The current scandal roiling over the use of a private e-mail server by former Secretary of State Hillary Clinton is just the latest in a series of scandals surrounding government e-mails. And it’s not the first public airing of problems with the State Department’s IT operations—and executives’ efforts to bypass or work around them. At least she didn’t set up an office in a restroom just to bypass State Department network restrictions and do everything over Gmail.
However, another Obama administration appointee—the former ambassador to Kenya—did do that, essentially refusing to use any of the Nairobi embassy’s internal IT. He worked out of a bathroom because it was the only place in the embassy where he could use an unsecured network and his personal computer, using Gmail to conduct official business. And he did all this during a time when Chinese hackers were penetrating the personal Gmail inboxes of a number of US diplomats.
Why would such high-profile members of the administration’s foreign policy team so flagrantly bypass federal and agency regulations to use their own personal e-mail to conduct business? Was it that they had something they wanted to keep out of State’s servers and away from Congressional oversight? Was it that State’s IT was so bad that they needed to take matters into their own hands? Or was it because the department’s IT staff wasn’t responsive enough to what they saw as their personal needs, and they decided to show just how take-charge they were by ignoring all those stuffy policies?
The answer is probably a little bit of all of the above. But in the case of former ambassador Scott Gration, the evidence points heavily toward someone who wanted to work outside the system because he just couldn’t stand it.
Take this IT and flush it
Shortly after his arrival in Nairobi, Gration “broadcast his lack of confidence in the information management staff” of the Embassy, the State Department Office of the Inspector General noted in an inspection report on the embassy that precipitated Gration’s resignation:
Because the information management office could not change the Department’s policy for handling Sensitive But Unclassified material, he assumed charge of the mission’s information management operations. He ordered a commercial Internet connection installed in his embassy office bathroom so he could work there on a laptop not connected to the Department email system. He drafted and distributed a mission policy authorizing himself and other mission personnel to use commercial email for daily communication of official government business. During the inspection, the Ambassador continued to use commercial email for official government business.
Gration’s demands and “flouting of direct instructions to adhere to Department policy “ put the IT staff at the embassy in Kenya in the position of having to choose between making their boss happy and following State Department regulations and government information security requirements. When they failed to respond to Gration’s demands in a timely fashion, he escalated things by “publicly berating members of the staff, attacking them personally, loudly questioning their competence, and threatening career-ending disciplinary actions,” the IG’s office reported. “These actions have sapped the resources and morale of a busy and understaffed information management staff as it supports the largest embassy in sub-Saharan Africa.”
Apparently, Gration’s impatience with IT extended to not using his secure email and the “front channel” secure diplomatic cable system. The Inspector General’s inspection team observed that “the Ambassador does not read classified front channel messages. No one in the mission screens incoming cables for the Ambassador relevant to Kenyan and US interests in the region. The OIG team also observed that the Ambassador very infrequently logs onto his classified account, which would allow him to read cables and classified emails.” In the end, the IG team recommended that somebody check his accounts for him and screen messages for relevance.
In other words, Gration was the end user from hell for an understaffed IT team in a politically sensitive outpost. “He has willfully disregarded Department regulations on the use of commercial email for official government business,” the IG report noted, “including a front channel instruction from the Assistant Secretary for Diplomatic Security against such practice, which he asserted to the OIG team that he had not seen”—because he never used his secure network account.
What could have possibly motivated that sort of behavior from a man who had clearly dealt with secure government IT systems in the past as an Air Force major general? In part, it may have been that regardless of how competent the IT team at the Nairobi embassy was, State Department information systems might make working out of a bathroom look good to anyone accustomed to more corporate IT.
Why State Department IT can’t compete with a laptop in a bathroom
Being an Information Management Specialist in the US Foreign Service can be a challenging and thankless job. At the Nairobi embassy, supporting all that was (and continues to be) complicated by “local infrastructure that suffers from almost daily electricity and communication outages,” the Office of the Inspector General reported. “And the American staffing in the information management section has remained the same despite large increases to overall mission staffing in the last 2 years and a constant flow of visitors that averages 200 people on any given day.”
On top of that, there’s the issue of what embassies are given to work with. State’s Global OpenNet, the intranet that provides the backbone for department-wide e-mail and instant messaging, is dependent on aging Microsoft communications infrastructure, including Microsoft Office Communicator for unified voice and video communications. The State Department is in the middle of a roll-out of a new Office desktop environment (Office 2010), and that’s broken unified communications for some users in the process—since Lync clients won’t be supported until later this month.
