GAO Reviews @StateDept’s Efforts to Protect U.S. Diplomatic Personnel in Transit

Posted: 2:34 am ET
[twitter-follow screen_name=’Diplopundit’ ]

 

According tot he GAO, many of the worst attacks on U.S. diplomatic personnel—including 10 of the 19 attacks that prompted State to convene ARBs—occurred while victims were in transit.  It recently released its report on the State Department’s efforts to protect U.S. diplomatic personnel in transit overseas. See Diplomatic Security: State Should Enhance Its Management of Transportation-Related Risks to Overseas U.S. Personnel (GAO-17-124).  For this report, GAO evaluated the extent to which State, with regard to transportation security at overseas posts, has (1) established policies, guidance, and monitoring; (2) provided personnel with training; and (3) communicated time- sensitive information.

Summary:

The Department of State (State) has established policies related to transportation security for overseas U.S. personnel, but gaps exist in guidance and monitoring. GAO reviewed 26 posts and found that all 26 had issued transportation security and travel notification policies. However, policies at 22 of the 26 posts lacked elements required by State, due in part to fragmented implementation guidance on what such policies should include. State also lacks a clear armored vehicle policy for overseas posts and procedures for monitoring if posts are assessing their armored vehicle needs at least annually as required by State. These gaps limit State’s ability to ensure that posts develop clear policies that are consistent with State’s requirements and that vehicle needs for secure transit are met.

While State provides several types of training related to overseas transportation security, weaknesses exist in post-specific refresher training. Regional security officers (RSO) receive required training related to transportation security in special agent courses, and nonsecurity staff reported receiving relevant training before departing for posts—including on topics such as defensive driving and the importance of taking personal responsibility for one’s security—as well as new arrival briefings at posts. At most of the 9 posts GAO visited, however, staff had difficulty remembering key details covered in new arrival briefings or described the one-time briefings as inadequate. State’s requirements for providing refresher briefings are unclear, potentially putting staff at greater risk.

State uses various systems at overseas posts to communicate time-sensitive information related to transportation security, but several factors hinder its efforts. RSOs and other post officials are responsible for communicating threat information to post personnel. However, at 4 of the 9 posts it visited, GAO learned of instances in which staff did not receive important threat information in a timely manner for various reasons. In one case, this resulted in an embassy vehicle being attacked with rocks and seriously damaged while traveling through a prohibited area. In addition, while all 9 of the posts GAO visited require that personnel notify the RSO before traveling to certain locations, personnel at more than half of the 9 posts said they were unaware of these requirements or had difficulty accessing required travel notification systems.

State.gov Emails

We should note that family members who do not work for our embassies and consulates do not have state.gov emails. And by the way, they are the ones  who are driving around in their host countries — from homes to schools, to groceries, to playdates, etc — in their private vehicles with diplomatic plates. Excerpt from the GAO report:

RSOs at the nine posts we visited told us they communicated transportation-related threat information to post personnel through various methods, such as post-issued radios, personal and official e-mail, text messages to work and personal mobile phones, and phone trees. However, we learned of instances at four of the nine posts in which personnel did not receive important threat information in a timely manner.  For instance, at one of the posts we visited, the RSO sent a security notice restricting travel along a specific road and warning that recent violent protests in the area had resulted in injuries and even death, but because the notice was sent exclusively to state.gov e-mail addresses, some non-State personnel at the post did not receive it at the e-mail address they regularly used and were unaware of the restriction. The personnel subsequently traveled through the restricted area, resulting in an embassy vehicle being attacked with rocks while on unauthorized travel through the area. While no one was hurt, the vehicle’s front windshield was smashed. The RSO told us that to avoid similar situations in the future, he would add the personnel’s regularly used e-mail addresses to his distribution list for security notices. At another post, focus group participants stated that they did not receive any information from the RSO or other post officials about the security-related closure of a U.S. consulate in the same country and instead learned about the closure from media sources. Participants in focus groups at two other posts stated that threat information is often either obsolete by the time they receive it or may not reach staff in time for them to avoid the potential threats.

