Colin Powell Is Done Talking About Hillary Clinton’s Emails, So Let’s Take A Trip Down @StateDept Tech Lane

Posted: 1:27 am ET

 

After making waves for saying “Her people have been trying to pin it on me,” former Secretary of State Colin Powell is done talking about former Secretary of State Hillary Clinton’s emails and is not commenting anymore on it.

For those too young to remember this — there was a time, not too long ago, when the State Department communicated via teletype machines (with paper tape), similar to the one below. You draft your cables on a Wang computer, give them to the local secretary to convert the document, and then she (almost always a she) runs it through the teletype machine for transmission to Main State and other diplomatic posts overseas. If I remember right, State had some creative IT folks who hooked up a DOS computer to the teletype machine so conversion was possible. You still had to print it out and it still took a lot of trees.

[Image: teletype machine, via Open Tech School]

When Colin Powell came to the State Department in 2001, the State Department was still using Wang machines similar to the one below. They were either stand-alone machines or were connected via a local area network and hooked up to a gigantic magnetic disc. If post was lucky, it got one computer also hooked up for email. Otherwise, you had a Selectric typewriter and a weekly diplomatic pouch.

[Image: Wang machine, via Pinterest]

Here is retired FSO Peter Van Buren with a look at technology at State during the Powell era.

When the rest of the world was working on PCs and using then-modern software in their offices, State clung to an old, clunky mainframe system made by the now-defunct company WANG. WANG’s version of a word processor was only a basic text editor with no font or formatting tools. Spell check was an option many locations did not have installed. IBM had bid on a contract to move State to PCs in 1990, but was rejected in favor of a renewal of the WANG mainframes.
[…]
Until Powell demanded the change, internet at State was limited to stand-alone, dial up access that had to be procured locally. Offices had, if they were lucky, one stand alone PC off in the corner connected to a noisy modem. If you wanted to use it, you needed in most cases to stand in line and wait your turn.
[…]
The way I see it, there’s about a 99.9 percent probability that he discussed his signature accomplishment at State with her, and cited his own limited, almost experimental, use of an AOL email account, as an example of how to break down the technical, security, bureaucratic, and cultural barriers that still plague the State Department today.


#

 

 

State/OIG Reviews @StateDept Policies and Controls Protecting PII and National Security Data

Posted: 2:03 am ET

 

State/OIG recently posted online its review of the State Department’s policies and controls protecting personally identifiable information (PII) data and national security data. Below is an excerpt:

The Consolidated Appropriations Act, 2016, Section 406, Federal Computer Security, requires the Inspector General of each covered agency to submit a report that contains a description of controls utilized by covered agencies to protect sensitive information maintained, processed, and transmitted by a covered system. Specifically, the Consolidated Appropriations Act requires a description of controls utilized by covered agencies to protect two types of data contained within covered systems: personally identifiable information (PII) data and national security data. Information related to national security data is covered in a classified annex to this information report.
[…]
Specifically, Williams Adley selected and reviewed 4 systems from a Department-provided listing of 216 systems (Electronic Medical Records System (eMED), Integrated Personnel Management System (IPMS), Consular Consolidated Database (CCD), and Consular Lookout and Support System (CLASS)) that provide access to PII. In addition, Williams Adley reviewed 2 National Security Systems (NSS) from a Department-provided listing of 60 systems (Chief of Mission and Special Embassy Programs Database (NSDD 38), and Principal Officers Executive Management System (POEMS)).

This report describes the policies and controls used by the Department for five specific topics identified in the Act:

(1) logical access policies and practices;

The review found only two of the six systems reviewed (eMED and IPMS) had system-specific logical access control policies.

(2) logical access controls and multi-factor authentication used;

With respect to access and multi-factor authentication, Williams Adley found the Department has not fully implemented multi-factor authentication at the entity level; however, it had implemented other logical access compensating controls to govern privileged user access. Four of the six systems reviewed (eMED, CCD, CLASS, and one NSS) had either fully or partially implemented multi-factor authentication to govern system-level privileged user logical access. The two systems that did not utilize multi-factor authentication to govern logical access of privileged users (IPMS and one NSS) relied on username and password combinations. Nevertheless, all six systems had some type of logical access controls in place.

(3) the reasons logical access controls or multi-factor authentication have not been used;

With respect to why logical access controls or multi-factor authentication are not being used, according to Department officials, two of the six systems (IPMS and one NSS) did not implement multi-factor authentication to govern system-level privileged user access because functional capabilities are not available. According to Department officials, IPMS is currently planning multi-factor implementation, while the one NSS is waiting for the Department to provide the functional capabilities necessary to implement multi-factor authentication to govern privileged user logical access.

(4) information security management practices used for covered systems;

With respect to information security management practices used for covered systems, Williams Adley found the Department uses a federated model to manage software inventory. In addition, the Department has implemented a defense-in-depth information system program. Further, the Department monitors network traffic, detects and responds to incidents, and scans for security compliance and vulnerabilities. However, the Department has only partially implemented a data loss prevention system and has not implemented digital rights management technology.

(5) policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors.

With respect to policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors, Williams Adley found the Department has a number of policies related to this topic. The relevant Department policies and procedures are established within the Department’s Foreign Affairs Manual (FAM).

