Donald R. Reid
Senior Coordinator for Security Infrastructure, Bureau of Diplomatic Security
Keynote Address before the Armed Forces Communications and Electronics Association, Bethesda (MD) Chapter
Thank you very much for the opportunity to talk about an organization that I have found amazingly dynamic and resilient. The Diplomatic Security Service is entering its 25th year doing what it was originally charged to do – providing a safe and secure environment for the conduct of U.S. foreign policy. Created in the wake of the 1983 marine barracks bombing in Lebanon, the principal missions of DSS are the protection of people, facilities and information. While that job has always been exceedingly challenging, when I think about next year’s transformation in Iraq from a military operation to a diplomatic and nation-building effort, the implications for the Bureau of Diplomatic Security are enormous. More on that thought a bit later.
Often, an organization can become defined by external events, and for DS the single date, August 7, 1998 -- when we lost our embassies in Dar es Salaam, Tanzania and Nairobi, Kenya -- was just such a day. Those bombings echoed events in Lebanon at our founding and reconfirmed that terrorism likely would be the greatest continuing threat posed to our diplomatic efforts around the world. I have been asked to talk about Diplomatic Security’s defensive efforts in the cyber age, and we do face some interesting challenges. The Diplomatic Security Service is a major law enforcement organization and certainly the one with the largest overseas presence. While I will address diplomatic security’s cyber challenges, I also want to mention some of the ways diplomatic security employs technology to meet its global terrorism, criminal, and security threats.
Our overseas embassies and consulates, some 285 of them, have been characterized by some as “fortress America” for their physical security requirements seemingly being at odds with the art of diplomacy. But the dangers our people face demand solutions that work. In just the last two years, we’ve seen our missions in Istanbul, Sanaa, and Peshawar subject to suicide attacks and bombings; our embassy in Belgrade set afire; and consulate employees gunned down in Ciudad Juarez. While the physical security improvements we use today are impressive, those leveraging technology are equally so. Every overseas embassy and consulate has sophisticated alarm systems, access control devices and extensive digital camera coverage both inside and outside our missions. The duty Marine Security Guard has a complete display of on-going activity in the mission. The data from these devices is also sent encrypted over the Internet to our state-of-the-art, 24/7 Command Center in Northern Virginia.
From this Command Center, we might detect an alarm activation at one of our “lock and leave” posts where, lacking the around-the-clock presence of a Marine Security Guard, we can troubleshoot from Washington. If one of our larger posts having a Marine presence comes under attack by terrorists, standing procedures call for staff to congregate at pre-designated safe havens within the mission. In these situations, the Marines and Regional Security Office staff are fully engaged in taking appropriate defensive measures. The Diplomatic Security Command Center can become an additional set of “eyes and ears” for the regional security officer (RSO) by remotely activating the cameras and advising the RSO on what developments are taking place outside his mission. At a minimum, our recording and storing of the digital data facilitates after-action analysis of what actually happened.
The armed attack on our consulate in Peshawar last April is illustrative. Three vehicle-borne improvised explosive devices were used in an attempt to breach the consulate perimeter. The militants were armed with AK-47s, rocket-propelled grenades, hand grenades and suicide vests. The attack did not succeed, but in Washington we were able to assemble an impressive digital rendering of just how the attack unfolded – ready for morning threat briefings at the State Department! Of course, more deliberate analysis of the video tape, the physical crime scene, witness observations, and more helped us better understand the escalating sophistication of these attacks in Pakistan. Consequently, we can adjust our response and operating procedures to tighten defenses if (or when) faced with future attacks.
Our political and economic officers, our public diplomacy professionals, and others in the embassy whose core functions lie outside the hardened walls of the mission generally must travel to meet with their host country counterparts. In many areas of the world, that travel can encounter improvised explosive devices, roadside blockades, unofficial checkpoints, and more unknowns. In many of those non-permissive regions, diplomatic security has deployed life-safety technology generically referred to as “Blue Force Tracker” (as in “friendly” force). This is GPS-enabled emergency 9-1-1 alerting technology (I call it “On-Star on steroids”) that is installed in our vehicles and aircraft and is simultaneously monitored at the embassy, the military’s tactical operations center, and our DS Command Center so all have a common situational awareness of all friendly forces. If someone comes under attack while traveling, gets involved in a threatening situation, or similarly becomes disabled, they can activate the beacon and if necessary an extraction team can be dispatched.
This device has been a real technology success story for us. Initially each unit cost about $15,000, could only operate over classified communications channels, its use had to be disguised, and its operations were complex. Over the years, we have dramatically reduced its size and cost, operate it encrypted over commercial lines, and can share the technology with our foreign and allied partners. Most importantly, however – it works! Back when the vice president was Senator Biden, he traveled with Senators Kerry and Hagel to Afghanistan. On a helicopter flight to Bagram air base, the party encountered severe weather and was forced to touch down on top of a snow-covered mountain. Communications did not work and the blue force tracker was activated. Several hours later an extraction team was able to get the party to Bagram.
