program with the State Department Employee Consultation Services, and Paulette Baldwin, a Licensed Clinical Social Worker, write about Mental Health and ECS—What You Should Know. Dr. Stephen A. Young, the director of Mental Health Services for the State Department since September 2015, writes about The Face of Mental Health Services Overseas.

One part of the bureaucracy that is glaringly missing here is, of course, Diplomatic Security.  A majority of these comments express concern about DS and security clearance. The most instructive part is probably the section on MED/MHS Checkup: Foreign Service Members Weigh In that offers very candid views from people in the field.

The FSJ writes that the compilation includes 45 responses from FS members in Washington, D.C., and overseas, some entry-level and a few retired, from the foreign affairs agencies, primarily State and USAID. The gender split was about even. “Due to the sensitive nature of the topic, and known concerns about privacy, we took the unprecedented step of offering to print comments without attribution,” the editors write.

Some excerpts below, each paragraph selected from a separate FS member response.  The last one It’s No Joke is in full; the contributor appears to be part of US Mission Libya following the 2012 attacks. The full comments are available to read here.

“Dealing with the bureaucracy after having sought mental health treatment is itself enough to cause PTSD.”

“Senior officers, in particular, need to set the example by ensuring that their employees understand that a mental health issue, like any ailment, is best addressed early. Until they do, we will all still sign notes like this as… Anonymous.”

“During a rough patch in a relationship, my partner and I sought couples counseling. When my security clearance was up for renewal, I was grilled by the investigator regarding this counseling. I had to defend myself for wanting counseling, and the harsh and critical tone she took for me wanting to do what I needed for my relationship was upsetting. I got the clearance, but it was a stressful process.”

“After service in Iraq, there is no doubt in my mind that I suffered from PTSD. Now (several years later), I see my symptoms as both classic and obvious. At the time I was suffering, however, I hid my symptoms out of fear that knowledge that I suffered from PTSD would harm my career. That concern was heightened by the intense questioning I endured by a Diplomatic Security agent conducting a security clearance update when I was serving in Iraq. When it became known that I had sought mental health care, I was hassled and forced to repeat the content of a private discussion with a mental health professional to a DS agent with zero mental health training. I found the entire episode both distasteful and inappropriate.”

“My mistake—I was told by MED that I’d be given a Class 2 because of seeking continued therapy. I thought that showing that I’d made arrangements for my mental health would ensure a Class 1, but instead that’s what gave me the Class 2. Geez, why be honest with MED—it could have cost me my assignment.”

“I met with a therapist who told me he never wrote anything down because all of his FS clients were terrified of getting caught seeking assistance for their stress-related problems. It’s sad. Concerns about security clearances have a big effect on whether or not I seek mental health care.”

“I feel that if I had declared myself an alcoholic I would have gotten more attention from MED than when I was traumatized and sat in my office working, feeling like an isolated zombie.”

“Once I joined the Foreign Service, I could easily understand why there is an impression that the Service has an alcohol abuse problem—it’s self-medication that is easy to hide from a clearance process. I find that distressing and disturbing and extremely unsupportive.”

“Despite former Secretary of State Hillary Clinton’s message a few years ago telling employees that their clearance will not be affected by seeking mental health treatment, that is not what happens in practice. DS investigators zero in on this, considering it a red flag, as if mental health were any different than physical health.”

“No matter what management says about the importance of mental health, if there are no real changes, then the Foreign Service will continue to be an ineffective and unsupportive mental health environment.”

“You also do not know who the regional psychiatrist’s client really is: you or the State Department? Does a psychiatrist see you as a patient who needs help or just a problem for the Foreign Service best remedied by removing you from post?”

“The mandatory out brief improved between the time I returned from Afghanistan in 2007 and 2012, when I returned from Iraq. However, both times I was told that the symptoms in the PTSD questionnaire are normal for six months and not to worry unless they persist. (And I was offended when taken aside after the briefing and asked how pervasive I thought infidelity was in Baghdad.)”

“During the onward assignments process, MED refused to consider my needs as identified by my therapist, instead assigning me to a post where there was no one in-country who could serve as an appropriate psychiatrist. There, I raised an issue of concern with the health unit nurse, who in turn shared it with the management officer, who then told my supervisor that I was “nuts.” This was not only a violation of my privacy; it reflected total ignorance on the management officer’s part of what PTSD and its symptoms are.”

“I would rate the mental health support at 3 out of 10, with 10 being the best. Working in a high-stress post that was not a “high-threat” post, my colleagues and I were given limited support in a time of crisis.”

“I am grateful for the mental health assistance available to me. If it weren’t for grief counseling, I would have qualms about seeing the RMO/P, because I’d need to disclose this in the five-yearly security update. And while that disclosure might not affect my security clearance, I still think there’s a stigma attached to the fact that I needed mental health assistance.”

“As a veteran of two priority staffing post (PSP) tours—one in Iraq (2007–2008) and the other in Afghanistan (2013–2014)—my experience with transition support has been abysmal. Just getting authorization to attend out briefings and to access mental health services was impossible.”

“I am not concerned about medical and security clearances as they relate to mental health care. Most people have seen a therapist at one time or another, and I don’t think it would affect a security clearance. But corridor reputation is a concern. Even when people need to talk to a mental health professional, they’re more worried about their corridor reputation and often won’t seek help due to the stigma of being “weak.””

“In my final post, when I had finally had enough bullying from my fourth bully boss (three of whom were DCMs and one a GS-15), I worked with the regional psychiatrist who prescribed two anti-anxiety/anti-depressants and a sleeping pill to help me cope. I sought assistance from the ombudsman, but received no help, so I resigned.”

“I had discussed my mental health with the regional psychiatrist during his visits, but he just gave me Xanax and told me panic attacks were normal. He asked me about work-related stress, but reported the results of our meetings with post leadership, contributing to my stress.”

“When State does not actively intervene in cases of abusive behavior, managers are given the impression that they have carte blanche to do whatever they want. Even if victims get mental health care afterwards, the damage has been done. From what I hear, the problem is getting worse and more widespread. It doesn’t have to be this way. Instead of sending out feel-good cables on workplace atmosphere and bullying, put policies in place that have real teeth. A zero-tolerance policy for workplace bullies, administered neutrally and enforced by D.C., would lead to an instant decrease in unacceptable behaviors and the resulting damage they cause.”

It’s No Joke

The first MED-directed mental health intervention that was provided in Tripoli after the Benghazi attacks on Sept. 11, 2012, was a video conference in April 2013, conveniently less than a week before the Director General arrived for a visit to Libya. Prior to that, the only service provided was a discussion with the nurse about “fostering resiliency” several months after the attack…hardly a useful assist.

The half-day course for those returning from hardship posts is a joke. I took it after my first (!) unaccompanied tour (UT), and both the instructor and some of the other students made fun of me for enrolling, since at the time my tour was seen as one of the “cupcake UTs,” without an active war going on outside the embassy walls. I refused to take the course after my second UT. No one from HR or my bureau asked if I’d taken it or even how I was doing after the second UT.

An RMO/P made fun of some of my coworkers in a high-stress, high-threat post that happened to be a popular destination for American tourists. He told them that they had no idea what serving in an actually difficult post was like, comparing it to the regional city where he was based. Never mind the fact that almost every person at that highly desirable but still challenging post got there via a tour in Iraq or Afghanistan.

I have neither respect for nor faith in MED’s mental health efforts. As long as MED is staffed with people who see mental health as an inconvenience, supported by State leadership (from the very top down) who barely pay lip service to mental health and a work-life balance, there’s no hope for anyone who suffers in the aftermath of an emotionally catastrophic tour abroad. At least there is solidarity among those who survived terrible times abroad.

Read in full the candid views from the field via the Foreign Service Journal.



OPM Data Breach Victims Get New Verification Site Through DOD, ID Protection Services Through ID Experts

Posted: 1:23 am EDT



OPM’s Cybersecurity Resource Center allows individuals impacted by the hack to sign up for protection services through ID Experts or verify if one is impacted by the data breach through DOD.

OPM says that while it is “not aware of any misuse of your information,” it is offering victims and dependent minor children who were under the age of 18 as of July 1, 2015, credit and identity monitoring, identity theft insurance, and identity restoration services for the next three years “through ID Experts, a company that specializes in identity theft protection.”

According to OPM, the identity theft insurance became effective on September 1, 2015 and the scope of the coverage includes all claims submitted on or prior to December 31, 2018. This insurance covers expenses incurred in restoring identity and is valid for amounts up to $1,000,000 with no deductible.

If you received a notification letter and PIN code from the Office of Personnel Management, OPM has determined that your Social Security Number and other personal information was stolen in a cyber intrusion involving background investigation records. You have to sign up for MyIDCare to access the protection it offers.


OPM has published what its notification letters look like:

The Federal Government has also set up a verification center to assist individuals who have lost their PIN code or believe their data may be impacted but have not yet received notification letters. If you believe that you were impacted, but have not yet received your notification letter, OPM asks that you wait until mid-December before contacting the verification center. The Federal Government anticipates completing the mailing of notification letters by the end of the second week in December.

To verify by phone, call 866-408-4555 Toll Free; 503-520-4453 International; 503-597-7662 TTY or verify online here through DOD.

The verification website offered through the Department of Defense says that its purpose is “To provide breach notification and facilitate the provision of breach mitigation services to individuals affected by the breach of information in the Office of Personnel Management (OPM) background investigation databases.”

DoD will also “use the data to respond to breach verification inquiries received from individuals using the link on OPM’s website that redirects individuals to a DoD website where they can enter their information to find out if they have been affected by this breach. These records may also be used for tracking, reporting, measuring, and improving the Department’s effectiveness in implementing this data breach notification.”


Click here for the Frequently Asked Questions. If you have already enrolled and have questions or concerns about your post-enrollment services, you may call OPM’s 800-750-3004.




When the Boss Is Last to Know: Chaffetz Snoops at the Secret Service

Posted: 1:06 pm EDT


The Department of Homeland Security Inspector General has completed its independent investigation into allegations that one or more Secret Service agents improperly accessed internal databases to look up the 2003 employment application of Congressman Jason Chaffetz, Chairman of the House Committee on Oversight and Government Reform. The Inspector General has confirmed that between March 24 and April 2, 2015, on approximately 60 different occasions, 45 Secret Service employees accessed Chaffetz’ sensitive personal information. The OIG concluded that only 4 of the 45 employees had an arguable legitimate need to access the information.

Here is the IG’s conclusion:

This episode reflects an obvious lack of care on the part of Secret Service personnel as to the sensitivity of the information entrusted to them. It also reflects a failure by the Secret Service management and leadership to understand the potential risk to the agency as events unfolded and react to and prevent or mitigate the damage caused by their workforce’s actions.


via dhs/oig

All personnel involved – the agents who inappropriately accessed the information, the mid-level supervisors who understood what was occurring, and the senior leadership of the Service – bear responsibility for what occurred. Better and more frequent training is only part of the solution. Ultimately, while the responsibility for this activity can be fairly placed on the shoulders of the agents who casually disregarded important privacy rules, the Secret Service leadership must do a better job of controlling the actions of its personnel. The Secret Service leadership must demonstrate a commitment to integrity. This includes setting an appropriate tone at the top, but more importantly requires a commitment to establishing and adhering to standards of conduct and ethical and reasonable behavior. Standards of conduct and ethics are meaningful only if they are enforced and if deviations from such standards are dealt with appropriately.

It doesn’t take a lawyer explaining the nuances of the Privacy Act to know that the conduct that occurred here – by dozens of agents in every part of the agency – was simply wrong. The agents should have known better. Those who engaged in this behavior should be made to understand how destructive and corrosive to the agency their actions were. These agents work for an agency whose motto – “worthy of trust and confidence” – is engraved in marble in the lobby of their headquarters building. Few could credibly argue that the agents involved in this episode lived up to that motto. Given the sensitivity of the information with which these agents are entrusted, particularly with regard to their protective function, this episode is deeply disturbing.

Additionally, it is especially ironic, and troubling, that the Director of the Secret Service was apparently the only one in the Secret Service who was unaware of the issue until it reached the media. At the March 24th hearing, he testified that he was “infuriated” that he was not made aware of the March 4th drinking incident. He testified that he was “working furiously to try to break down these barriers where people feel that they can’t talk up the chain.” In the days after this testimony, 18 supervisors, including his Chief of Staff and the Deputy Director, were aware of what was occurring. Yet, the Director himself did not know. When he became aware, he took swift and decisive action, but too late to prevent his agency from again being subject to justified criticism.

Read the full report here. Check out Appendix 1 for the chronological access to the Chaffetz record which includes multiple field offices, including the London office. Appendix 2 is the timeline of record access.

We can’t remember anything like this happening in the recent past.  There was the 1992 passportgate, of course, which involves a presidential candidate, but that’s not quite the same. In 2009, the DOJ said that a ninth individual pleaded guilty for illegally accessing numerous confidential passport application files, although it was for what’s considered “idle curiosity.”

Whether the intent of the Chaffetz record breach was to embarrass a sitting congressman or curiosity (not everyone who looked at the files leaked them to the media), the files are protected by the Privacy Act of 1974, and access by employees is strictly limited to official government duties. Only 4 of the 45 employees who did access the Chaffetz records had a legitimate reason to access the protected information. If the DOJ pursued 9 State Department employees for peeking at the passport records of politicians and celebrities, we can’t imagine that it could simply look away in this case. Particularly in this case. Winter is definitely coming to the Secret Service.



The State Dept’s 360 Degree Feedback as Placement Tool, and Probably, a Lawsuit Waiting to Happen

Posted: 2:05 am EDT

We originally wrote about the 360 degree feedback in 2008 as it started gaining popularity within the State Department (see Sexing up the 360-Degree Feedback, Revisited). We thought then, and we still think now, that using the 360° feedback for evaluative purposes (instead of using it primarily for development), especially when a candidate’s next job is on the line, can easily transform this useful learning tool into inflated, useless material with real consequences for operational effectiveness. We understand from comments received this past July that this is being used as a developmental tool by Consular Affairs and the Leadership and Management School at FSI (see a couple of feedback), but those are, in all likelihood, the two exceptions. The 360 degree feedback is primarily used as an assignments or placement tool.

In 2013, the Marine Corps Times reported that the Pentagon was expanding its use of “360-degree” reviews for senior officers, but legal concerns may limit their inclusion in any formal promotion or command screening process:

Even if there is interest among the brass to formalize the process, there may be big legal hurdles to expanding the 360-review process beyond a strictly confidential tool for self-awareness.

Officers have valid concerns about anonymous and unverified criticisms seeping into the official process for doling out promotions, command assignments or seats at prestigious schools.

If officers feel their career was damaged by a harsh 360-degree review, they might insist on knowing precisely who lodged the criticisms in order to rebut them. And if the confidentiality is questioned, then the whole endeavor ceases to have much value.
From a legal standpoint, that officer might have a right to file a Freedom of Information Act request to find out who submitted that confidential review.

“The more that’s at stake … the more difficult it will be to maintain the anonymity,” the senior official said. “And, of course, if you don’t maintain the confidentiality, then you have a very different product,” because peers and subordinates will be far less likely to offer candid criticism.

In April 2015, an official Pentagon study concluded that the “360-degree reviews” probably should not be used as a part of the formal military evaluation and promotion process. Below via the Military Times:

[T]he new report cites a long list of legal, cultural and practical concerns that would prevent this type of review’s widespread use in determining who gets selected for promotions, command assignments or slots at prestigious schools.

In 2013, Congress ordered the Defense Department to do a thorough assessment of whether and how 360-degree reviews should be used in the military personnel system.

Rand researchers concluded that the tools should be limited to personnel development programs, which means some troops are subject to 360-degree reviews but the results are provided only to the individual for his or her own benefit, and are not included in any official personnel file.

In the September issue of the Foreign Service Journal, consular-coned officer William Bent, currently serving at the US Embassy in Barbados, pens a Speaking Out piece on the need for the State Department to reevaluate its use of the 360-degree reviews.

Mr. Bent spells out the following concerns as the 360 feedback continues to be used as a placement tool by “assignment decision-makers”:

♨︎ || The reviews are seldom transparent. In current practice, the assessed employee usually has no idea what feedback the deciding official has received, and an employee receiving any negative feedback is rarely, if ever, contacted to discuss the issues raised. This creates the potential for unsubstantiated criticism that can unfairly undermine an employee’s chance for advancement. One does not have to assume deliberate career sabotage here: as a manager, one sometimes has to make unpopular decisions that years later still rankle former subordinates who, because of inexperience, may not have had the full picture.

The Bureau of Consular Affairs’ recent development of the Consular Bidder Assessment Tool addresses the issue of transparency by allowing the assessed employee to see the anonymous feedback statements. But the employee is denied the opportunity for a timely discussion of the results (bidders are instructed not to attempt to discuss results until after bidding season is over). This is a surprising approach from the bureau that brought us the innovative CLI.

The DCM/principal officer 360-degree reviews are neither transparent, nor do they provide any opportunity for assessed employees to obtain feedback.

♨︎ || The reviews have little value because the assessed employee chooses the assessor. On the whole, most peers and subordinates resist being frank and candid in their reviews. Having the assessed employee pick his or her own assessors emphasizes this tendency, skewing the results.

It also replicates the EER problem: when everyone walks on water, the decision-makers try to read between the lines, looking for any chinks in an individual’s armor. Paradoxically, this feeds into the concerns discussed above, since any negative review raises bells and whistles and is given extra weight.

♨︎ || Use of 360-degree reviews for purposes other than development remains controversial among human resource experts. Using them to determine assignments is akin to using them as performance appraisals, which some human resource experts see as detrimental to an organization because of its negative effect on personal growth. When the results are not shared in a transparent way, trust is undermined.
♨︎ || The State Department’s use of 360s in determining assignments was not adequately studied prior to implementation. This practice appears to have been implemented on an ad hoc basis several years ago, with a few bureaus using email as a platform to receive input. The use of 360s has now proliferated, with all bureaus involved in the assignment process utilizing them to make decisions.

Yet there seems to have been no prior centralized review of the ramifications of broad use of the tool on the Foreign Service workforce. The use of SharePoint and other technologies to gather the results also raises confidentiality questions (some 360s have been posted—I assume accidentally—on the State Department’s intranet site).

♨︎ || Some recipients of the results may lack the training and expertise to interpret them effectively. There is a reason there are books and articles written by human resource academics and specialists on how to effectively implement and utilize the 360-degree review process. Has the State Department trained officials using the results in human resource management or the 360-degree review process? Do these officials have goals beyond filling the position in question (e.g., the further career development of an employee)?

Moreover, what role has the Bureau of Human Resources—the one bureau theoretically best placed to manage this process—played in implementing the 360 review requirements? Are career development officers discussing the results of 360s with clients to improve the employee’s chances of strengthening skills?

♨︎ || The annual deluge of 360s creates significant time and resource issues. Let’s face it, the 360 process has become a major time suck for everyone involved, with email inboxes inundated each summer with requests for 360-degree reviews. Although we all have a responsibility to assist our colleagues and the organization as a whole by diligently filling out the reviews, the sheer volume of requests can be overwhelming. This could result in less comprehensive responses that don’t give a full portrait of the assessed employee.

Mr. Bent provides four recommendations, including the immediate suspension of “the use of 360s in the Foreign Service assignment process pending the completion of a study, conducted by an outside consultant, on the effectiveness of their use.”

If the Pentagon’s decision not to jump onto the 360 degree bandwagon is not enough to give the State Department pause in its use of the 360 as part of the employees’ assignment process, then perhaps what should give them pause is the potential for privacy and FOIA litigation. 360 results posted online, hello?

We’ve located the Pentagon 360 study conducted by the Rand Corporation. In one part, it quotes a participant of its study saying, “Conventional wisdom in regards to 360-degree assessments from experts and researchers is that the most effective use of 360 assessments is to enhance professional, individual development. Once you change the purpose or intent of a 360 from development to evaluation, you affect the willingness of raters to provide candid or unfettered feedback.” That’s probably the most apt comment when it comes to the 360 degree feedback.

Read Rand’s 360-Degree Assessments: Are They the Right Tool for the U.S. Military? (pdf).




1) More Systems Compromised in #OPMHack, 2) A Love Letter to Hackers, and 3) What’s a Credit Freeze?

Posted: 3:29 am  EDT


On June 4, OPM released a statement on “a cybersecurity incident” that potentially affected personnel data of current and former federal employees, including personally identifiable information (PII) (see OPM Hack Compromises Federal Employee Records, Not Just PII But Security Clearance Info).  The initial estimate was that the OPM hack affected potentially 4 million employees. On June 12, fedscoop reported that the American Federation of Government Employees (AFGE) believed that the breach may have compromised personal data of as high as 14 million employees.

We understand that the State Department issued a notice to employees concerning the OPM breach on June 4. A second notice dated June 12 (am told this was actually a June 11 notice) was shared with BuzzFeed (see below). Several unnamed State Department employees were quoted in that BuzzFeed article, a tell-tale sign of growing frustration that we can also see from our inbox.






Excerpt from email sent by Under Secretary of Management Pat Kennedy on June 12 (via BuzzFeed)

This is an update to my previous e-mail of June 4th [repeated at the very end of this message.]

As was communicated last week, the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed the Personally Identifiable Information (PII) of some current and former Federal employees. This email provides additional information regarding next steps for those affected State Department employees. But, every employee should read this email.

In the coming weeks, OPM will be sending notifications to individuals whose PII was potentially compromised in this incident. The email will come from [DELETED] and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.

As a note of caution, confirm that the email you receive is, in fact, the official notification. It’s possible that malicious groups may leverage this event to launch phishing attacks. To protect yourself, we encourage you to check the following:

1. Make sure the sender email address is [DELETED]

2. The email is sent exclusively to your work email address. No other individuals should be in the To, CC, or BCC fields.

3. The email subject should be exactly [DELETED]

4. Do not click on the included link. Instead, record the provided PIN code, open a web browser then manually type the URL [DELETED]. You can then use the provided instructions to enroll [DELETED].

5. The email should not contain any attachments. If it does, do not open them.

6. The email should not contain any requests for additional personal information.

7. The official email should look like the sample screenshot below.

Additional information has also been made available beginning on June 8, 2015 on the company’s website [DELETED].

Regardless of whether or not you receive this notification, employees should take extra care to ensure that they are following recommended cyber and personal security procedures. If you suspect that you have received a phishing attack, contact your agency’s security office.

In general, government employees are often frequent targets of “phishing” attacks, which are surreptitious approaches to stealing your identity, accessing official computer systems, running up bills in your name, or even committing crimes using your identity. Phishing schemes use e-mail or websites to trick you into disclosing personal and sensitive information.

Oh, man.

Hopefully no one will copy this “recipe” to send folks a fake notification to enroll somewhere else.
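The checks in the notice above, apart from the visual comparison in item 7, can be applied mechanically to a saved message. The Python below is an added example, not part of the notice or of any OPM or State Department tooling; the sender, subject and host constants are placeholders because the page redacts the real values, and the final DMARC check goes beyond the notice and assumes the receiving mail gateway stamps an Authentication-Results header.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Placeholders (assumptions): the real values are redacted as [DELETED] on this page.
EXPECTED_SENDER = "notify@notification.example"
EXPECTED_SUBJECT = "EXAMPLE SUBJECT LINE"
EXPECTED_HOST = "enroll.notification.example"

URL_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.I)
# Crude heuristic for check 6: a verb asking for data, then a sensitive item.
PII_REQUEST = re.compile(
    r"\b(reply|send|confirm|provide|verify|enter)\b[^.\n]{0,60}"
    r"\b(social security|ssn|date of birth|password|account number)", re.I)


def _addresses(msg, *headers):
    """Lower-cased addresses found in the named headers."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def check_notification(raw, my_address):
    """Return the checks a raw RFC 5322 message fails (empty list = passes)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    if _addresses(msg, "From") != [EXPECTED_SENDER]:
        findings.append("sender")            # check 1: exact sender address
    if _addresses(msg, "To", "Cc", "Bcc") != [my_address.lower()]:
        findings.append("recipients")        # check 2: addressed to you alone
    if str(msg.get("Subject", "")) != EXPECTED_SUBJECT:
        findings.append("subject")           # check 3: exact subject line

    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    # Check 4: the notice says to type the URL by hand and never click.
    # Any embedded link pointing at a different host is flagged here.
    if any(h.lower() != EXPECTED_HOST for h in URL_HOST.findall(body)):
        findings.append("link")
    if list(msg.iter_attachments()):
        findings.append("attachment")        # check 5: no attachments
    if PII_REQUEST.search(body):
        findings.append("pii_request")       # check 6: asks for more data

    # Added beyond the notice: the From header is trivially forged, so also
    # require a DMARC pass recorded by the receiving gateway (assumed present).
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    if "dmarc=pass" not in auth.lower():
        findings.append("unauthenticated")
    return findings


def build_sample(sender, to, subject, body, cc=None, auth=None, attach=False):
    """Construct a sample message for the demo; not real mail."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = to
    m["Subject"] = subject
    if cc:
        m["Cc"] = cc
    if auth:
        m["Authentication-Results"] = auth
    m.set_content(body)
    if attach:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename="enroll.pdf")
    return m.as_string()


ME = "jane.doe@agency.example"  # constructed recipient
LEGIT = build_sample(
    f"OPM Notice <{EXPECTED_SENDER}>", ME, EXPECTED_SUBJECT,
    "Your PIN is 12345678. Type the enrollment address into your browser.\n",
    auth="mx.agency.example; dmarc=pass header.from=notification.example")
LOOKALIKE = build_sample(
    "OPM Notice <notify@notificati0n.example>", ME,
    EXPECTED_SUBJECT + " - action required",
    "Confirm your Social Security Number here:\n"
    "http://enroll.notificati0n.example/login\n",
    cc="john.roe@agency.example", attach=True)

if __name__ == "__main__":
    print("legit:    ", check_notification(LEGIT, ME))
    print("lookalike:", check_notification(LOOKALIKE, ME))
```

An empty result only means the message is consistent with the published checklist; the PIN should still be entered at a hand-typed address, as item 4 requires.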

On May 28, just days before the OPM breach was reported, OPM issued a solicitation for OPM Privacy Act Incident Services. The services required include 1) notification services, 2) credit report access services, 3) credit monitoring services, 4) identity theft insurance and recovery services, and 5) project management services. According to the solicitation, these services will be offered, at the discretion of the Government, to individuals who may be at risk due to compromised Personally Identifiable Information (PII).  The $20,760,741.63 contract for Call 1 was awarded to Winvale Group, LLC on June 2 but was published on fedbiz on June 5, the day after the breach was reported. Call 1 contract includes services to no more than 4 million units/employees.

Note that the State Department notice dated June 12 says that “email should not contain any attachments” (#5). The OPM Services awarded on June 2 includes the following: Contractor email Notification: The Contractor will prepare and send email notifications to affected individuals using read receipts. Emails (or attachments) will appear on Government letterhead, will contain Government-approved language, and will contain the signature of the Government official(s). Emails may contain one or more attachments. Email notification proof(s) will be provided to the Government for approval not later than 48 hours after award of a Call against the BPA. The Government will approve the email notification within 24 hours to enable the Contractor to begin preparation for distribution. The Contractor will require, receipt, track, and manage read receipts for email notifications.

Get that?

Now this. Somebody from State sent us a love letter for the hackers:

Dear Hackers: While you’re in there, please get my travel voucher for $291.46 approved, permanently cripple Carlson Wagonlit so we can stop wasting money on a useless product, and figure out how many special political hires there really are roaming our halls.  Oh and please don’t use my SF-86 info against my parents, it isn’t their fault I was an idiot and gave the government every last bit of info on my entire life.  I’m sure there’s more but it’s the weekend, let’s chat Monday. #LetsActLikeNothingHappened #SeriouslyThoughWTF .

And because the initial report is often understated per abrakadabra playbook hoping the bad news will go away, we’re now hearing this:

Oops, wait, what’s this?

Well, here is part of that email sent from “M” on  June 15, 5:35 pm ET:

“OPM has recently discovered that additional systems were compromised. These systems include those that contain info related to background investigations of current, former, and prospective Federal government employees, as well as other individuals from whom a Federal background investigation was conducted. This separate incident…was discovered as a result of OPM’s aggressive efforts to update its cybersecurity posture… OPM will notify those individuals whose info may have been compromised as soon as practical. You will be updated when we have more info on how and when these notifications will occur.”

So that original OPM estimate of 4 million affected employees is now OBE. That original $20 million contract will potentially go up.

Brian Krebs’ piece on credit monitoring, the default response these days when a breach happens, is worth a read. Basically, he’s saying that credit monitoring services aren’t really built to prevent ID theft (read Are Credit Monitoring Services Worth It?).

What can you do besides the suggestions provided by the State Department and OPM? Brian Krebs suggests a “credit freeze” or a “security freeze” not discussed or offered by OPM. Check out the very informative Q&A here.


We know what else is on our to-do list today.


Former Secretary Clinton talks about her private emails

Posted: 01:11 am  EDT


Excerpt from the transcript of Hillary Clinton’s remarks on the email controversy swirling about via Time’s @ZekeJMiller:

There are four things I want the public to know.

First, when I got to work as secretary of state, I opted for convenience to use my personal email account, which was allowed by the State Department, because I thought it would be easier to carry just one device for my work and for my personal emails instead of two.

Looking back, it would’ve been better if I’d simply used a second email account and carried a second phone, but at the time, this didn’t seem like an issue.

Second, the vast majority of my work emails went to government employees at their government addresses, which meant they were captured and preserved immediately on the system at the State Department.

Third, after I left office, the State Department asked former secretaries of state for our assistance in providing copies of work-related emails from our personal accounts. I responded right away and provided all my emails that could possibly be work-related, which totalled roughly 55,000 printed pages, even though I knew that the State Department already had the vast majority of them. We went through a thorough process to identify all of my work-related emails and deliver them to the State Department. At the end, I chose not to keep my private personal emails — emails about planning Chelsea’s wedding or my mother’s funeral arrangements, condolence notes to friends as well as yoga routines, family vacations, the other things you typically find in inboxes.

No one wants their personal emails made public, and I think most people understand that and respect that privacy.

Fourth, I took the unprecedented step of asking that the State Department make all my work-related emails public for everyone to see.

I am very proud of the work that I and my colleagues and our public servants at the department did during my four years as secretary of state, and I look forward to people being able to see that for themselves.

Again, looking back, it would’ve been better for me to use two separate phones and two email accounts. I thought using one device would be simpler, and obviously, it hasn’t worked out that way.


The Clinton folks have also released a Q&A on her email use:




So if we tell over 70,000 employees that they should secure their email accounts and “avoid conducting official Department business from your personal email accounts,” then we go off and use our own private non-government email, what leadership message are we sending out to the troops?  Follow what I say not what I do?


The secretary of state is the highest classifying authority at the State Department. Since she did not have a account, does this mean she never sent/received any classified material via email in the entirety of her tenure at the State Department? If so, was there a specific person who routinely checked classified email and cable traffic intended for the secretary of state?


The podium heads insist that there is no restriction in use of private emails. Never mind that this is exclusive use of private emails. If a junior diplomat or IT specialist sets up his/her own email server to conduct government business at the home backyard shed in Northern Virginia, do you think Diplomatic Security would not be after him or her? Would he/she even get tenured by the Tenuring Board despite systems management practices contrary to published guidelines?  If the answer is “yes,” we’d really like to know how this works. For ordinary people.

And then there’s this — if there were a hundred people at State that the then secretary of state regularly sent emails to, was there not a single one who said, “wait a minute, this might not be such a great idea”?


Bottom line despite this brouhaha? Her personal email server will remain private. She has full control over what the public gets to see. End of story. Or maybe not.


Oops, what’s this? Oh, dear.



State Dept refused to name its SGEs because of reasons #1, #2, #3, #4 and … oh right, the Privacy Act of 1974

— Domani Spero

Last week, ProPublica posted this: Who Are State Dept’s 100 “Special Government Employees”? It Won’t Say.  We blogged about it here: Who Are State Dept’s 100 “Special Government Employees”? Dunno But Is Non-Disclosure For Public Good? Today, the Project On Government Oversight (POGO) has more on the subject. And after months of giving one reason or another to the reporters pursuing this case, the State Department is down to its Captain America shield  — the Privacy Act of 1974.

Below excerpted from POGO: State Dept. Won’t Name Advisers Already in Government’s Public Database:

They’ve all been selected to advise the State Department on foreign policy issues. Their names are listed on the State Department’s website.

So why won’t the Department disclose that these individuals are special government employees (SGEs)?

For four months, State has refused to name its SGEs, ProPublica reported last week, leaving the public to guess which outside experts are advising the Department on matters that affect the public’s interest.

Yet, the Project On Government Oversight was able to find more than 100 of the advisers identified as SGEs in an online government database. In other words, some of the information that State has been refusing to provide is hiding in plain sight.

State has refused to identify any of its special employees, even though most agencies contacted by ProPublica were easily able to provide a list of their SGEs.

First, a State spokeswoman told ProPublica her agency “does not disclose employee information of this nature.”

When ProPublica filed a request seeking the list of names under the Freedom of Information Act (FOIA), it was told the agency doesn’t keep such a list, and State’s FOIA office refused to track down the information because it would require “extensive research.”

In September, ProPublica told State it planned to report that the Department was refusing to provide a list of names. In response, State said the FOIA request “was being reopened” and that the records would be provided “in a few weeks,” according to ProPublica.

“The State Department has since pushed back the delivery date three times and still hasn’t provided any list,” ProPublica reported last week. “It has been four months since we filed the original request.”

On Friday, a State official told The Washington Post that the Department is “diligently working to resolve” the FOIA request. The official cited concerns about “maintaining employee protections of privacy.”

State’s posture over the past several months is at odds with POGO’s finding: why can’t the Department give the press the same information it already supplied to a public database?

“Disclosure of certain employee information is subject to the Privacy Act of 1974,” Alec Gerlach, a State spokesperson, told POGO. “That some information may already be publicly available does not absolve the Department of Privacy Act requirements. Whether someone is an SGE is Privacy Act-protected information that we would not release except through the FOIA process.”

However, one of the authors of ProPublica’s story questioned why State hasn’t turned over the requested records. “I think anytime a government agency won’t reveal information, it raises questions about why they aren’t,” Liz Day, ProPublica’s Director of Research, told POGO.

Holy mother of god of distraught spoxes!  Okay, please, try not to laugh. It is disturbing to watch this type of contortion, and it seems to be coming regularly these days from Foggy Bottom.

Seriously.  If this is about the Privacy Act of 1974, why wasn’t ProPublica told of this restriction four months ago? And does that mean that all other agencies who released their SGE names were in violation of the Privacy Act of 1974?

Also, State/OIG was told that “The number of special government employee filers was given as 100.”  A State Department spokeswoman told ProPublica that there are “about 100” such employees.  But what do you know?  The Project On Government Oversight was able to find more than 100 of the advisers (excel download file) identified as SGEs in an online government database. Are there more? How many more?

The list does not include the more famous SGEs of the State Department previously identified in news reports.

New message from Mission Command:  “Good morning, Mr. Hunt (or whoever is available). Your mission, should you choose to accept it, involves the retrieval of very Special Government Employee (SGE) names. There are more than a hundred names but no one knows how many more.  They are padlocked in the Privacy Act of 1974 vault, guarded by a monstrous fire-breathing creature from Asia Minor. PA1974 vault location is currently in Foggy Bottom.  As always, should you or any member of your team be caught or killed, everybody with a badge will disavow all knowledge of your actions. This message will self-destruct in five seconds.  If not, well, find a match and burn.”

* * *





Take Time Today to Tell Your Senators to #StopCISPA

Via the Electronic Frontier Foundation.  Click on the image below to use EFF’s automated system to email your senators.  Sunlight Foundation shows that backers of the Cyber Intelligence Sharing and Protection Act had $605 million in lobbying expenditures from 2011 through the third quarter of last year compared to $4.3 million spent by opponents of the bill. Lopsided resources in action.


EFF: U.S. House of Representatives Shamefully Passes CISPA; Internet Freedom Advocates Prepare for a Battle in the Senate

ACLU:  CISPA Explainer #1: What Information Can Be Shared?

ACLU: CISPA Explainer #2: With Whom Can Information Be Shared?

ACLU:  CISPA Explainer #3: What Can Be Done With Information After It Is Shared?

The Security Skeptic:  What you (still) need to know about CISPA

— DS






US Embassies Cyprus & Greece: Federal Benefits Recipients at Risk of Identity Theft

You’ve heard about the financial crisis roiling the tiny Mediterranean island of Cyprus.  The €10 billion bailout announced recently is not going to be the end of it.  According to The Telegraph, Cyprus central bank official Yiangos Dimitriou has confirmed that the cashing of cheques will be banned as part of the introduction of capital controls. Dimitriou also announced that bank withdrawals will be limited to €300 a day.  Reuters reported that people leaving Cyprus may take only €1,000 with them. Apparently, there are also notices at the airport warning travelers of the new restrictions and that officers had orders to confiscate cash above the €1,000 euro limit.

Given that the 2010 OIG report of US Embassy Nicosia made no mention of American Citizen Services, we presume that there are not too many American residents in the island.  American retirees have flocked to Greece and their number in Cyprus is significantly lower than the UK pensioners, of which there are reportedly about 18,000 in the island. We understand that the Athens consular district is home to approximately 110,000 American citizens and there is a federal benefits attaché at the US Embassy in Greece who reports to the consul general.

Still, there are potentially enough Americans residing and banking in Cyprus, which prompted the Federal Benefits Unit at the US Embassy in Athens to release the following statement:

We have arranged the following contingencies for customers who receive their federal benefits through Cyprus banks. Under any of these options, direct deposit changes usually occur 2 months after the month we receive the request, so do not close your old account until you receive the first payment in your new account.

Send an email to to change how you receive direct deposits.

Use a Subject Line in this format: SUBJECT: CYPRUS – Your name and last 4 digits of your social security number

In the message, provide the following:

1. Last name and first name

2. Street Address

3. Phone Number

4. Social Security Number (9 Digits), and

5. Direct deposit information, depending on the option you request.

Options include designating a bank in the United States to receive direct deposits, designating a bank in Greece to receive direct deposits (though the account must be in euros), and requesting a Chase Direct Benefit Card from JP Morgan Chase Bank.

Read in full here.

Similarly, the contact info for the Federal Benefits Unit in Nicosia requires beneficiaries to provide their SSN via email to .


The intention to help as expeditiously as possible is commendable, but did anyone stop and pause to consider how this might put retirees and recipients at risk of identity theft?

Did anyone stop and think how Social Security information is an identity thief’s dream?

With your Social Security number in hand, an opportunistic hacker or other online criminal can do just about anything — create phony bank accounts using your name; charge unlimited amounts of goods and services to credit accounts you never meant to open; steal your identity and recreate it multiple times and in multiple locations.

What security provisions are there to minimize potential misuse of SSNs transmitted via unencrypted email?

Where is the disclosure statement required under the Privacy Act?

The Privacy Act states that you cannot be denied a government benefit or service if you refuse to disclose your SSN unless the disclosure is required by federal law, or the disclosure is to an agency that has been using SSNs before January 1975, when the Privacy Act went into effect. There are other exceptions as well. Read the Code of Federal Regulations section here:

If you are asked to give your SSN to a government agency and no disclosure statement is included on the form, you should complain to the agency and cite the Privacy Act of 1974. You can also contact your Congressional representative and U.S. Senators with your complaint. Unfortunately, there appear to be no penalties when a government agency fails to provide a disclosure statement.

Asking the federal benefits beneficiaries to send their social security numbers via email is like asking them to write it on a postcard.  C’mon folks,  would you write and mail yours on a postcard? No? Well then ….




US Embassy Manila: George Anikow, Diplomatic Spouse Killed in Early Morning Altercation

Citing the Information Officer of the US Embassy in Manila Tina Malone, reported that the husband of an American Embassy employee was killed in Makati City, in the Philippines on Saturday, November 24.  Ms. Malone declined to disclose more details about the incident but did say that the Philippine National Police (PNP) have suspects in custody and that “The US Embassy appreciates the cooperation of the Philippine authorities, and will work closely with the PNP in their investigation.”

An ABS-CBN report identified the victim as George Anikow, who was allegedly killed by 4 suspects at around 4 am, Saturday, in front of the gate of Bel-Air Subdivision.  Elsewhere local reports also indicate that US embassy press attache Tina Malone confirmed the incident but refused to give out the name of the victim for “privacy reasons.” Various news reports spelled the victim’s name as Anico.

The alleged attackers, young men who reportedly come from well-off Filipino families, ranged in age from 22 to 28 and are publicly named by the news report here.

The Philippine Daily Inquirer also reported this incident:

George Anikow, 41, an inactive US marine officer, died on Saturday morning after he was mauled and fatally stabbed at the back and left shoulder in an event so random he and the other men hardly knew each other, Senior Supt. Manuel Lukban, Makati police chief, said in an interview.

The victim, a dependent of one of the officers of the US Embassy, was awaiting order from the US Marine to be called to duty, the police said.

Lukban said the Makati police opted to file murder, a non-bailable offense, instead of homicide since the attackers chased the victim “with the intent to kill.”

We emailed the US Embassy Manila last night but have yet to receive a response (which may or may not come).  We’ve also seen the public affairs arms of embassies do this often enough citing “privacy reasons” for the deceased in refusing to release or confirm the identity of victims.  They ought to know better than that since the privacy rules no longer cover the dead. Would be a lot more understandable if they decline to provide details due to sensitivity to the next of kin rather than privacy rules.

While we have been unable to confirm this, it looks like the FSO in this case is a first tour officer on a consular assignment to the US Embassy in Manila.  Public records also indicate that the US Embassy in Manila back in August solicited a quotation for a service apartment for this FSO and her family (spouse,  three children 12, 10 and 6 and a 50 lb Labrador) for 40 nights ending on September 24, 2012. Which seems to indicate they were in temporary housing until late September.  And if that’s the case, then they have just moved in to Bel-Air within the last two months, a private subdivision and gated community in Makati where the victim was reportedly a resident.

The latest Crime and Security Report issued by the Regional Security Office of the US Embassy says that crime is a significant concern in urban areas of the Philippines. Typical criminal acts include pick pocketing, confidence schemes, acquaintance scams, and, in some cases, credit card fraud. It also says that carjacking, kidnappings, robberies, and violent assaults sporadically occur throughout metro Manila and elsewhere in the Philippines.