Colin Powell Is Done Talking About Hillary Clinton’s Emails, So Let’s Take A Trip Down @StateDept Tech Lane

Posted: 1:27 am ET

 

After making waves for saying “Her people have been trying to pin it on me,” former Secretary of State Colin Powell is done talking about former Secretary of State Hillary Clinton’s emails and is not commenting anymore on it.

For those too young to remember this: there was a time, not too long ago, when the State Department communicated via teletype machines (with paper tape), similar to the one below. You drafted your cables on a Wang computer, gave them to the local secretary to convert the document, and then she (almost always a she) ran it through the teletype machine for transmission to Main State and other diplomatic posts overseas. If I remember right, State had some creative IT folks who hooked up a DOS computer to the teletype machine so conversion was possible. You still had to print it out, and it still took a lot of trees.

Image via Open Tech School

 

When Colin Powell came to the State Department in 2001, the State Department was still using Wang machines similar to the one below. They were either stand-alone machines or were connected via a local area network and hooked up to a gigantic magnetic disc. If a post was lucky, it got one computer also hooked up for email. Otherwise, you had a Selectric typewriter and a weekly diplomatic pouch.

Via Pinterest

Here is retired FSO Peter Van Buren with a look at technology at State during the Powell era.

When the rest of the world was working on PCs and using then-modern software in their offices, State clung to an old, clunky mainframe system made by the now-defunct company WANG. WANG’s version of a word processor was only a basic text editor with no font or formatting tools. Spell check was an option many locations did not have installed. IBM had bid on a contract to move State to PCs in 1990, but was rejected in favor of a renewal of the WANG mainframes.
[…]
Until Powell demanded the change, internet at State was limited to stand-alone, dial up access that had to be procured locally. Offices had, if they were lucky, one stand alone PC off in the corner connected to a noisy modem. If you wanted to use it, you needed in most cases to stand in line and wait your turn.
[…]
The way I see it, there’s about a 99.9 percent probability that he discussed his signature accomplishment at State with her, and cited his own limited, almost experimental, use of an AOL email account, as an example of how to break down the technical, security, bureaucratic, and cultural barriers that still plague the State Department today.

Read in full below:

 

#

 

 


USAID/OIG Highlights Challenges to the Management and Administration of Foreign Assistance

Posted: 3:24 am ET

 

On March 15, the new USAID Inspector General Ann Calvaresi Barr went before the Subcommittee of the Senate Committee on Appropriations during its review of the FY2017 budget request and funding justification hearing for USAID. She told the subcommittee that in FY2016, OIG issued 698 financial and performance audits and reviews with more than 1,268 recommendations for improving foreign assistance programs.

These audits identified approximately $290 million in questioned costs and funds to be put to better use. OIG’s investigative work led to 10 arrests and 91 administrative actions such as suspensions, debarments, and terminations of employment. OIG also realized nearly $85 million in savings and recoveries in FY 2015 as a result of its investigations. In addition, OIG provided 270 fraud awareness briefings and training sessions for close to 8,600 attendees in 36 countries.

She talked about changes in the USAID OIG operations:

On the horizon are changes to improve OIG’s work to ensure it has a meaningful impact on the strategy, policy, and practice of U.S. foreign assistance. This includes building and maintaining a workforce equipped with the right guidance, skills, and resources to evaluate complex development programs, unravel sophisticated fraud schemes, and address new oversight requirements.
[….]
In addition to recruiting and developing top-notch staff, I am committed to making certain that OIG has the right internal policies, processes, and systems in place to meet the highest standards for reliable and meaningful oversight. The quality of our audit and investigative work must be beyond question.

Most importantly, she highlighted to Congress the many challenges to the management and administration of U.S. foreign assistance:

Work in nonpermissive environment:

Work in nonpermissive environments is a leading challenge for foreign assistance agencies. Programs in conflict-affected settings face greater risks than those operating in more stable environments. These risks typically include a more acute threat to the lives of U.S. Government and implementer personnel. In these settings, in addition to limited access to projects and threats to safety, USAID often confronts dishonest and opportunistic actors who look to prey upon the influx of foreign aid. In some cases, instability and weak institutions threaten both the immediate progress and long-term benefit of development efforts. Agency staff and implementing partners alike face severe constraints in monitoring the progress of development and humanitarian assistance activities in these settings. Shortfalls in these activities can lead to health and environmental hazards, such as those we observed in a camp for displaced persons in Iraq. They can also create conditions for pervasive fraud and diversion. OIG, for example, recently documented the large-scale substitution of basic hygiene and food items intended for displaced Syrians with substandard materials. In other cases, we have noted the diversion of humanitarian goods to terrorist groups, and uncovered a case in which a sub-implementer received funds for a range of humanitarian assistance activities that it never performed. Meanwhile, in Afghanistan we found that a lack of access to project sites constrained USAID’s ability to observe 74 percent of the projects it funded.

Unreliable data: collection, reporting and use

[T]he collection, use, and reporting of unreliable data in connection with development programs. OIG has identified poor data quality as a concern across a spectrum of USAID’s programs, irrespective of geographic location or functional area. Of 196 performance audit and survey reports OIG published from FY 2013 to FY 2015, about 4 in 10 identified problems with data quality or sufficiency. OIG has repeatedly identified errors and overstatements, gaps in data collection and reporting, and problems in the consistency with which underlying calculations are made. Recent OIG work on USAID’s Ebola response activities, for example, found that the Office of Foreign Disaster Assistance lacked adequate performance measures given the nature of the Ebola crisis. OIG identifies data quality problems in more traditional development programs as well, as indicated in recent reports on justice system reform efforts, activities under the Feed the Future Initiative, and education programs. Without reliable data that meaningfully speaks to program results, USAID cannot effectively manage its programs or plan new ones. Moreover, absent reliable information on program progress, policymakers are unable to make fully informed decisions on the course of U.S. foreign assistance.

Sustainability:

USAID’s long-term goal is to transfer ownership of its development initiatives so that the progress and results from its projects continue. To achieve this end, USAID is responsible for building sustainability into its plans and activities. Notwithstanding this aim, sustainability remains a major management challenge and OIG has often found that USAID planning for the end of projects has been inadequate. About a quarter of performance audit reports OIG issued from FY 2013 through FY 2015 contained recommendations to do more to ensure sustainability. In one case, we noted an HIV/AIDS project lacked a formal transition plan 3 years after the project began, threatening its continuation. In other cases, OIG has found that a lack of host country support, including the limited capacity of some USAID partners, reduced the likelihood that development goals could be realized and sustained. Recent OIG reports on programs in Afghanistan and Armenia, for example, noted that local partners lacked the ability to effectively support or continue USAID programs.

The capacity of host country governments and local implementers can indeed determine the success or failure of development efforts. In recognition of the need for technical capacity within host country systems, USAID’s Local Solutions Initiative aims to provide direct funding to host governments and to local private and nonprofit entities. Yet, USAID’s risk mitigation efforts in association with this initiative have not been consistent and this constitutes another significant management challenge for the agency as a result. OIG audit and investigative work over the years has provided evidence that agency and partner controls are unable to effectively safeguard funds in many of these cases. The U.S. Government has channeled a sizable share of assistance to Afghanistan and Pakistan through local systems, for example, but not always demonstrated sufficient accountability for these funds. In FY 2015, we issued a report on USAID’s controls over direct assistance in Afghanistan, identifying shortcomings in both its oversight and in how it communicated about employees’ responsibilities and the expectations placed upon Afghan implementers. In Pakistan, a direct assistance program to support municipal services in Khyber Pakhtunkhwa (KP) fell short in part because the mission failed to effectively work with the grantee, KP’s Planning and Development Department, which lacked adequate capacity to implement the program on its own.

Human resources management, decentralized IT and information security:

Two additional challenges facing USAID pertain to the management of its human resources and decentralized management of information technology (IT) and information security. Audit work last year continued to indicate that USAID faces a shortage of experienced, highly skilled personnel familiar with USAID guidelines, standards, and processes. Staff retained under the Development Leadership Initiative pointed to irrelevant training, poor support in preparation for overseas assignments, and being assigned roles that were less than those of other employees as problems facing a major hiring effort in recent years. We also found that staffing shortages have hampered program implementation and oversight in many locations where USAID operates.

On the IT front, OIG has noted the lack of an effective risk management program as well as a substantial number of open recommendations from prior IT-related audits. OIG deems this to indicate a significant deficiency in the security of USAID-wide information systems, including financial systems. An audit relating to the agency’s privacy program for information technology identified new weaknesses and risks related to potential noncompliance with major privacy laws, including the Privacy Act of 1974, as amended.

The full testimony is here (PDF).

 


 

#

State/OIG Issues Report on @StateDept IT Incident Response and Reporting Deficiencies

Posted: 2:03 am EDT

 

An independent accounting firm hired by State/OIG determined that the State Department’s IT incident response and reporting (IR&R) program was not operating effectively. Specifically, of the 25 cyber security incidents evaluated, Williams, Adley found that five were miscategorized, six were not remediated in a timely manner, one was not identified in a timely manner, one was missing incident information, four were not reported to the U.S. Computer Emergency Readiness Team (US-CERT) in a timely manner, and two were not reported to US-CERT as required.

The deficiencies in the IR&R program occurred primarily because of inadequate communication between the Bureau of Information Resource Management (IRM) and the Bureau of Diplomatic Security (DS) and inadequate management oversight that would ensure that personnel within the Department’s incident response team fully complied with prescribed categorization guidelines, reporting requirements, and remediation timelines.

Without an effective IR&R program, the Department may be unable to properly identify weaknesses, restore IT operations in a timely manner, and identify and respond to cyber security incidents, which could potentially lead to interruptions of critical operations and hinder the Department’s ability to achieve its core mission.
[…]
Williams, Adley determined that the Department’s IR&R program was not operating effectively for the months of September and October 2014. Specifically, Williams, Adley reviewed the Department’s handling of 25 cyber security incidents out of 303 incidents (CAT 1 to CAT 6) reported during the scope period to determine whether the Department complied with its information security policies and procedures.

Screen Shot

According to the audit, remediation of one denial of service attack took over 200 hours, remediation of four malicious code attacks took between 174 hours and 312 hours, and remediation of one probe attack took over 175 hours.
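The audit above graded each sampled incident on three points: whether it was categorized correctly, whether it was remediated on time, and whether it was reported to US-CERT on time (or at all). The script below is an added illustration of that kind of compliance check run over a handful of constructed incident records; it is not the auditor's or the Department's code, and the category keywords, reporting deadlines and 72-hour remediation target are assumed values for the example, not the Department's actual policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed deadline for reporting to US-CERT, in hours after detection,
# keyed by incident category. Illustrative values, not Department policy.
REPORT_DEADLINE_HOURS = {1: 1, 2: 2, 3: 1, 4: 168, 5: 720}

# Assumed remediation target; illustrative.
REMEDIATION_TARGET = timedelta(hours=72)

# Keywords in the incident description that imply an expected category.
# Used to spot records whose assigned category contradicts the narrative.
CATEGORY_KEYWORDS = {
    "unauthorized access": 1,
    "denial of service": 2,
    "malicious code": 3,
    "improper usage": 4,
    "probe": 5,
    "scan": 5,
}


@dataclass
class Incident:
    ident: str
    category: int                   # category assigned by the response team
    description: str
    detected: datetime
    reported: Optional[datetime]    # time reported to US-CERT, None if never
    remediated: Optional[datetime]  # time remediated, None if still open


def expected_category(description: str) -> Optional[int]:
    """Derive the category the description implies, or None if unknown."""
    text = description.lower()
    for keyword, cat in CATEGORY_KEYWORDS.items():
        if keyword in text:
            return cat
    return None


def check_incident(inc: Incident, now: datetime) -> list:
    """Return the audit findings that apply to one incident record."""
    findings = []
    exp = expected_category(inc.description)
    if exp is not None and exp != inc.category:
        findings.append("miscategorized")
    deadline = REPORT_DEADLINE_HOURS.get(inc.category)
    if deadline is not None:  # categories without a deadline are exempt
        if inc.reported is None:
            findings.append("unreported")
        elif inc.reported - inc.detected > timedelta(hours=deadline):
            findings.append("late_report")
    # An open incident is measured against the current time.
    end = inc.remediated or now
    if end - inc.detected > REMEDIATION_TARGET:
        findings.append("late_remediation")
    return findings


def summarize(incidents, now: datetime) -> dict:
    """Count findings across the sample, in the audit's own terms."""
    counts = {"miscategorized": 0, "late_report": 0,
              "unreported": 0, "late_remediation": 0}
    for inc in incidents:
        for finding in check_incident(inc, now):
            counts[finding] += 1
    return counts


# Constructed sample records for the audit's scope period (Sept/Oct 2014).
NOW = datetime(2014, 11, 1)
SAMPLE = [
    Incident("INC-001", 2, "Denial of service against public web server",
             datetime(2014, 9, 3, 8, 0), datetime(2014, 9, 3, 11, 0),
             datetime(2014, 9, 12, 0, 0)),
    Incident("INC-002", 5, "Malicious code detected on workstation",
             datetime(2014, 9, 10, 14, 0), datetime(2014, 9, 10, 14, 40),
             datetime(2014, 9, 11, 10, 0)),
    Incident("INC-003", 5, "Port scan from external address",
             datetime(2014, 10, 2, 3, 0), None, datetime(2014, 10, 2, 6, 0)),
    Incident("INC-004", 1, "Unauthorized access to file share",
             datetime(2014, 10, 15, 11, 0), datetime(2014, 10, 15, 11, 45), None),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.ident, check_incident(inc, NOW))
    print(summarize(SAMPLE, NOW))
```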

Here’s the proposed solution according to the audit:

DS officials stated that a proposed solution was currently being developed that would improve the responsiveness of and communications between DS and IRM. Specifically, the Department would create a Joint Concept of Operations, via a Memorandum of Understanding, that would enhance the current capabilities of the DS Foreign Affairs Cybersecurity Center. Although the Memorandum of Understanding was in the initial drafting phase as of the date of this report, it is a proposed solution that, when fully implemented, will allow the Department to approve a Joint Security Operations Center concept that will potentially consolidate core IRM and DS cyber security functions and thus strengthen the responsiveness of and communications between IRM and DS. This effort will serve as the first step in improving communications between IRM and DS.

The State Department’s response to the OIG requested that the two recommendations be closed due to agency actions, but also expressed concerns over the OIG’s use of this press article from Nextgov cited in the audit:

Screen Shot

WaPo reported on the email system being taken down over hacking concerns here, and we did a blogpost on the incident here (see State Department’s Computer Systems Hacked, 5th Known Agency Breach This Year?).

#

 

State/OIG Reminds @StateDept of IT Contingency Planning Deficiencies

Posted: 12:59 am EDT

 

Last week, State/OIG issued a Management Assistance Report (MAR-PDF) reminding the State Department of continued deficiencies identified in information technology contingency planning at its overseas posts:

OIG identified IT contingency planning deficiencies in 69 percent (20 out of 29) of overseas inspections performed during FYs 2014 and 2015. The issues identified ranged from information management staff at posts not developing, updating, or testing IT contingency plans to plans that lacked appropriate key stakeholders and contact information as part of emergency preparedness, contrary to requirements set forth in 5 Foreign Affairs Manual (FAM) 1064, 12 FAM 623.7, 12 FAM 632.3, and National Institute of Standards and Technology Special Publication 800-34. This report recommends that the Department take action to ensure that information management personnel are held accountable for IT contingency planning by making this responsibility explicit in their work requirements.

Recommendations from 2011 OIG Memorandum Report Unimplemented

OIG inspection teams continue to report IT contingency planning findings in overseas inspection reports, despite a December 2011 OIG memorandum to the Bureau of Information Resource Management with two recommendations addressing the topic. The memorandum identified IT contingency planning issues involving bureaus’ and posts’ lack of attention to developing and testing IT contingency plans as part of their emergency preparedness activities. The Bureau of Information Resource Management stated in compliance responses that it was planning to implement a tracking mechanism and develop a SharePoint site to capture risk scoring compliance for posts and bureaus. However, after 4 years the bureau still lacks a tracking mechanism and a SharePoint site as mentioned in their compliance responses. The September 2015 compliance response noted that the bureau is researching other alternatives to comply with OIG recommendations.

So State/OIG is trying again with this MAR and a nudge on the work requirements of information management staff:

A review of Foreign Service employee evaluation reports for information management officers or the most senior information management personnel at embassies and consulates revealed that only 12 percent (32 out of 272) had a stated work requirement to develop and test IT contingency plans. According to 5 FAM 825 and 5 FAM 826, responsibility for the development and testing of IT contingency plans lies with the information management staff overseas.

Recommendation 1: The Bureau of Information Resource Management, in coordination with the regional bureaus, should include the requirement to complete and test information technology contingency plans in the work requirements for information management personnel. (Action: IRM, in coordination with AF, EAP, EUR, NEA, SCA, and WHA).

In related news:

#

@StateDept’s Problematic Information Security Program and Colin Powell’s Wired Diplomatic Corps

Posted: 2:10 am EDT

 


Via the AP:

Clinton approved significant increases in the State Department’ information technology budgets while she was secretary, but senior State Department officials say she did not spend much time on the department’s cyber vulnerabilities. Her emails show she was aware of State’s technological shortcomings, but was focused more on diplomacy.
[…]
Emails released by the State Department from her private server show Clinton and her top aides viewed the department’s information technology systems as substandard and worked to avoid them.

Screen Shot 2015-10-20

click here to view pdf file

The report does not include specific details on the “significant increases” in the IT budget. Where did it go? Why did the Clinton senior staff suffer through the State Department’s antiquated technology without any fixes?

In contrast, here is Colin Powell’s Wired Diplomatic Corps:

Another disturbing aspect of State Department life prior to 2001 was the poor condition of its information technology (IT). Independent commissions warned the organization’s computer networks were “perilously close to the point of system failure” and “the weakest in the U.S. government.” Inadequate funding, concerns over IT security, and simple bureaucratic inertia were all contributing factors. Powell came to an institution in which his employees relied on an antiquated cable messaging system, slow, outdated computers and as many as three separate networks to do their daily work. At several posts diplomats did not enjoy full access to the Internet or the department’s classified network. Such realities were troubling for a new secretary of state, who had served on America Online’s board of directors and considered Internet access an indispensable resource in his own daily life. Powell believed effective twenty-first diplomacy necessitated a modern communications system at State and made its establishment a top priority.

As with embassy construction and security, Powell successfully garnered the financial resources to make substantial quantitative and qualitative improvements in the organization’s information technology. For instance, a secure unclassified computer network with full Internet access was extended to 43,500 desktops during his tenure, making the State Department a fully wired bureaucracy for the first time in its history. This goal was reached in May 2003, under budget and ahead of schedule. Shortly thereafter a modernized classified network was installed at 224 embassies and consulates — every post that the Bureau of Diplomatic Security deemed eligible for such technology. In addition, a Global IT Modernization (GIT-M) program was launched to ensure that all computer hardware is kept state-of-the-art through an aggressive, four-year replacement cycle. Other changes equipped the institution with cutting-edge mainframes, updated secure telephones, and wireless emergency communication systems. Most recently, the State Department began under Powell’s leadership to replace its decades old cable and e-mail systems with one modern, secure, and fully integrated messaging and retrieval system.

These impressive technological changes were complemented by the creation of a new 10-person office for e-Diplomacy in 2002. The unit was established to support State’s information revolution by finding ways to increase organizational efficiency through information technology, making the newly installed systems user-friendly, and continuing to identify new ways to send, store and access information. Furthermore, IT security was enhanced considerably. One department report indicated that by August 2004, 90.4 percent of State’s operational systems had been fully authorized and certified, earning the department OMB’s highest rating for IT improvement under the President’s Management Agenda (PMA). In part, achievements of this type were facilitated through Powell’s hiring of 530 new IT specialists (while controlling for attrition). Through an aggressive recruitment and retention program based on incentives and bonuses, the department’s vacancy rate for such positions, which was “over 30 percent five years ago, [was] essentially eliminated.” As with congressional relations and embassy construction and security, State’s information technology was enhanced significantly under Powell’s leadership.

Read in full here via American Diplomacy — The Other Side of Powell’s Record by Christopher Jones.

So, among the more recent secretaries of state, one stayed home more than most. Secretary Powell knew the IT systems were substandard and he went about making the fixes a priority; he did not hand it off to “H” to lobby Congress or simply talk about the State Department’s “woeful state of civilian technology.”

Below is a clip from OIG Steve Linick’s Management Alert for recurring information system weaknesses spanning FY2011-FY2013. The actual FISMA reports do not seem to be publicly available at this time:

Screen Shot 2015-10-20

The FISMA audit dated October 2014 says:

[T]he Chief Information Security Officer stated that the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA), received a budget of $14 million in FY 2014, an increase from $7 million in FY 2013. A majority of the budget was used for contractor support to improve FISMA compliance efforts.

We identified control deficiencies in all [Redacted] (b) (5) of the information security program areas used to evaluate the Department’s information security program. Although we recognize that the Department has made progress in the areas of risk management, configuration management, and POA&M since FY 2013, we concluded that the Department is not in compliance with FISMA, OMB, and NIST requirements. Collectively, the control deficiencies we identified during this audit represent a significant deficiency to enterprise-wide security, as defined by OMB Memorandum M-14-04.

We have been unable to find the FISMA reports for all of the Rice, Clinton and Kerry tenures. We’ll keep looking.

#

 

Be On The Lookout Alert: State/OIG’s Inspection Reports FY2015 (Corrected)

Posted: 12:43 am EDT
Corrected: 1:19 pm EDT

 

The Office of Evaluations and Special Projects (ESP) in the Office of Inspector General (OIG) was established in 2014 “to strengthen OIG’s oversight of the Department and BBG, and to improve OIG’s capabilities to meet statutory requirements of the Whistleblower Protection Enhancement Act of 2012.” ESP is also responsible for special evaluations and reviews, including responses to congressional inquiries. The work of this new office reportedly complements the work of OIG’s audits, investigations, and inspections by developing a capacity to focus on broader, systemic issues.

Note: We are correcting this post to indicate that the following reports are done by OIG’s Office of Inspections (ISP). That directorate is focused on three broad areas set forth in the Foreign Service Act of 1980: policy implementation, resource management and management controls. The following reports fall under OIG/ISP’s Special Projects and Areas of Emphasis.

With the end of the fiscal year just two weeks away, here is a recap of the scheduled evaluations by OIG’s Office of Inspections for FY2015 (pdf). The start date of these evaluations was this fiscal year, but the final reports may not necessarily be released this month. We don’t know when these reports will be available and whether all will be available publicly, but we’re on the lookout for them. State/OIG says that “our folks are committed to posting them and making them public as soon as we can.”

Cross-Functional: Program Evaluation | Inspectors will determine whether Department bureaus and missions have conducted program evaluations of foreign assistance programs, consistent with OMB Memorandum M-11-29 and the Foreign Affairs Manual (FAM), 18 FAM 300.

Executive: Annual Statement of Assurance on Management Controls | Inspectors will determine whether Chiefs of Mission and Assistant Secretaries understand statement-of-assurance guidance; conduct reviews consistent with guidance; and demonstrate their support for controls verbally and through other means, communicating the importance of ethical behavior and management controls.

Political/Economic: Foreign Assistance Oversight  | Inspectors will determine whether oversight responsibilities are clearly reflected in the position descriptions, work requirement statements, and evaluations of grant officer representatives or contracting officer representatives that spend more than 25 percent of their time overseeing foreign assistance programs.

Public Diplomacy: Social Media Guidance and Clearances | Inspectors will determine whether missions have a strategic plan to guide missions’ use of various types of social media and the level of policy content in that media with respect to target audiences.

Consular: Eligible Family Member Employment in Consular Sections  | Inspectors will examine the effectiveness of eligible family member employment in consular sections and its impact on mission morale.

Information Technology: Key-Loggers  | Inspectors will determine if missions and bureaus have controls in place to detect the existence of key-loggers on mobile computing devices used with the fob.

Security: Regional Security Officer Access to Threat Information  | Inspectors will determine whether Regional Security Officers have access to all required sources of threat information, as recommended in the classified Benghazi Accountability Review Board report.

Security: Department of Defense Support for Embassy Personnel Emergencies  | Inspectors will determine whether DoD is complying with Benghazi Accountability Review Board recommendations related to supporting mission personnel in emergencies.

#