Speaking Out

BY TIMOTHY LAWSON

Recent events, from the conviction of Bradley (now Chelsea) Manning for his role in WikiLeaks, credible allegations that the U.S. has been spying on top European leaders, and Edward Snowden’s revelations regarding the National Security Agency’s PRISM program, to the high-level focus on cybersecurity at last summer’s U.S.-China summit, all call to mind a series of similar uncertainties America faced nearly 240 years ago.

As was true back in 1775, when Benjamin Franklin led a fledgling Committee of Secret Correspondence, today’s Foreign Service still requires secrecy to function effectively. Transparency is important, but the key to protecting U.S. national interests is information security.

Secretary of State John Kerry has rightly acknowledged that while U.S. intelligence efforts have prevented many calamities, in some cases those information-gathering efforts have reached too far. As our national leadership tackles this important issue, those of us in the Foreign Service are, as always, bound by our own institutional responsibility to protect national security information.

While the Bureau of Information Resource Management’s Communications Security and Information Assurance programs are security mainstays, today’s challenges are increasingly complex. For all the undisputed benefits new technology brings, real vulnerabilities remain. These weaknesses jeopardize our foreign policy, development initiatives, consular services and social media outreach, damaging U.S. strategic interests. They can also endanger lives.

From Security to Efficiency to Peril

Thirty years later, I still recall reporting for duty at my second post, Moscow, as a junior FS-8 Support Communications Officer in 1983. The first thing I gazed upon after entering the secure, highly restricted area of the Communications Programs Unit was a row of eight five-drawer Mosler safes, each with its own three-way combination lock that rigorously tested memorization skills.

As at other posts behind the Iron Curtain, Moscow’s CPU safeguarded the embassy’s crown jewels: classified files containing top-secret telegrams, special captioned materials, cryptographic materials, keys and ciphers. Centralized files were cumbersome, but provided a high level of information security.

Notorious U.S. Navy spy John Walker, convicted in 1985 for passing more than a million secrets to the Soviets, was able to do incalculable damage to national security because the Navy’s communications security system used a single key to encrypt communications between hundreds of ships. Moreover, each Navy command and unit maintained individual files, making the potential for even further information loss substantial.

In contrast, the State Department’s “point-to-point” encryption practice, which employed unique encryption links between each post and Washington, coupled with centralized filing systems like the one in Moscow, limited potential damage from a security compromise. Yes, information was tightly locked up and difficult to access—but that was the tradeoff for virtual immunity to accidental loss or intentional release.

As new technology evolution morphed, however, security soon took a back seat to speed and accessibility. Centralized files gave way to computers, floppy disks, databases and local area networks.

The burden of traditional “communications and records” was replaced with new productivity. But those advances altered our culture for handling classified information, once the bedrock of Foreign Service tradecraft. The convenience of new technology trumped imprinted classification stamps, security markings and sealed envelopes.

Fast forward to today when information access has never been simpler. Given the priority assigned to information sharing since 9/11, and the spread of cellphones, tablets, Twitter and other social media systems, the possibilities for diplomacy seem boundless. Unfortunately, security remains relegated to the back burner, despite growing dangers.

Today’s technology offers boundless possibilities for diplomacy. But information security must not be relegated to the back burner in the process.

Making Cybersecurity a Top Priority

Media reports describe construction of a new $400 million headquarters to house a Department of Defense “Cyber Command” at Fort Meade in Maryland. The new entity will reportedly be staffed by 4,000 to 5,000 military and civilian personnel whose duties are to detect, defend against and stop penetration of DOD’s computer systems.

State lacks the resources to construct such a capacity. But there are steps we can take—indeed, must take to restore information integrity and protection, thereby reassuring our friends and allies. Today, three years after the WikiLeaks episode, many foreign interlocutors remain reticent about sharing any sensitive information with our diplomats. This reluctance hampers relationships, causes friction and emboldens our enemies.

