The Foreign Service Journal, September 2005

credibility to her certification. Last February, Rep. TomDavis, R-Va., issued an annual report card on federal agencies’ cyber-security practices, raising the State Depart- ment’s mark from an F to a D+. Davis remarked that the agency nearly garnered a C rating. Norris said the score does not reflect recent progress, and she expects a higher rating next year. In the future, cyber security may see increasing consolidation at the federal level. In the spring of 2005, OMB kicked off the Information Technology Security Line of Business task force. This task force is working to identify problems and propose solutions to strengthen the ability of all agencies to foresee and manage information security risks, and to implement improved, consistent and measurable information security processes and controls across government. In addition, the task force seeks opportunities for savings or cost-avoidance through reduced duplication and economies of scale. Extra-Agency Communications Pose Extra Security Challenge “We’re part of a big network,” Secretary Rice noted when asked about cyber security at an employee Town Hall meeting June 3. “And the irony is that the more open the architecture, the more you are susceptible to the kinds of problems that you are talking about,” she added. From the country teams in embassies to a huge com- munity of domestic government workers involved in for- eign affairs, State conducts business with other agencies daily and around the clock. As a member of the intelli- gence community, the department is involved in the national effort to share information more effectively in the global war on terrorism. Employees who work with other agencies know that efficient and safe connectivity is often lacking. Government-controlled lines link some agencies, but not in a comprehensive fashion. As a result, a lot of message traffic travels over public communication lines, including the Internet. Glen Johnson, who directs the Office of Verification Operations in the Bureau of Verification and Compli- ance, is one of the leading IT sec- tor managers in the department. He follows standards set by DS and IRM. Johnson says that his greatest challenge is not protecting his bureau’s internal systems, where highly classified national security information resides, but securing transactions on the Web. He faced that challenge when he was named director of the Iraq Transition Management Staff, which replaced the Coalition Provisional Authority with a U.S. embassy to Baghdad one year ago. The major players, State and Defense, each had an elaborate plan for the transition, covering every aspect from construction to medical services to staffing require- ments. State’s plan was 100 pages; Defense’s weighed in at 600. Both documents were Sensitive but Unclassified. To harmonize the plans and to coordinate the transi- tion operations, Johnson enabled the main players from State and Defense to communicate electronically through collaboration software purchased from Groove Networks. Using Groove, the department set up a pro- tected virtual work space that project personnel could access over the Internet to send each other e-mail and documents, and to mark up each other’s drafts. Because technical problems prevented the National Security Council and USAID from participating, they received the important documents in hard copy. But Groove is no cyber-security silver bullet. To be used generally, the program would have to be installed individually on each network computer, and the usage fee is high. Trade-offs Between Security and Usability Many businesses and government agencies allow employees access to their corporate data from outside the office with a password, but State does not. Because State’s unclassified network carries material labeled SBU, containing, for example, personal financial and medical information, current regulations require multiple layers of security — requirements that exceed those of most institutions and that have defeated attempts to provide remote access to large numbers of employees. A questioner at Secretary Rice’s June Town Hall F O C U S S E P T E M B E R 2 0 0 5 / F O R E I G N S E R V I C E J O U R N A L 55 “The kinds of things you see in the newspapers are not theoretical threats. They are happening on our network every day.” — Chief Information Officer Jay Anania