State Dept’s Wibbly Wobbly Jello Stance on Use of Private Email, Also Gummy Jello on Prostitution

Posted: 1:38 am EDT

 

We’ve added to our timeline of the Clinton Email saga (see Clinton Email Controversy Needs Its Own Cable Channel, For Now, a Timeline).

On August 24, 2015, State Dept. Spokesman John Kirby told CNN:  “At The Time, When She Was Secretary Of State, There Was No Prohibition To Her Use Of A Private Email.” Below is the video clip with Mr. Kirby.

Okay, then. Would somebody please get the State Department to sort something out? If there was no prohibition on then Secretary Clinton’s use of a private email, why, oh, why did the OIG inspectors ding the then ambassador to Kenya, Scott Gration, for using commercial email back in 2012? (See OIG inspection of US Embassy Kenya, 2012).


Oh, and here’s a more recent one dated August 25, 2015. The OIG inspection of U.S. Embassy Japan (pdf) says this:

In the course of its inspection, OIG received reports concerning embassy staff use of private email accounts to conduct official business. On the basis of these reports, OIG’s Office of Evaluations and Special Projects conducted a review and confirmed that senior embassy staff, including the Ambassador, used personal email accounts to send and receive messages containing official business. In addition, OIG identified instances where emails labeled Sensitive but Unclassified [6] were sent from, or received by, personal email accounts.

OIG has previously reported on the risks associated with using commercial email for official Government business. Such risks include data loss, hacking, phishing, and spoofing of email accounts, as well as inadequate protections for personally identifiable information. Department policy is that employees generally should not use private email accounts (for example, Gmail, AOL, Yahoo, and so forth) for official business. [7] Employees are also expected to use approved, secure methods to transmit Sensitive but Unclassified information when available and practical. [8]

The OIG report referenced two cables, 11 STATE 65111 and 14 STATE 128030 (we’ve inserted hyperlinks to the copies publicly available online), and 12 FAM 544.3, which has been in the rule book since at least 2005:

12 FAM 544.3 Electronic Transmission Via the Internet  (updated November 4, 2005)

“It is the Department’s general policy that normal day-to-day operations be conducted on an authorized [Automated Information System], which has the proper level of security control to provide nonrepudiation, authentication and encryption, to ensure confidentiality, integrity, and availability of the resident information.”

This section of the FAM was put together by the Office of Information Security (DS/SI/IS) under the Bureau of Diplomatic Security, one of the multiple bureaus that report to the Under Secretary for Management.

Either the somebodies were asleep at the switch, as the cliché goes, or somebody at the State Department gave authorization to the Clinton private server as an Automated Information System.

In any case, the State Department’s stance on the application of regulations on the use of private and/or commercial email is not wobbly jello on just this one subject or in just this one instance.


On October 16, 2014, State/OIG released its Review of Selected Internal Investigations Conducted by the Bureau of Diplomatic Security. This review arose out of a 2012 OIG inspection of the Department of State (Department) Bureau of Diplomatic Security (DS). At that time, OIG inspectors were informed of allegations of undue influence and favoritism related to the handling of a number of internal investigations by the DS internal investigations unit. The allegations initially related to eight, high-profile, internal investigations. (See State/OIG Releases Investigation on CBS News Allegations: Prostitution as “Management Issues” Unless It’s Not; CBS News: Possible State Dept Cover-Ups on Sex, Drugs, Hookers — Why the “Missing Firewall” Was a Big Deal).

One of those eight cases relates to an allegation of soliciting a prostitute.

The Foreign Affairs Manual (FAM) provides that disciplinary action may be taken against persons who engage in behavior, such as soliciting prostitutes, that would cause the U.S. Government to be held in opprobrium were it to become public. [1]

In May 2011, DS was alerted to suspicions by the security staff at a U.S. embassy that the U.S. Ambassador solicited a prostitute in a public park near the embassy. DS assigned an agent from its internal investigations unit to conduct a preliminary inquiry. However, 2 days later, the agent was directed to stop further inquiry because of a decision by senior Department officials to treat the matter as a “management issue.” The Ambassador was recalled to Washington and, in June 2011, met with the Under Secretary of State for Management and the then Chief of Staff and Counselor to the Secretary of State. At the meeting, the Ambassador denied the allegations and was then permitted to return to post. The Department took no further action affecting the Ambassador.