The report notes that the Bureau of Information Resource Management, the Executive Secretariat’s Office of Information Resource Management, and the Bureau of Diplomatic Security provided comments to a draft of the report. Because the comments were marked sensitive, the comments have been reprinted, in their entirety, in the classified annex of the report (AUD-IT-16-45A).

The publicly available report is available here: https://oig.state.gov/system/files/aud-it-16-45.pdf

#

 

More Email Fallout and Security Clearance: @StateDept Says, “We’ll do it by the FAM.”

Posted: 4:22 am ET

The State Department has reportedly resumed its internal review related to the Clinton emails.  The spox refused to confirm “what specific materials” the State Department will consider or “what individuals may or may not be evaluated for possible employment or security clearance-related actions.” Note that this internal review is conducted by Diplomatic Security; perhaps due to public interest the results of the review may be released to the public, but that is not a given.

Via DPB dated July 15, 2016

We have additional information to provide about our internal review process. I will not be speaking about any specific case, nor will I be engaging in hypotheticals. As is standard, to protect the integrity of our work we cannot discuss the details of an ongoing review. Just as the FBI did not comment on its investigation, while it is ongoing we will not comment on our review.

That means I cannot confirm for you what specific materials we will consider or what individuals may or may not be evaluated for possible employment or security clearance-related actions. Our policy – so yes, it is —

QUESTION: What can you tell us?

MS TRUDEAU: It is moving. Yes, well, let’s go and I’ll give you exactly what we can.

Our policy is to assess each case on its own merits while taking into account all relative – relevant facts and circumstances. Furthermore, the department cannot comment on the status of any particular individual’s security clearance. Our goal is to complete this process thoroughly and expeditiously, but we will not put arbitrary deadlines on our work.

There is a significant amount of information about our process available to the public online. You’ll like this: For instance, I would point you to our Foreign Affairs Manual, specifically 12 FAM 500 and 230 sections. I’ll do my best to outline this process from the podium, but I cannot speak to every provision in the FAM. I also cannot speak to how the process will be applied to account for any specific circumstances.

In summary – and I still have a lot more to go, so stay with me – Diplomatic Security is responsible for evaluating security incidents and then reviewing them as appropriate for potential security clearance-related actions. Diplomatic Security is also responsible for referring certain incidents to our Bureau of Human Resources for potential employment actions. No matter the individual or conduct involved, the department conducts the review process in a professional, impartial, and fair manner that takes into account all relevant circumstances.

Multiple components within Diplomatic Security are involved in the process, supervised and overseen by the assistant secretary for Diplomatic Security. One component of Diplomatic Security conducts an initial assessment of security incidents and, when appropriate, issues security infractions or security violations. Security clearance reviews are conducted by a different DS component. As with Director Comey at the FBI and Attorney General Lynch at DOJ, it’s standard for our chief law enforcement officer, the assistant secretary for Diplomatic Security, to be involved with high-profile or complex matters, which is certainly the case here.

Assistant Secretary Greg Starr is the person in Diplomatic Security who is ultimately responsible for affirming or rejecting recommendations to revoke an individual’s security clearance. A decision to revoke a security clearance may be appealed to the Security Appeals Panel. Similarly, our human resource process can include multiple components, but ultimately Director General Arnold Chacon is responsible for taking disciplinary actions on an employee. That’s our process.

I know there’s questions about potential outcomes of the process. The short answer is that outcomes for any individual depend on their specific circumstances taking into account all of the relevant facts. This is what our review will determine. Current employees can face a range of employment discipline including reprimand, suspension, and termination. People with security clearances, including former employees, could have those clearances suspended and/or revoked.

We also maintain a security file on all personnel involved in security incidents. For individuals who no longer have a security clearance, the incident information is kept in their security file so it can be considered if they apply for a security clearance in the future. When evaluating whether a person remains eligible for access to classified information, the department follows the whole person approach based on the government-wide adjudication guidelines. Our Foreign Affairs Manual states that, quote, “Each case will be judged on its own merits,” end quote, based on specific, quote, “facts and circumstances,” end quote. Under the guidelines we can look at the severity of an incident, whether the person is a repeat offender, whether the individual is amenable to training or reform, and whether the incident was a technical violation or resulted in actual harm to national security.

As we have said, now that the FBI and DOJ have concluded their investigation, the department intends to conduct a review of Secretary Clinton’s emails according to our well established Security Incident Program. We’re preparing to conduct our review.

QUESTION: Okay.

MS TRUDEAU: So there’s a lot. Thank you for your patience.

QUESTION: Well, I’ve got to digest quite a few.

MS TRUDEAU: Yeah.

QUESTION: But be with me on this, because I’m trying to get my head around it.

MS TRUDEAU: Yeah.

QUESTION: So the question here is: Has the FBI handed over – and how many emails has the FBI handed over to be reviewed?

MS TRUDEAU: At this stage, we have not received any from the FBI.

QUESTION: Have they indicated to you when that’s going to be?

MS TRUDEAU: I have no timeline on that, but we have not received them.

QUESTION: And then on DS, are they the – do they have the final word? Would – does Greg Starr have the – Assistant Secretary Greg Starr have the final word on this? Or can Secretary Kerry or even the President overturn those decisions or have the final say?