President Barack Obama’s Executive Order 13636 offers a remedial starting point. This directive calls for improved protection of critical information infrastructure. With that in mind, I offer two recommendations to address pressing State Department deficiencies:

• Increase security of existing classified networks. Media reporting leaves no doubt that our nation’s focus on information security, communications security and classified networks has seriously weakened. To counter this worrying trend within the Foreign Service, more resources must be directed toward supporting Information Programs Center operations.
        This should include a renewed focus on emergency communications training for handling vital reports, particularly now that the Bureau of Information Resource Management has abandoned its Warrenton Training Center facility. Fortunately, the IPC structure remains central to the core reporting function of the Foreign Service, and chiefs of mission, deputy chiefs of mission and management counselors should all show strong support for this vital operation.
• Make cybersecurity a management priority by setting performance metrics. The process of prioritizing cybersecurity will necessarily be led by ambassadors and other Senior Foreign Service officers, but it is most critical for Chief Information Officers. Yet the last CIO to work inside one of State’s Information Programs Centers, which handle so much of this critical responsibility, did so 13 years ago.
        Since then, nearly all CIOs have come from unclassified Information Systems Centers. None have IPC experience. (While it may be purely coincidental, the WikiLeaks catastrophe and other data leaks all occurred during this period.) Clearly, State should require IRM personnel to acquire hybrid experience, through stints inside IPCs and ISCs, as a prerequisite to assume CIO leadership positions. This would promote senior cybersecurity awareness and crown a 27-year odyssey in search of a unified IRM organization that encompasses the classified and unclassified domains.

Other Initiatives to Consider

Strengthening IPC operations and building more security awareness into the senior IRM leadership are key requirements. But other initiatives deserve consideration, too.

Take, for example, the Russian Federal Guard Service’s recent switch from digital systems to typewriters and paper (reportedly in response to the Snowden affair). That shift certainly does not mean that we should return to the best practices of a quarter-century ago, when those of us in Moscow issued “Mickey Mouse” magic slate erasable writing pads to Secretary of State George Shultz and other high-level visitors. But it is worth recalling that evidence of Soviet eavesdropping was first reported by an alert IPC officer.

The Diplomatic Courier Service, which proudly traces its origins as a secure communications system back to the days of the Committee of Secret Correspondence, might play a novel role in confronting today’s security challenge. Especially sensitive, but not perishable, information could be sent via courier if selected cables are captioned “DCS CHANNEL.” Creation of such a new telegraphic channel would result in slower delivery but enhanced protection. This envisions a kind of asymmetrical “mobile firewall” strategy.

The Bureau of Diplomatic Security also needs to urgently review the operational shift since 9/11 from “need to know” to “need to share.” Information collaboration certainly has value, but it must be smart—and regulated. Whether sharing information via social media or for joint strategic planning with other agencies, we must protect it.

A recent Office of the Inspector General report stated that without greater control and oversight of the Netcentric Diplomacy Application, which permits sharing classified cables via the Secret Internet Protocol Router Network, another WikiLeaks-like disaster is not just possible, but likely. Until that vulnerability is eliminated, information-sharing through that application should immediately cease.

The Past as Prologue

IRM officers are a proud group of professionals with the expertise and commitment to achieve all the technological objectives to make E.O. 13636 a reality—given the resources. An elite team of diplomatic couriers stands ready to do its part, as well. But implementing new approaches to IRM program strategy, along with a new CIO security focus, will demand resolve—and the courage to help divine the future.

A renewed State Department commitment to enhancing information security can be a microcosm for what’s possible across America’s increasingly digital landscape. In 1775 Benjamin Franklin recognized that the new nation would need to enshrine openness and trust among its values. But he also persuaded the Continental Congress to keep “secret journals” of his committee’s actions to help secure America’s liberty.

Our first diplomat knew that securing liberty would at times demand secret diplomacy. For today’s Foreign Service, that past must be prologue.