OIG found that, based on the limited evidence collected by DS, the suspected misconduct by the Ambassador was not substantiated. DS management told OIG, in 2013, that the preliminary inquiry was appropriately halted because no further investigation was possible. OIG concluded, however, that additional evidence, confirming or refuting the suspected misconduct, could have been collected. For example, before the preliminary inquiry was halted, only one of multiple potential witnesses on the embassy’s security staff had been interviewed. Additionally, DS never interviewed the Ambassador and did not follow its usual investigative protocol of assigning an investigative case number to the matter or opening and keeping investigative case files.

Department officials offered different justifications for handling the matter as a “management issue,” and they did not create or retain any record to justify their handling of it in that manner. In addition, OIG did not discover any guidance on what factors should be considered, or processes should be followed, in making a “management issue” determination, nor did OIG discover any records documenting management’s handling of the matter once the determination was made.

The Under Secretary of State for Management told OIG that he decided to handle the suspected incident as a “management issue” based on a disciplinary provision in the FAM that he had employed on prior occasions to address allegations of misconduct by Chiefs of Mission. The provision, applicable to Chiefs of Mission and other senior officials, states that when “exceptional circumstances” exist, the Under Secretary need not refer the suspected misconduct to OIG or DS for further investigation (as is otherwise required). [2] In this instance, the Under Secretary cited as “exceptional circumstances” the fact that the Ambassador worked overseas. [3]

DS managers told OIG that they viewed the Ambassador’s suspected misconduct as a “management issue” based on another FAM disciplinary provision applicable to lower-ranking employees. The provision permits treating misconduct allegations as a “management issue” when they are “relatively minor.” [4] DS managers told OIG that they considered the allegations “relatively minor” and not involving criminal violations.

Office of the Legal Adviser staff told OIG that the FAM’s disciplinary provisions do not apply to Ambassadors who, as in this instance, are political appointees and are not members of the Foreign Service or the Civil Service. [5]

OIG questions the differing justifications offered and recommends that the Department promulgate clear and consistent protocols and procedures for the handling of allegations involving misconduct by Chiefs of Mission and other senior officials. Doing so should minimize the risk of (1) actual or perceived undue influence and favoritism and (2) disparate treatment between higher and lower-ranking officials suspected of misconduct. [6] In addition, OIG concludes that the Under Secretary’s application of the “exceptional circumstances” provision to remove matters from DS and OIG review could impair OIG’s independence and unduly limit DS’s and OIG’s abilities to investigate alleged misconduct by Chiefs of Mission and other senior Department officials.

In the SBU report provided to Congress and the Department, OIG cited an additional factor considered by the Under Secretary—namely, that the Ambassador’s suspected misconduct (solicitation of prostitution) was not a crime in the host country. However, after the SBU report was issued, the Under Secretary advised OIG that that factor did not affect his decision to treat the matter as a “management issue” and that he cited it in a different context. This does not change any of OIG’s findings or conclusions in this matter. 

After the SBU report was issued, the Under Secretary of State for Management advised OIG that he disagrees with the Office of the Legal Adviser interpretation, citing the provisions in the Foreign Service Act of 1980 which designate Chiefs of Mission appointed by the President as members of the Foreign Service. See Foreign Service Act of 1980, §§ 103(1) & 302(a)(1) (22 USC §§ 3903(1) & 3942(a)(1)). 

During the course of that review, State/OIG said it discovered some evidence of disparity in DS’s handling of allegations involving prostitution. Between 2009 and 2011, DS investigated 13 prostitution-related cases involving lower-ranking officials.

The OIG, apparently, found no evidence that any of those inquiries were halted and treated as “management issues.”

Also, have you heard?  Apparently, DEA now has an updated “etiquette” training for its agents overseas.

That’s all.

Is there a diplomatic way to request that the responsible folks at the State Department culture some real backbone in a petri-dish?

No, no, not jello backbone, please!

#


Rabbit Hole News: State Dept’s Private Email Usage Policy, Plus Attn: State/OIG – Firecracker Coming Your Way

Posted: 01:47 EST
Updated: 11:19 EST
Updated 15:14 EST

 

Shortly after the NYT broke the story about the former secretary of state’s exclusive use of a personal email account to conduct government business, we sent an inquiry to the State Department’s Office of Inspector General. We don’t know if they could comment about it but we wanted to ask anyway. We’ve looked at the regs but the FAM is silent on the use of private email, or at least we thought it was. It almost seems as if the rule makers presumed that all employees will be using official email; thus, the rules only spell out the requirement for the preservation of records.