MS TRUDEAU: So I said there is – as I mentioned, there is a significant amount of information about our process online. So for this particularly, look at section 230 and 500 of 12-FAM. The 500 section outlines the Security Incident Program, which is handled by the Program Applications Division of Diplomatic Security. The 230 section outlines the security clearance, which is administered by the Office of Personnel Security and Suitability, also within DS. Both components operate under the oversight and supervision of the assistant secretary for Diplomatic Security.

QUESTION: So when it comes to Diplomatic Security, is that withdrawn – as you’re investigating it, is that withdrawn at the end or is it withdrawn at the beginning? Is it frozen? How does that work?

MS TRUDEAU: So the process you’re talking about – and forgive me for the FAM references, but it’s really detailed and really specific. So if people are looking for the details on this, refer to 12-FAM 233.4. I’m going to refer you there. As a general matter, the suspension of a security clearance is available if Diplomatic Security determines it’s appropriate while they carry out their review. However, if you read the FAM, you’ll see it’s not an automatic process; whether or not to suspend a person’s clearance depends on the circumstances. It’s a judgment of the trained professionals in DS.

QUESTION: And then how unusual is it that Diplomatic Security – or how unusual is it that this process – that you use this process?

MS TRUDEAU: So I’m not – it’s – I’m not going to talk sort of precedent, but I would say that there is offices within Diplomatic Security, and this is their mandate. All of us within the department – and we’ve spoken about this; Secretary Kerry has spoken about this – have the obligation to safeguard and correctly handle information.

QUESTION: So would this also include former employees? It includes former employees, right?

MS TRUDEAU: As I’ve said.

QUESTION: As you said. Does it include employees that are not part of the State Department but might also be involved in this – in the emails?

MS TRUDEAU: Okay, I’m not going to speak, as I mentioned, to the specifics of any individual, any case. I just want to outline this broadly, bring you guys up to date on it, and give you the references, because it is such a technical and granular matter.

QUESTION: Yeah. But I mean, as you know, Secretary Kerry – Secretary Clinton has been involved in this, and a lot of people are wondering how this could affect her. So would you be able to make some kind of outcome whether it includes her or whether it includes somebody in a lower position? Is everybody going to be looked at equally?

MS TRUDEAU: Again, I just can’t speak to the specifics on who will be reviewed, what incidents will be reviewed. But I will say the review is taking place.

QUESTION: And you can’t tell us when this review is going to start?

MS TRUDEAU: No. No, they – the idea of projecting a timeline on this – we’ll say they’re committed to a fair, impartial, and absolutely rigorous process.

QUESTION: And when you say – just one more question.

MS TRUDEAU: Sure.

QUESTION: When the FBI says that it’s looking at thousands of withheld emails, that it’s going to give State thousands, you don’t know if it’s going to be thousands or if it’s going to be hundreds? You have no idea?

MS TRUDEAU: I couldn’t speak to the FBI documents.
[…]
QUESTION: Is Pat Kennedy going to be involved in any of this?

MS TRUDEAU: Okay, so thanks for the question.

QUESTION: I know there’s been some questions about that.

MS TRUDEAU: Yeah. So first, as we’ve said many times, Under Secretary Kennedy did not approve nor was he aware of the extent to which Secretary Clinton was using personal emails. No matter the individual or the conduct involved, the department will conduct and does conduct the security clearance process review in a professional, impartial, and fair manner that takes into account all relevant circumstances.

According to our Foreign Affairs Manual, the Under Secretary for Management Pat Kennedy becomes involved in a security clearance revocation in the event of an appeal. He is a member of a three-person panel that’s at the very end of our process. I’m not going to speculate that it’ll even get that far.

QUESTION: And you said Secretary Kerry is not going to be involved?

MS TRUDEAU: So Secretary Kerry will be informed of the details, the results of the review, after its completion. Again, I’m not going to speculate on outcomes or hypotheticals. As we’ve said many times from this podium, he wants this review done by the book, and the book requires Diplomatic Security lead and conduct this review.

QUESTION: And then just one more small one.

MS TRUDEAU: Sure.

QUESTION: Will the – so FAM is pretty clear that supervisors (inaudible) be held responsible for their subordinates’ actions. How are you going to deal with this? Is this —

MS TRUDEAU: That is – that’s something I think I’m not going to speculate on that. I’m not going – I can’t speak to the details of that. I can’t speak to the review. And honestly, I’m not going to get into hypotheticals on the review.

QUESTION: Yeah. And then are you going to deal it as one big infraction, or are you going to look at several —

MS TRUDEAU: Again —

QUESTION: You don’t know?

MS TRUDEAU: I can’t speak to how they’ll do it – specific incident, individuals. It’s just the review is happening.

QUESTION: Will they —

MS TRUDEAU: We’ll do it by the FAM.

#

US Embassy Havana: To Cuba, to Cuba — here are five things you should know before you go

Posted: 3:20 am ET

Are you planning a trip to Cuba? Here are five things you should know before you go, put together by US Embassy Havana:

 

#

@StateDept Spox: Lax security culture here? We don’t share that assessment

Posted: 2:47 am ET

 

Via the Daily Press Briefing with John Kirby:

QUESTION: So one of the words I think that kind of stood out in this regarding the State Department’s equities was “careless.” I think he even said extremely careless at one point regarding the former secretary and how she handled her emails – top staff around her, including some still at the department, and the agency as a whole. Do you agree that this agency was extremely careless with how it dealt with classified and otherwise sensitive information?