The State Department’s handling of IT has been a sore point for some time. In 2011, according to an Inspector General report , the department was still struggling to properly implement Federal Information Security Management Act (FISMA) and Office of Management and Budget mandated requirements for information security. Since then, State Department unclassified e-mail has been the target of multiple data breaches , including one by some reports has been ongoing since last fall.
In an audit of information security for the State Department’s Office of the Inspector General published in October 2014, the outside team from Williams Adley and Co. reported “significant deficiency to enterprise-wide security,” and cited a failure to properly manage IT security risks. “Since [fiscal year] 2010, this has been a perennially recurring problem across many Department systems and is undoubtedly systemic in nature, requiring global measures in attempt to remedy this deficiency.”
Many of the problems cited in the audit and other reports have their roots in State Department culture, a particular hothouse of wider federal government culture that is institutionally oriented toward picking people who fit into a specific type for entry into Foreign Service Officer training. Based on conversations with people who have worked at the State Department, the culture there is, while largely patriotic and professional, also fairly change-resistant and homogenous.
And even when they try to change that by bringing in smart people from the outside world, the hiring process can actively discourage the best-qualified candidates—because the Foreign Service wants lifers. People with outside experience from industry are infrequently brought in, As former ambassador John Price, now a resident scholar at the University of Utah, pointed out in an essay entitled “The State Department Culture Needs to Change,” and talented people who are typecast in a specific role are usually trapped there and unable to advance.
Prepare to be processed
State, like other government agencies, pays internal IT people abysmally compared to the private sector, when the department actually hires them. And that’s not that often—most IT positions in embassies are filled by people from the countries they are in, and Information Management Specialists in the Foreign Service are essentially expected to be super-generalists capable of taking on any IT or telecom-related task.
An embassy IT team is responsible for multiple classified and unclassified networks, Internet infrastructure that can include local web servers, social media operations, secure and unclassified voice and video communications for the embassy and senior staff residences, radio communications, the embassy’s Diplomatic and local postal mail and “pouch” service. Anything that brushes up against sensitive or classified data has to be handled by Americans, so Foreign Service IMSs are called upon to do the impossible with limited resources, tight budgets, and all the other usual stress-inducing factors that come with the usual IT job magnified by global politics.
But if that doesn’t put you off, if you are willing to move anywhere in the world, can get a Top Secret clearance, get through the Foreign Service selection process to be considered for employment (which, based on the experiences of some I know now in the Foreign Service, can take years), then you can actually be considered for an opening. However, there are currently none—the last vacancy announcement closed in December—and if you’ve applied before, you have to wait a year after the last posting closed to apply again.
In the event that there’s an Information Management Specialist slot open and you’ve cleared all the other hurdles, and you can do everything there is to do in IT (from pulling wires and doing desktop support to managing an IT, telephony and mailroom staff of foreign nationals), you can pull down as much as$63,702 a year plus benefits (plus a differential bonus for particularly dangerous places). But probably, you’d make something closer to the $43,000 range. By comparison, the expected salary for a certified Unix sysadmin with a Top Secret clearance in Maryland is around $75,000—no wire-pulling required.
Privileged users
All that aside, Gration’s insistence on running his own IT was part of a bigger pattern of telling the chain of command at the State Department to stuff it and basically doing whatever he wanted. “The Ambassador’s leadership example has negatively affected mission staff perceptions of his role as Chief of Mission and raised questions about his objectivity,” the OIG reported.
For example, when Gration decided that morale was low, he created his own survey to find out why. When the answer turned out to be him , “he told embassy employees that senior officers had done a bad job of explaining his objectives,” the OIG team reported. “He subsequently sought—but did not obtain—access to individual survey responses that would have violated the anonymity of the respondents.”
Gration also attempted to have a monument to the victims of the 1998 Nairobi embassy bombing altered without State Department approval, and using government funds. He frequently railed against Washington and encouraged staff not to follow administration policy directives.
At the end of the day, it would seem, Gration was just a high-maintenance user with feelings of entitlement that went far beyond those associated with his responsibilities. But, as with Clinton, Gration was the boss—and the boss got what the boss wanted.
No comments:
Post a Comment