OpenNet Accounts

Personnel at more than half of the nine posts we visited cited difficulty using travel notification systems or were unaware or unsure of their post’s travel notification requirements. While three of the nine posts we visited permit personnel to use e-mail or other means to inform the RSO of their travel plans, the remaining six posts require personnel to complete an official travel notification form that is only accessible through a State information system called OpenNet. However, according to officials responsible for managing State’s information resources, including OpenNet, not all post personnel have OpenNet accounts. Specifically, all State personnel at overseas posts have OpenNet accounts, but some non-State agencies, such as the U.S. Agency for International Development, typically only have a limited number of OpenNet account holders at each post; some smaller agencies, such as the Peace Corps, usually have none. One focus group participant from a non-State agency told us that because she does not have an OpenNet account, her ability to submit travel notifications as required depends on whether or not she is able to find one of the few individuals at the post from her agency that does have an OpenNet account. Similarly, the travel notification policy for another post requires that post personnel use an OpenNet-based travel notification system even though the policy explicitly acknowledges that not all post personnel have OpenNet accounts.

Armored Vehicles and the EAC

The FAH establishes a minimum requirement for the number of armored vehicles at each post. The FAH also states that post Emergency Action Committees (EAC) must meet at least annually to discuss post armored vehicle programs and requirements.21 According to the FAM, it is important that EACs provide information on posts’ armored vehicle requirements to ensure there is sufficient time to budget for the costs of such vehicles, including the extra costs associated with armoring them.22

We found that DS may not be meeting the first of these FAH requirements, and EACs are not meeting the second requirement at every post. With respect to the first requirement, DS officials initially explained that under the FAH, every embassy and consulate is required to have a certain number of armored vehicles, but we found that not every consulate met this requirement as of May 2016. These potential deficiencies exist in part because DS has not instituted effective monitoring procedures to ensure that every embassy or consulate is in compliance with the FAH’s armored vehicle policy.

The GAO recommend that the Secretary of State direct Diplomatic Security to take the following eight actions:

  1. Create consolidated guidance for RSOs that specifies required elements to include in post travel notification and transportation security policies. For example, as part of its current effort to develop standard templates for certain security directives, DS could develop templates for transportation security and travel notification policies that specify the elements required in all security directives as recommended by the February 2005 Iraq ARB as well as the standard transportation-related elements that DS requires in such policies.
  2. Create more comprehensive guidance for DS reviewers to use when evaluating posts’ transportation security and travel notification policies. For example, the checklist DS reviewers currently use could be modified to stipulate that reviewers should check all security directives for DS-required elements recommended by the February 2005 Iraq ARB. The checklist could also provide guidance on how to take the presence or absence of these required elements into account when assigning a score to a given policy.
  3. Clarify whether or not the FAH’s armored vehicle policy for overseas posts is that every post must have sufficient armored vehicles, and if DS determines that the policy does not apply to all posts, articulate the conditions under which it does not apply.
  4. Develop monitoring procedures to ensure that all posts comply with the FAH’s armored vehicle policy for overseas posts once the policy is clarified.
  1. Implement a mechanism, in coordination with other relevant State offices, to ensure that EACs discuss their posts’ armored vehicle needs at least once each year.
  2. Clarify existing guidance on refresher training, such as by delineating how often refresher training should be provided at posts facing different types and levels of threats, which personnel should receive refresher training, and how the completion of refresher training should be documented.
  3. Improve guidance for RSOs, in coordination with other relevant State offices and non-State agencies as appropriate, on how to promote timely communication of threat information to post personnel and timely receipt of such information by post personnel.
  4. Take steps, in coordination with other relevant State offices and non- State agencies as appropriate, to make travel notification systems easily accessible to post personnel who are required to submit such notifications, including both State and non-State personnel.

The GAO report notes that the State Department concurred with all its recommendations except one.  State did not concur with the sixth recommendation to clarify guidance on refresher training. In its response, State described a number of efforts that RSOs take to keep post personnel informed, such as sending security messages via e-mails and text messages, and therefore State did not believe additional formal training was necessary.  The GAO acknowledge the efforts but writes:

Nevertheless, participants in 10 of our 13 focus groups either had difficulty recalling certain security policies and requirements or described their security briefings as inadequate. Participants noted that this was, in part, because it can be challenging to remember the content of new arrival security briefings while they are simultaneously managing the process of moving and adjusting to a new post and because of the one-time nature of new arrival briefings. DS headquarters officials stated that most violations of post travel policies are due to personnel forgetting the information conveyed in the new arrival briefings.

This is the third in a series of GAO reports on diplomatic security. For GAO’s previous work on security at residences, schools, and other soft targets, see GAO-15-700 (http://www.gao.gov/products/GAO-15-700) and for the review of security at embassies and consulates, see GAO-14-655 (http://www.gao.gov/products/GAO-14-655).