MR KIRBY: Well, I’m not going to, again, comment on the specific findings and recommendations that the FBI director noted today.

QUESTION: Why not?

MR KIRBY: But the question about —

QUESTION: That was a public statement.

MR KIRBY: The claim about – I do want to address this – the claim about a lax environment or culture when it comes to handling classified information. And I would just say – and I’m comfortable commenting on that because, as the director himself said, that was not part of their investigation – his – their assessment of a lax environment or culture. We don’t share that assessment of our institution. That said – and I’ve said this many times before – we’re always looking for ways to improve. We’re going to continue to look for ways to improve. But we don’t share the broad assessment made of our institution that there’s a lax culture here when it comes to protecting classified information. We take it very, very seriously.

QUESTION: But I’m sorry, you don’t share the assessment that when the former head of the agency had thousands of emails that you had to upgrade, including hundreds that were – over a hundred that were classified at the time, that that doesn’t amount to a lax approach to classified information? I mean, how many hundreds would you need for it to be lax, in your opinion?

MR KIRBY: What I’m saying, Brad, is that as a cultural assessment of the State Department as an institution that we have a lax culture here, we don’t share that assessment. And as the director said himself, that’s not – wasn’t part of their investigation or the findings and recommendations that they made inside that investigation.

QUESTION: Well, but so it’s not – it’s true that it was not the scope of their investigation, but in looking at her emails and the number of officials that were emailing here about classified information, that’s where they came to the determination that there was a lax culture. So I mean, I guess you would have to look at every single employee and see what their treatment of email to determine that it’s a lax culture, but clearly, the FBI found enough – Secretary Clinton’s intent or whatever notwithstanding, that generally that there were a lot of officials and that they came across in the scope of this investigation which led them to believe that the culture is not taken as seriously as it could be.

MR KIRBY: Well, I’ll let the FBI director speak to their findings and recommendations and his investigation, as he should. The question was do I share, do we share, the assessment of the culture at the – of the – at the institution of the State Department to be lax, and we do not share that assessment. We take it very seriously here.

 


QUESTION: So you think – well, clearly, he found it in the previous administration, in the previous term. So are you saying that maybe that there was a lax culture that doesn’t exist anymore?

MR KIRBY: No, I’m not saying that. I’m not saying that at all, Elise. I’m not parsing words here. I’m saying that the State Department has in the past and does today take the treatment of classified information very seriously. And when we —

QUESTION: So it was just some bad apples?

MR KIRBY: And when we have – pardon?

QUESTION: So it was just a few people that did not take enough care?

MR KIRBY: I’m not going to speak to any more specifically about the findings and recommendations that the FBI made and announced today. What I can tell is we don’t share the broad assessment that there is a lax culture here at the State Department when it comes to dealing with classified information. In fact, quite the contrary; we take it very seriously.

QUESTION: I have one more. I have one more. Can you – the FBI director said that had some of these people still been in office that they would have been subject or could have been subject to administrative penalties. Is anybody that’s currently employed by the State Department going to have any notes in their files as a result of anything that their emails uncovered in terms of their communications?

And then also, some of the previous employees that worked for Secretary Clinton that were found to have exchanged what is now believed to be classified information, are they going to have kind of posthumous notes put in their file should they ever seek to be employed by the U.S. Government again? And does the State Department do that or does the FBI do that, and is that through OPM? Like what’s the process there?

MR KIRBY: So let me answer it this way, and I think I alluded to this at the top. We’re going to determine the appropriate next steps following a decision by the Department of Justice, and that’s where this really lays right now. We have – as you know and I’ve said, we have an administrative process to evaluate cases where information may have been mishandled, and as I’ve said previously, at the request of the FBI, we didn’t move forward with that process so as not to interfere with their investigation. We also don’t believe that it’s appropriate at this time, given that there are – that the matter is now before the Department of Justice to determine their next step, to make decisions or not to make decisions – we don’t think it’s appropriate for us to move forward on that at this time. So I just don’t have an update for you on the – on any possible timing or scope of that review process.

QUESTION: So what would be the – so once the Department of Justice makes their recommendation, then you would determine what administrative processes you want to move forward with?

MR KIRBY: I think we need to wait to see what the Justice Department decides to do now in the wake of the FBI investigation before we move forward one way or the other, and we want to allow the proper time and space for that before we decide anything further with respect to those issues.

QUESTION: Kirby, a couple of detailed questions on this, and if you don’t have the answers, if you could undertake to take them. As has been explained to me, there are two separate processes that can be undertaken here. One of them is an administrative process and the other is a security clearance-related process.

As has been explained to me, but I’d like to confirm, the administrative process governs solely people who are currently employed by the Department of State. So can you confirm that that’s the case, that administrative processes or sanctions don’t apply to people who are no longer employed by State?

Second, as it’s been explained to me, it is possible for people who are no longer employed at State but who retain a security clearance to be subject to a security clearance process and perhaps sanction. Is that your understanding as well?

And then a couple of other specific things. Are any – is – does Secretary – former Secretary Clinton or any of her senior aides – specifically Cheryl Mills, Jake Sullivan, and Huma Abedin – continue to have security clearances provided by the State Department? And if so, is it theoretically possible that you would then review those security clearances in the light of whatever is ultimately the Justice Department prosecutorial decision and the FBI’s investigative material?

