The Foreign Service Journal, September 2005

meeting complained about this. “Many of us travel constantly on government business, negotiating all over the world, and we’re forced to establish Yahoo and Hotmail accounts to perform our business from overseas.” In fact, when State’s eDiplomacy Office, which advocates the technology needs of the workforce, asked employees in 2003 what they wanted from IT services, their No. 1 request was to access unclassified information from home or on the road.

That capability would also support more telecommuting. Rep. Frank R. Wolf, R-Va., inserted a provision in the 2006 appropriations bill to penalize agencies that fail to make telecommuting more widely available. Last April, the Government Accountability Office told the House Government Reform Committee that telecommuting should be seen as “an important and viable option” to help ensure continuity of agency operations.

Telecommuters need to enter the unclassified network from computers outside the network, and Wolf’s pressure forced State to rethink its stringent rules for access.

Two of the basic ways to protect a network from unauthorized intruders are to encrypt the data — wrapping it in code — and to require every person attempting to access the data to verify his or her authenticity. Glen Johnson explains three basic means to verify access: 1) what you know (a password); 2) what you have (a token); and, 3) what you are (biometric means like fingerprints or iris scans).

Passwords can be stolen easily, whether by observing someone while they log on or by installing a “key logging” program that records what they type in. The department chose to enable remote access for telecommuters by giving them a token as a second means to prove their identity: a small random-number generator that would give the employee a new, unique access code at each remote log-on.
A less expensive and simpler option, providing access to e-mail with an extra password, was not favored for a variety of reasons including internal regulations governing the transmission of SBU information.

The pilot program, dubbed ONE (for OpenNet Everywhere), has completed tests by about 100 employees, and will offer remote access to most functions of the unclassified network to somewhat more than a thousand participants by the end of September. In addition to teleworkers, State personnel on detail to other agencies and others with special needs, like frequent travelers, will be eligible for ONE. Bureaus will pay a fee to IRM for the service.

In addition, CIO Anania says that use of BlackBerry devices, which can receive and send e-mail in wireless fashion, will be allowed more generally on OpenNet. That follows a year of testing with a few groups of Washington personnel. BlackBerries, commonly used in corporate settings and other government agencies, comply with federal cyber-security standards but are too costly to operate for widespread deployment.

Foot-Dragging

Improvements like ONE and allowing BlackBerries are coming somewhat late to the State Department, and they will not provide remote e-mail access to all employees. Jerry Gallucci, who directed the Office of eDiplomacy until June 30, said that foot-dragging on the part of cyber-security personnel prevented the department from making progress toward easier remote access.

For example, over the past seven months, department offices reviewed the regulation that prohibits sending SBU information over the Internet. Gallucci said working-level IRM cyber-security experts acted to sidetrack any revision rather than find a way to meet what he judges to be a requirement. “They’re not in that business yet,” he says.
According to Gallucci, the assertion of “security concerns” has often been used to provide cover for career technical and information security personnel who are unfamiliar and uncomfortable with the newer technologies already in widespread use in the private sector and elsewhere in government. “They fear what they don’t understand,” says Gallucci, and so they block efforts to achieve essential capabilities such as remote access to unclassified e-mail.

However, it is also true that the more liberal private-sector cyber-security practices have permitted highly publicized leaks of customers’ personal data over the past several months. In June, CardSystems Solutions, a third-party processor in Tucson, Ariz., that handles payments on behalf of several credit card companies, announced that hackers stole information for as many as 40 million cards. That security breach was the largest in a series of incidents in which online confidential information was exposed.

Are State Department employees’ personnel files safer than their credit-card records? Yes, according to Norris, partly because of measures such as State’s insis-