 

#

Advertisements

Daily Press Briefing Needs IT and FOIA Specialists on HRC Emails, Plus HAK Files Go to Court

Posted: 1:25 am EDT
[twitter-follow screen_name=’Diplopundit’ ]

Clip via PostTV

[protected-iframe id=”5bc752fe6db00036072fab3bf7198c29-31973045-31356973″ info=”http://www.washingtonpost.com/posttv/c/embed/4c950cba-c367-11e4-a188-8e4971d37a8d” width=”480″ height=”290″ frameborder=”0″ scrolling=”no” webkitallowfullscreen=”” mozallowfullscreen=”” allowfullscreen=””]

Argghhhh! Whaaat?

Email System

The State Department has multiple automated information systems. All employees, including locally employed staff and contractors (apparently with the exception of Secretary Clinton and who knows how many others), have state.gov email addresses for use in their unclassified workstations.  But not everyone has classified access and in some places, you have to go to a controlled location just to read your classified email.  Here is a quick description from publicly available documents:

    • OpenNet is the Department’s internal network (intranet), which provides access to Department-specific Web pages, email, and other resources.
    • ClassNet is the Department’s worldwide national security information computer network and may carry information classified at or below the Secret level.
    • SMART-SBU or just “SMART” replaces existing Department of State unclassified email and cable systems with a Microsoft Outlook-based system.
    • SMART-C is the Classified State Messaging and Archive Retrieval Toolset

 

No one “scans” emails for classified material?

The real question seems to be — well, if all her email communication was conducted through a private email  server —  how can we be sure that no classified and sensitive information were transmitted using her private email account?  We can’t, how can we?

However, for ordinary employees with badges and logins, an Information System Security Officer (ISSO) has “read access to the employee’s mailbox to ensure that no messages contain classification levels higher than that allowed on the authorized information system” (see 12 FAM 640-pdf). Which seems to indicate that ISSOs as a matter of course, “scan” State Department electronic mailboxes and files to ensure that there are no material there beyond “Sensitive But Unclassified” in the unclass system, for example.


Moving on to fumigation

Anyways — remember the WikiLeaks fallout? At that time, federal employees and contractors who believe they may have inadvertently accessed or downloaded classified or sensitive information on computers that access the web via non-classified government systems, or without prior authorization, were told to contact their information security offices for assistance.

If the unthinkable does happen, their unclassified computers required the equivalent of um… let’s say, digital “fumigation.” But who does that for private email servers?

The office that handles FOIA requests is the Office of Information Programs and Services (A/GIS/IPS/RL) under the Bureau of Administration. The Department also has its own chief information officer. Can we please have the State Department’s IT and FOIA experts talk about this from the podium?  Please, please, please, pretty please, this is getting more painful to watch every day.

 

[grabpress_video guid=”7ebdc05049ec1cf964f05708abe166946e545cb4″]

 

In related news — when you see reports that US embassies have been cited multiple times by State/OIG for use of  “personal email folders,” we suggest you take a deep breath.  That’s not/not the same as the use of personal private emails like Yahoo or Gmail. What those OIG reports are probably referring to are the personal storage folders, also known as  .pst files in Microsoft Outlook on the employees’ hard disk drives. Why would you want to save your emails in the personal folders of your computer?

Because a .pst file is kept on your computer, it is not subject to mailbox size limits on the mail server. By moving items to a .pst file on your computer, you can free up storage space in the mailbox on your mail server.

 

Just because you have classification authority, must you?

Below is an excerpt from the State Department Classification Guide | January 2005, Edition 1 (pdf via the Federation of American Scientists)

High Level Correspondence. This includes letters, diplomatic notes or memoranda or other reports of telephone or face-to-face conversations involving foreign chiefs of state or government, cabinet-level officials or comparable level figures, e.g., leaders of opposition parties. It should be presumed that this type of information should be classified at least CONFIDENTIAL, though the actual level of classification will depend upon the sensitivity of the contained information and classification normally assigned by the U.S. to this category of information. Information from senior officials shall normally be assigned a classification duration of at least ten years. Some subjects, such as cooperation on matters affecting third countries, or negotiation of secret agreements, would merit original classification for up to 25 years.

One thing to remember here, and it’s an important one — the secretary of state is the highest classification authority at the State Department.

CFR 2005 Title 22 Volume I Section 9-10:

(a) In the Department of State authority for original classification of information as ‘‘Top Secret’’ may be exercised only by the Secretary of State and those officials delegated this authority in writing, by position or by name, by the Secretary or the DAS/ CDC, as the senior official, on the basis of their frequent need to exercise such authority.

But why would the USG’s classification guide or classification authority even apply to an email server that apparently is not owned nor physically possessed or maintained by the State Department?