MR KIRBY: There’s an awful lot there. Let me see if I can dissect it. I’m certainly not going to get ahead of what is still an ongoing process now at the Justice Department, or speculate one way or the other about which way this will go. I don’t know – I’m happy to ask the question, your question about administrative processes. I don’t know if there is a technical definition for “administrative” and whether that applies in broad scope to only current employees or former employees. I’ll have to take that.

On the security clearance process or review, all I can tell you generally speaking is that – is that if there is a need – and I’m speaking broadly, not to this – that – the way it typically works, as I understand it, is that the department that issues a security clearance, if there is – if it’s determined that that clearance needs to be reviewed for whatever reason, it’s up to that – it’s up to the department that issued it to review it regardless of whether the employee is still at the – is still employed by the agency. The agency has that responsibility unless, of course, that employee went to a different federal agency and then got it renewed there. Does that make sense?

I’m not going to speculate one way or another about the degree to which this is – this is even a part of it. The FBI director was very careful; I’m going to be very careful. These are now decisions that have to be discussed. The findings and recommendations now have to be absorbed by the Department of Justice, and then they make – they’ll make decisions or not going forward.

And then on your last question, about the individuals, we do not discuss the security clearance of individuals as a matter of policy. We just don’t discuss it.

QUESTION: In – but these are former officials.

MR KIRBY: We don’t – we do not discuss.

QUESTION: And one of them, Jake Sullivan, in the transcript of his deposition in the civil lawsuit in which he was deposed as part of discovery, his lawyer said that his security clearance was restored so that he would have the ability to look at some of the material that was classified that they wanted to talk to him about. And so it’s at least in the public domain in that one instance, according to his lawyer, that he had, as of that date about a week ago, a security clearance.

MR KIRBY: Yeah.

QUESTION: Why can’t you talk about whether former officials have security clearances?

MR KIRBY: Because that’s our policy.

QUESTION: You don’t want —

MR KIRBY: And it’s been longstanding policy. We do not discuss the security clearance levels or access of individuals, current or former. We just don’t – that’s our policy and I’m not going to violate that.

QUESTION: It’s a State Department policy or a government-wide policy?

MR KIRBY: I know it’s at least a State Department policy, Elise. I’ll find out if it goes beyond that. I’m not going to —

QUESTION: Because certainly there have been instances, whether it’s General Petraeus or Sandy Berger or others, that when there was punitive action taken, they did discuss the security clearance.

MR KIRBY: I’m not going to discuss the individual security clearances from this podium – just not going to do it. And if there’s – I’d refer you to the individuals in question and if they’re represented by others to speak to that, but I won’t do that.

QUESTION: Just one more on the question of lax – laxity. You state that you disagree with the assessment that the State Department is lax, has a culture of being lax in the protection of classified information. Why is it that the highest State Department official was allowed to establish and use a private email server with, as I understand it, no government-provided security for emails that contain information that, as the FBI director said this morning, some of which was classified at the time it was sent and received? I mean, if it’s not lax, how can the top official of the department go off and set up their own system that isn’t subject to the normal procedures here?

MR KIRBY: Look, I’m not going to re-litigate the investigation. As I said, I’m not going to speak to the findings and recommendations – the FBI director spoke to that earlier today – and to what they found in terms of the practices back then and how those practices were followed. What I’ll just tell you – broadly speaking, we don’t share the assessment that as an institution – an entire institution – that the State Department has in the past or does today take lightly the issue of sensitive and classified information. We absolutely don’t.

QUESTION: What’s your basis for that?

QUESTION: The reason I asked it is that you look at, as I understand it, kind of every level of potential check or balance here, right? The assistant secretaries for DS, the under secretary for management – according to the inspector general’s report, these people were not asked and did not voice an opinion on the use of this system. The person on the seventh floor who was charged with these kinds of issues, at least according to the report, told people – told two people not to talk to anybody about it. So even if the quibble is with the word “laxity,” do you feel that your systems were sufficient to safeguard classified information sent by or to the secretary of state?

MR KIRBY: Again, I think the FBI director addressed that as well as part of their investigation. I am simply not going to discuss or comment on their findings and recommendations with respect to this case.

QUESTION: Well, I mean —

MR KIRBY: This issue – wait a second, Elise. Wait, wait – and to your question. And as he said himself, his assessment of the State Department’s culture was not part of this investigation, and that’s why I’m comfortable addressing that, that on – as a whole, in the main, we absolutely do not share the broad assessment that the entire culture here at the State Department is lax when it comes to protecting sensitive and classified information.

And what I’m basing that on, Brad, is the longstanding – and I don’t just mean recently – the longstanding training and indoctrination that one goes through before you get employed here and the periodic reviews of the training and sensitive information handling that you have to go through all the time. I’ve been here a little bit more than a year; I’ve already had to go through it several times myself. That you – we have two networks for email traffic that are deliberately set up to handle various degrees of sensitive information, and that the work of diplomats all around the world is by its very nature is sensitive, but it’s also outward-facing, and has to be. And there is a role here at the State Department to be communicative, to have dialogue, to foster communication. That’s a big part of who we are. And I can – and I can tell you that everybody involved in that understands the risks and the opportunities of it, and takes it very seriously.