If Secretary Clinton was using a private email account and if her close advisers were also using private email accounts, we wanted to know how this is reconciled with the ability of individuals to FOIA government documents. We were also interested in how this would keep other senior or even regular employees from using Yahoo or Gmail to conduct official business.

State/OIG’s response was, “we are not in a position to comment at this time.”

Actually, we asked the wrong questions.

In 2012, we blogged about the OIG inspection report of the U.S. Embassy in Kenya. (See State/OIG Releases Ambassador Scott Gration’s Embassy Report Card – And Look, No Redactions!). We mentioned in passing the ambassador’s use of commercial email for official government business. In light of these news reports that Secretary Clinton exclusively used nongovernment email during her four year tenure as secretary of state, the old 2012 report is getting some legs again.

 

Below is an excerpt from that 2012 report specifically addressing the ambassador’s use of commercial email for daily communication of official government business. The ambassador was also slammed for using “a government-owned laptop that is not physically or electronically connected to the Department’s OpenNet network.”  

Mission Leadership Challenge 

Very soon after the Ambassador’s arrival in May 2011, he broadcast his lack of confidence in the information management staff. Because the information management office could not change the Department’s policy for handling Sensitive But Unclassified material, he assumed charge of the mission’s information management operations. He ordered a commercial Internet connection installed in his embassy office bathroom so he could work there on a laptop not connected to the Department email system. He drafted and distributed a mission policy authorizing himself and other mission personnel to use commercial email for daily communication of official government business. During the inspection, the Ambassador continued to use commercial email for official government business. The Department email system provides automatic security, record-keeping, and backup functions as required. The Ambassador’s requirements for use of commercial email in the office and his flouting of direct instructions to adhere to Department policy have placed the information management staff in a conundrum: balancing the desire to be responsive to their mission leader and the need to adhere to Department regulations and government information security standards. The Ambassador compounded the problem on several occasions by publicly berating members of the staff, attacking them personally, loudly questioning their competence, and threatening career-ending disciplinary actions. These actions have sapped the resources and morale of a busy and understaffed information management staff as it supports the largest embassy in sub-Saharan Africa.

Authorized Automated Information Systems 

The Ambassador uses a government-owned laptop that is not physically or electronically connected to the Department’s OpenNet network. Authorized Department OpenNet email systems are available on the Ambassador’s office desktop. According to 12 FAM 544.3 and 11 State 73417 (from the Assistant Secretary for Diplomatic Security to the Ambassador), it is the Department’s general policy that normal day-to-day operations be conducted on an authorized information system, which has the proper level of security controls. The use of unauthorized information systems increases the risk for data loss, phishing, and spoofing of email accounts, as well as inadequate protections for personally identifiable information. The use of unauthorized information systems can also result in the loss of official public records as these systems do not have approved record preservation or backup functions. Conducting official business on non-Department automated information systems must be limited to only maintaining communications during emergencies.

Recommendation 57: Embassy Nairobi should cease using commercial email to process Department information and use authorized Department automated information systems for conducting official business. (Action: Embassy Nairobi)

Source:  Inspection of Embassy Nairobi, Kenya | Report Number ISP-I-12-38A, August 2012 | pdf

 

We should point out that the 2012 report was issued prior to the tenure of IG Steve Linick, and Secretary Clinton’s tenure at the State Department ended in February 2013. But with 2016 just around the corner, this email debacle will not die a quiet death.

The unclassified cable STATE 065111 on securing email accounts, sent to all overseas posts on June 28, 2011, only says “avoid conducting official Department business from your personal email accounts.”

See the magic word there? It did not say you can’t, only that you shouldn’t.

So for the second day in a row, the subject of the Clinton emails was featured in the Daily Press Briefing. The State Department’s deputy spox, Marie Harf, was impressive when she said that “There was no prohibition” on the use of personal email. She emphasized that “There was not then and there is not now a prohibition on using a personal email for official business, and at the time she was in office, there was no time requirement for when those needed to be preserved as records.”

Entertainment value? High.

In any case, the question that we probably should have asked the OIG is this — if an ambassador was “hammered” for his use of nongovernment, private email, can we presume that ordinary bureaucrats would get a similar treatment? And if this is so — don’t we then have a set of rules that applied to everyone but the head of the agency?