No one is coming out of this smelling like roses

The 67th secretary of state exclusively used private email during her entire tenure at the State Department. She left the State Department on February 1, 2013.  The official word is that in October 2014 — to improve record-keeping or something — the State Department “reached out to all of the former secretaries of state to ask them to provide any records they had,” Secretary Clinton reportedly sent back “55,000 pages of documents to the State Department very shortly” after the letter was sent to her. “She was the only former Secretary of State who sent documents back in to this request,” said Ms. Harf.  This storyline is not even walking quite straight anymore according to the NYT’s follow-up report of March 5.

What appears clear is that the USG cannot possibly know the answer to the endless questions surrounding these emails since it does not have possession of the private email server used in the conduct of official business. But somebody must know how this set-up came to be in 2009.  What originated this, what security, if any  were put in placed?

As if we don’t have enough  disturbing news … have you seen this?

 

But 56th took his files with him!

In related news,  the National Security Archive  filed suit against the State Department this week under the Freedom of Information Act to force the release of the last 700 transcripts of former Secretary of State Henry Kissinger’s telephone calls (telcons). The Archive’s appeal of State’s withholding dates back to 2007.

.

 

The 56th secretary of state had reportedly removed the telcons, along with his memcons and office files, from the State Department when he left office at the end of 1976. According to the FOIA-released declassification guide for the State Department “information that still requires protection beyond 25 years should be classified for only as long as considered necessary to protect the national security.”

But … but …it’s been almost 40 years, heeeellloo!

Where are we again? Oh, utterly distressed by this whole thing.

 

 

Related post:

Don’t read WL from your workstation, if read elsewhere make sure you wash your eyes or you go blind….

 

Related items:

It could be very long time before Hillary Clinton’s State Department e-mails see the light of day (WaPo)

12 FAM 640  DOMESTIC AND OVERSEAS AUTOMATED INFORMATION SYSTEMS CONNECTIVITY (pdf)

Leaked Guccifer emails did say “confidential” but the purported sender of those emails was no longer in USG service and presumably, no longer had any classification authority.

 

State Dept Re-attached to the Internet, and About Those “Unrelated” Embassy Outages

— Domani Spero
[twitter-follow screen_name=’Diplopundit’ ]

 

A few hours ago, we posted this: State Dept Spox on outages at embassies: “separate”, “unconnected”, “unrelated” — wowie zowie!

It looks like the State Department was re-attached to the Internet sometime this morning. Although as of this writing, go.state.gov is still down for “temporary maintenance.”

Screen Shot 2014-11

Screen capture of http://go.state.gov, still current as of 11/19/2014

Here’s what we’ve learned about the embassy outages:

The Consular Consolidated Database is apparently unaffected, as are visa and passport services.

EXCEPT that Consular Sections were unable to accept credit card payments because those are connected to the Internet, which was unavailable from the State Department’s OpenNet.

Here’s how OpenNet is described in the FAM:

OpenNet is a physical and logical Internet Protocol (IP)-based global network that links the Department of State’s Local Area Networks (LANs) domestically and abroad. The physical aspect of the network uses DTS circuits for posts abroad, FTS-2001-provided circuits, leased lines, and dial-up public switch networks. This includes interconnected hubs, routers, bridges, switches, and cables. The logical aspect of the network uses Integrated Enterprise Management System (NMS) and TCP/IP software, and other operational network applications. OpenNet is a Sensitive But Unclassified (SBU) network, which supports e-mail and data applications.

We understand that the American Citizen Services (ACS) Units, in particular, were not able to process payments by credit cards. Since the Internet connection issue had been reportedly resolved earlier today, we hope that this has resolved itself, too.

As to visa services, those are connected to the Global Support Strategy (GSS) contract, and 99% of fees would have been collected through the GSS contractor, not at post.

EXCEPT that most GSS contractors do scheduling via their own 3rd party websites, which would not be able to be accessed from OpenNet. If visa scheduling had delays, that would be because posts had to find a non-OpenNet Internet connection to update scheduling slots, as necessary.

A note on the GSS:  The GSS contracts provide support services for nonimmigrant and immigrant visa operations at United States consulates and embassies abroad, including but not limited to public inquiry services, appointment services, fee collection services, biometric enrollment services, document delivery services and data collection services.

So when the State Department spox said that these outages were not connected and were unrelated, well —

Congratulations! You sound nice at the podium but what the heck were you talking about?

* * *

Oops! What’s this? Updated at 1552 PST Nov 19:

Screen Shot 2014-11-19 at 3.44.20 PM

* * *