QUESTION: Well —

MR KIRBY: So to say that the culture here —

QUESTION: Yeah.

MR KIRBY: — is lax, that’s a pretty broad brush, and again, we wouldn’t use it; we don’t believe it.

QUESTION: The problem is this indoctrination that you speak of obviously didn’t work when it came to the past secretary, or the hundred or so officials who all contacted her during the course of her tenure, or the dozens of officials who would have known that she wasn’t using a state.gov address or would have known that information that was at least on the borderline was going to a nongovernment account. So that failed across the board, right?

MR KIRBY: I’m not going to make a qualitative assessment.

QUESTION: The IG report said as much.

MR KIRBY: The IG spoke as well to this. I’m not going to talk about the findings and recommendations of this investigation.

QUESTION: Well —

QUESTION: And —

MR KIRBY: But this was – there is a difference, Brad, between an assessment of email practices under Secretary Clinton’s tenure and how they were implemented and saying that the culture here at the State Department is lax.

QUESTION: Okay, well, what —

QUESTION: Yeah, but – no, no, no, hold on. But – sorry, you can’t separate the head of the agency and everybody who worked around her at a senior level in this agency and say —

MR KIRBY: Right, and I’m not trying to.

QUESTION: Well, you —

QUESTION: — well, there were somebody out there who was following the rules, so the culture was okay.

MR KIRBY: It’s more than somebody, Brad.

QUESTION: Well —

QUESTION: Well, I don’t know. Show me an IG report that shows all the adherence.

QUESTION: Let me —

QUESTION: And secondly, you’re making this case about how the State Department was an – is an outward-looking agency.

MR KIRBY: Yeah.

QUESTION: None of these emails from Secretary Clinton were outward-focused. They were all about internal messaging, they were all about her and her aides consulting on matters —

MR KIRBY: Sure.

QUESTION: — that weren’t meant for public consumption, and there’s even messages about not wanting things out for public consumption. So I fail to see how that’s an argument that shows why somehow this is distinct or excusable.

MR KIRBY: It’s a valid argument when you’re talking about the entire institution, Brad, and not an individual inside it, regardless of whatever level that individual serves, to make a broad assessment – and look, I don’t – I don’t – I’m not going to – I think I’ve said it plenty of times already – to make a broad assessment of the entire institution, that it was lax or that we don’t care or we don’t take it seriously. We don’t share it.

Now, look, as I also said, we’re always looking for ways to improve. And if there’s ways we can learn from this particular investigation to improve, then we’ll do that.

QUESTION: So, John – okay. So I think it’s pretty clear what you’re taking issue with is that you’re – you’re interpreting the FBI director’s comments to mean a culture throughout the whole State Department apparatus. And I think his – what he’s trying to say is based on – and they did not – the scope of their investigation was not the whole State Department; it was Secretary Clinton and the immediate staff and several other dozen officials that were emailing her – that there was a lax culture among a subset of State Department officials. That – I don’t think he’s making an indictment on the whole State Department, but he is saying that there was a culture inside the State Department where the security was lax. I mean, the fact that this took place kind of indicates that it was.

And he does also say that this use of a personal email domain was known by a large number of people and readily apparent. So there were numerous people inside the State Department that knew that she was using this type of system. So how can you not – if you don’t want to acknowledge that there was a lax culture in the whole kind of State Department bureaucracy, can you not acknowledge that among a subset of employees at the time that there was a lax – a culture of lax security among that subset?

MR KIRBY: Well, I’ll let the investigation speak for itself and the FBI director to speak for it.

QUESTION: But by you kind of parsing out and saying that this – let me finish – that by you parsing out and saying that the whole building doesn’t have a lax security problem suggests that you’re dismissing that a small portion did.

MR KIRBY: I was not suggesting any such thing, Elise. As I said, we cooperated with the FBI on its investigation. I can’t talk about the scope of that cooperation. I’m not going to, again, address the specific findings and recommendations that he made. And the director has spoken for their investigative work, and I would refer you to him and to his staff to speak to it going forward. And I don’t have his exact quote, so I can’t tell you if I’ve misinterpreted or not. I mean, he can speak for himself in terms of what he meant. The way we interpreted it was that it was a broad-brush assessment of the culture here at the State Department when it came to —

QUESTION: Do you not – do you not agree that a group of people, however large it was, that knew about this system and let it kind of – greenlighted it and let it go forward and didn’t ask questions about it suggests that security – and a culture of security was lax somewhere in the —

MR KIRBY: Look, our inspector general himself found that there were lapses and that not all appropriate practices were conducted. I mean, nobody’s taking issue with that. What I’m taking issue with – and the only thing I’m taking issue with today, because I’m not going to comment, as I said, on the specifics – the only thing I’m taking issue with is an assessment, a broad assessment, of the culture of the institution, which we do not share.

QUESTION: Can I follow up on this?

QUESTION: Something else from today: The director of the FBI said that the FBI had found over a hundred emails that contained classified information at the time that they were sent or received, and some were even actually marked classified. So that contradicts what the State Department has been saying throughout this investigation, so how do you square the two?

MR KIRBY: As I said, I’m not going to comment on the specific findings and recommendations of the investigation.

QUESTION: John —

QUESTION: One follow-up —

QUESTION: Would you, though, at least acknowledge that —

MR KIRBY: Hang on a second. Hang on.