We originally cited 5 FAM 440 (pdf) as the rules governing Electronic Records, Facsimile Records, and Electronic Mail Records in the State Department. But wait — the 2012 OIG report on Kenya cited 12 FAM 544.3 Electronic Transmission Via the Internet (pdf), a section of the FAM that has been in the rules books since 2005. It says in part:

It is the Department’s general policy that normal day-to-day operations be conducted on an authorized AIS [automated information system], which has the proper level of security control to provide nonrepudiation, authentication and encryption, to ensure confidentiality, integrity, and availability of the resident information. The Department’s authorized telework solution(s) are designed in a manner that meet these requirements and are not considered end points outside of the Department’s management control.
[…]
c. Employees should be aware that transmissions from the Department’s OpenNet to and from non-U.S. Government Internet addresses, and other .gov or .mil addresses, unless specifically directed through an approved secure means, traverse the Internet unencrypted. Therefore, employees must be cognizant of the sensitivity of the information and mandated security controls, and evaluate the possible security risks and then decide whether a more secure means of transmission is warranted (i.e., secure fax, mail or network, etc.)

d. In the absence of a Department-provided secure method, employees with a valid business need may transmit SBU information over the Internet unencrypted after carefully considering that:

(1) SBU information within the category in 12 FAM 541b(7)(a) and (b) must never be sent unencrypted via the Internet;

(2) Unencrypted information transmitted via the Internet is susceptible to access by unauthorized personnel;

(3) Email transmissions via the Internet generally consist of multipoint communications that are routed to their destination through the path of least resistance, which may include multiple foreign and U.S. controlled Internet service providers (ISP);

(4) Once resident on an ISP server, the SBU information remains until it is overwritten;

(5) Unencrypted email transmissions are subject to a risk of compromise of information confidentiality or integrity;

(6) SBU information resident on personally owned computers connected to the Internet is generally more susceptible to cyber attacks and/or compromise than information on government owned computers connected to the Internet;

(7) The Internet is globally accessed (i.e., there are no physical or traditional territorial boundaries). Transmissions through foreign ISPs or servers can magnify these risks; and

(8) Current technology can target specific email addresses or suffixes and content of unencrypted messages.

 

General policies, of course, can have exceptions, and if that’s what happened here, wouldn’t it be nice to know who was granted exceptions to use private email accounts besides the secretary of state, and why? And did the Legal Advisor or somebody else sign off on those exceptions? Was the clintonemail.com server an authorized AIS [automated information system] of the State Department, and if so, who authorized it?

We cannot predict where this email controversy is going to end, but some Internet sleuth is digging up Dubai, Denmark, Luxembourg in what seems to be an already convoluted matter.  If you read the link below there is an interesting question whether the Clinton e-mail server was hosted for some period of time by an outside hosting firm.  If the hosting firm was based overseas at an external location in Texas or elsewhere,  wouldn’t this be an added headache for cybersecurity and something the OIG’s new Office of Evaluations and Special Projects (ESP) might be interested in?


While the Inspector General of the State Department might not be in a position to comment about this issue publicly at this time, or might not want to wade into the rabbit hole with this political firecracker, it may not have much of a choice. Even our apolitical neighbors were dismayed by this. The perception that the rules may have been applied selectively, based on rank, undermines the Service. That in itself is an excellent excuse to review the entire practice and determine to what extent exceptions were made. The Republican National Committee has reportedly already asked the Office of Inspector General to look into whether Clinton’s practices led her or the department to violate the Federal Records Act.

It’s only a matter of time before there is a formal congressional request. Heads up State/OIG, this firecracker is heading your way.

* * *

Related post:
So wait — Hillary Clinton never got a state.gov email? What does the FAM say?

Related items:

State Department June 28, 2011 Unclassified Cable 065111 on Securing Email Accounts via (foxnews)

NARA Bulletin 2014-06 | September 15, 2014 – Guidance on Managing Email

NARA Bulletin 2013-03 | September 9, 2013 – Guidance for agency employees on the management of Federal records, including email accounts, and the protection of Federal records from unauthorized removal

NARA Bulletin 2011-03 | December 22, 2010 – Guidance Concerning the use of E-mail Archiving Applications to Store E-mail

OMB | Managing Government Records Directive requires that Federal agencies manage all their email electronically by December 31, 2016.