QUESTION: Something else that he said in his comment – he said that the 110 emails had been determined by the owning agency to contain classified information. So do you now acknowledge that it is the owning agency’s responsibility, not the recipient’s or even necessarily the State Department, in determining what information is classified and what’s not?

MR KIRBY: Again, what I would tell you is we cooperated fully with the FBI on this and I’m not going to comment specifically on the findings of the investigation. As much as I know you’d like me to, I’m not going to do that. There is now – there is a process here in place where the Department of Justice is going to take a look at this. We’re going to let that process play out, as we should, and we’ll await any pending decisions by the Department of Justice before the State Department moves forward one way or another.

QUESTION: John, how do you stand up —

QUESTION: What about the possibility that people hostile to the U.S. had possibly gained access to —

MR KIRBY: I’m sorry?

QUESTION: What about the possibility that states or entities hostile to the U.S. had possibly gained access to some of the content of those emails? Do you share those concerns that the FBI director said today?

MR KIRBY: Well, again, we, of course, take the security of our systems very, very seriously, and we’re always concerned about intrusions into our system. I think the director also said that they didn’t find any direct evidence that the system was compromised, but I don’t have additional details to offer today.

QUESTION: But he also said that you couldn’t be sure and that – and it’s possible that they did so and you don’t even know about it.

MR KIRBY: Again, we’re always concerned about this. And look, federal government systems get attacked every day. I just don’t have any additional details on this.

QUESTION: Oh, you’re not – you’re not suggesting that because government systems are hacked that there was enough security in place that would replace —

MR KIRBY: I’m not —

QUESTION: — that would be equal to the government security? The FBI director specifically said that it was not as secure as a government system or even a Gmail account.

MR KIRBY: Again, I’m not going to discuss or debate the findings or the recommendations.

QUESTION: But you were the one that raised it. You said government computers get – or government systems get hacked all the time.

MR KIRBY: It doesn’t mean we don’t take it seriously, Elise.

QUESTION: Hey, John, just – can I —

MR KIRBY: Carol.

QUESTION: John, do you – I believe the FBI director made a point of saying that you were lax in comparison to elsewhere within government. Do you believe that you stand up equally to other agencies in the government, including national security agencies like the FBI and the CIA, the White House, and the Pentagon? Do you think you are equal to them?

MR KIRBY: I think – look, first of all, that everybody has a – everybody in the federal government has standard rules that crosscut agencies in terms of how sensitive and classified information is treated and dealt with. We all have the same basic rules. But each federal agency also has a fundamental different purpose and each of the major federal agencies has to, by dint of their purpose, look at the world in different ways.

As I said to Brad, we are required – not just that we like it – we’re required to be outward-facing, we’re required to communicate, we’re required to foster dialogue, we’re required to have conversations with foreign leaders and in foreign countries all around the world every single day. Now, that doesn’t obviate, doesn’t excuse, it doesn’t mean that we’re not also responsible in the conduct of that business to protect sensitive information. We have to. But the State Department, unique to many – unique, I think, among federal agencies, has an actual obligation to communicate.

So that’s why I’m confident in saying that – look, do we always get it right? No. Have we admitted that there were things we could have done better in the past? Absolutely. The IG found that. The Secretary himself has taken steps to try to improve records management here. But we have an obligation to communicate, and you have to find the right balance between the need to do that – to foster dialogue, to try to gain better understanding of what somebody else thinks and articulate your policy, at the same time protecting sensitive information. So we have a different role. I don’t think it’s useful to compare each and every federal agency with the way they do this because each of them have different responsibilities in terms of the information environment. But again, I’m not at all excusing anything in terms of our responsibilities – our baseline responsibilities, which every federal agency has – to protect classified and sensitive information.

QUESTION: Hey, Kirby.

MR KIRBY: Yeah.

QUESTION: According to a letter dated February 18th, 2016, from Julia Frifield, the assistant secretary for legislative affairs, to Chairman Grassley, the letter explicitly discloses that Cheryl Mills did maintain a top-secret – well, did maintain a security clearance because, pursuant to Section 4.4 of Executive Order 13526, she was designated by former Secretary Clinton to assist her in research consistent with that section of the executive order. So you do disclose – you do talk about security clearances, at least in this one instance, with regard to Ms. Mills.

MR KIRBY: That’s a – that – you’re talking about a piece of correspondence between the head of legislative affairs here and a senator. That’s different than public disclosure, certainly different than disclosure and talking about it here from the podium. As I said, our policy is not to discuss it, and I’m not going to change the policy here today.

QUESTION: Even though you’ve told lawmakers about it?

MR KIRBY: That is not the same as having a public discussion of security clearance. That’s a vastly different thing.

QUESTION: Is it – that wasn’t a classified letter.

MR KIRBY: Just because something’s not classified doesn’t mean that it’s —

QUESTION: Well, we know that.

MR KIRBY: — that it’s okay to discuss here at the podium, Brad.

QUESTION: I know.

MR KIRBY: I mean, look, the – I’m not going to violate —

QUESTION: We know that classified isn’t the marker for you to —

MR KIRBY: I’m not going to violate the policy today.

 

JW v. @StateDept: Huma Abedin’s Testimony (Transcript)

Posted: 3:47 am ET

 

Judicial Watch has released the transcript of Huma Abedin’s deposition in connection with the group’s FOIA litigation.

If you want to read the transcript, it is available below or read the original post here (PDF).

 

#

DHS Proposes Collection of Social Media Identifier For U.S. Visitors

Posted: 2:20 am ET

Via the Federal Register:

On December 18, 2015, the President signed into law the Visa Waiver Program Improvement and Terrorist Travel Prevention Act of 2015 as part of the Consolidated Appropriations Act of 2016. To meet the requirements of this new Act, DHS strengthened the security of the VWP by enhancing the ESTA application and Form I-94W. In two recent emergency submissions under the Paperwork Reduction Act, additional questions were added to ESTA and to Form I-94W that request information from applicants about countries to which they have traveled on or after March 1, 2011; countries of which they are citizens/nationals; countries for which they hold passports; and Global Entry Numbers.

DHS proposes to add the following question to ESTA and to Form I-94W:

“Please enter information associated with your online presence—Provider/Platform—Social media identifier.” It will be an optional data field to request social media identifiers to be used for vetting purposes, as well as applicant contact information. Collecting social media data will enhance the existing investigative process and provide DHS greater clarity and visibility to possible nefarious activity and connections by providing an additional tool set which analysts and investigators may use to better analyze and investigate the case.

The information collection is optional under the proposed rule. DHS estimates that there will be over 32 million travelers who will be Electronic System for Travel Authorization (ESTA) respondents and nonimmigrant visa respondents entering the United States and filling out the I-94 Arrival and Departure forms.

The questions we have are 1) Will the baddies be dumb enough to provide their social media identifiers if they have nefarious intent during their travels? 2) Does DHS have a system that combs through this huge haystack to find a few needles?

#

An American Diplomat in Poland With His Red “Baby”, a Fiat 126 From the 70’s

Posted: 1:32 am ET

Below is a video from U.S. Embassy Warsaw featuring one of our consular officers driving around Poland in his Maluch, a Fiat 126 which was introduced at the Turin Auto show in 1972. The car was manufactured in Poland until 2000 and was exported to many Eastern bloc countries. In Poland, it is called Maluch, which means “small one”, baby or toddler. It is known as kispolszki (“little Polish”) in Hungary, Bolha (“flea”) in Slovenia, Bambino in Germany, “Polaquito” in Cuba and Peglica (“little iron”) in Serbia.

This guy’s a natural, hey!  The video has walk on parts by other embassy employees, as well as the Ambassador to Poland Paul Jones. We don’t speak Polish but it looks like he’s having fun explaining why he loves his red “baby.” Apparently the Poles love him–the video is all over the local news outlets.  Already interviewed on the morning news, sounds like his language skills are also impressive.  Luv the matching jacket, Dan!

 

#

 

 

JW v. @StateDept: IT Server Mystery Man Bryan Pagliano Pleads the Fifth (Transcript)

Posted: 1:28 am ET

See the transcript below or read it here (PDF).

 

#

 

New Directive: Social Media Info Collection For Security Clearance Background Investigations

Posted: 1:37 am ET

 

On May 12, 2016, the Director of National Intelligence (DNI) authorized the use of social media by official investigators who are conducting background investigations for security clearances.

The directive addresses the collection and use of publicly available social media information during the conduct of personnel security background investigations and adjudications for determining initial or continued eligibility for access to classified national security information or eligibility to hold a sensitive position and the retention of such information. This affects prospective hires and all employees who are subjects of periodic investigations.

The policy says that agencies “may choose to collect publicly available social media information in the personnel security background investigation process, which pertains to the covered individual’s associations, behavior and conduct, as long as the information pertains to the adjudicative guidelines for making determinations of initial or continued eligibility for access to classified information or eligibility to hold a sensitive position.”

  • Authorized investigative agencies may collect, use, and retain publicly available social media information as part of a covered individual’s background investigation and, if collected, shall incorporate the relevant results in the investigative record. The period of coverage for publicly available electronic information will be consistent with the scope of the investigation.
  • Authorized adjudicative agencies may use and retain publicly available social media information when determining initial or continued eligibility of a covered individual for access to classified information or eligibility to hold a sensitive position.
  • Collection of publicly available social media information shall only be conducted after obtaining the signed Authorization for Release of information form of the Standard Form 86, Questionnaire for National Security Positions, which includes notice of the collection of such information.
  • Only publicly available social media information pertaining to the covered individual under investigation shall intentionally be collected. Absent a national security concern, or criminal reporting requirement, information pertaining to individuals other than the covered individual will not be investigated or pursued. Information inadvertently collected relating to other individuals will not be retained unless that information is relevant to a security determination or the covered individual.

The directive says that covered individuals “shall not be requested or required” to provide passwords, log into a private account, or take any action that would disclose non-publicly available social media information. Agencies are also precluded from creating accounts or using existing accounts on social media for the purpose of connecting (e.g., “friend”, “follow”) to a covered individual, or enlisting the assistance of a third party in order to bypass privacy controls and/or access otherwise non-publicly available social media information.

Read more below or see Collection, Use, and Retention of Publicly Available Social Media Information in Personnel Security Background Investigations and Adjudications, Security Executive Agent Directive 5, May 12, 2016.

Via FAS/Secrecy News:

 

#