At the monitoring center itself, we have three dimensional, geospatial displays of the terrain and the ability to embed historical threat information related to specific geo-coordinates. This greatly assists in the planning of any vehicle movement outside of a safe zone. This BFT technology can be deployed for other diplomatic purposes also, such as use by election monitors deployed in a number of countries.
Another capability we employ for vehicle movements in high-threat environments is mounted digital cameras. We store their data for significant periods of time and find that they add significantly to our understanding of unexpected events. For example, in July 2009 then-ambassador to Iraq Christopher Hill’s motorcade encountered a roadside improvised explosive device. No one was injured, but the captured camera footage was very helpful in identifying investigative clues for follow-up.
Let me quickly mention just a few more examples of how diplomatic security uses technology.
Earlier I had mentioned the challenge ahead as the military pulls its remaining forces out of Iraq by the end of next year and when Diplomatic Security inherits full security responsibilities for the remaining U.S. presence. We will have the need for mine-resistant, ambush-protected vehicles (M-RAPs), an air fleet of fixed wing and helicopter aircraft, a counter-improvised explosive device capability, a counter-rocket capability and many more sophisticated security requirements not normally in our kit bag. Perhaps the best description of this challenge that I’ve heard is the humorous remark that 166,000 military troops are being replaced by 85 diplomatic security agents! Clearly, to provide the most secure environment for our diplomatic efforts in Iraq will call on us to rely even more on our contractor partners.
Perhaps not as visible, though, is our companion need for logistical and other support that will not be provided by U.S. contractors, but by Iraqi and third country national employees. Much of that support will transition from existing DoD contracts, but one challenge Diplomatic Security will face will be to ensure these potential employees are vetted to our standards. We have seen examples in Iraq and Afghanistan of how determined our adversaries can be in trying to breach our compound security. In Iraq, we will leverage DoD biometric automated toolset infrastructure and expand its use as necessary to meet our needs. Operational since 2003, this capability and its legacy data will be critical to our success as we make difficult vetting and access decisions.
Much of the threat we face that I have discussed thus far is externally driven. But, clearly we in the State Department have a not insignificant insider threat potential. In addition to our thousands of Foreign Service, Civil Service, and U.S. contractor employees, the State Department employs tens of thousands of foreign service nationals and locally employed staff around the globe. Many of these employees have access to our “.gov” network and each poses the potential for being an inside threat, whether witting or not.
At this point of my talk, I’d like to focus on the cyber threat and share with you some of our experiences over the years. As I have indicated, Diplomatic Security does an impressive job providing physical protection for our people, facilities, and information. And, when the State Department designed its communication architecture years ago, some very bright people insisted all communications be long-hauled back to the states and only two access points to the internet be established. That decision has served us well over the years. Yet, we also know any access to the internet establishes the necessary link for vulnerabilities to be exploited.
Some of you are aware that, at the State Department, the Chief Information Officer and the Assistant Secretary for Diplomatic Security both have mutually supporting responsibilities for the security of our networks. Diplomatic Security is responsible for 24/7 monitoring of the networks, responding to incidents, establishing cyber security policy, analyzing the threat, and more.
One day in May of 2006, two seemingly insignificant events occurred. The first was the arrival of a new deputy CIO who set about becoming familiar with his duties. The second was a spoofed e-mail being sent to a number of employees at a variety of posts in our East Asia Pacific region. The e-mail contained an attachment entitled “Senator Feinstein speech on Taiwan” and one of the recipients was a foreign service national librarian at one of the recipient posts. She opened the email, clicked on Senator Feinstein’s speech … and the deputy CIO’s day went south!
I’m sure you know the rest of the story. Once the attachment was opened, a backchannel communication path to a server in China was established. As the intruder began surveying our network, our Washington-based monitoring center picked up on the activity, alerted the new deputy CIO, and reported the intrusion to U.S. CERT. Over the next few hours and days we saw evidence of the intruder moving laterally in our systems, yet taking no action to exfiltrate any of our data. Still, the activity was compromising a growing number of posts in the region and we could not identify the source or stop the movement. Diplomatic Security has highly skilled computer security officers at key regional offices around the globe and we dispatched the one closest to the intrusion to assist in identifying the initial infection vector and obtaining a copy of the malware.
Within four days we had 24 posts in the region infected and the deputy CIO was faced with the decision to cut these posts off from the Internet or continue to monitor what was not yet malicious activity. He decided to permit continued Internet access for all posts, but additionally he directed that at any point there was evidence of exfiltration of data, we were to sever the Internet connection immediately. By this time, our Regional Computer Security Officer had arrived at the initial infection post and obtained a copy of the malware. In Washington, where we had now established a 24/7 task force operation within the Secretary’s Emergency Response Center, we received the suspect malware and shared it with the anti-virus community. We were shocked to then learn we were dealing with two zero-day exploits and called on a very skilled contractor partner to assist in designing a temporary protective wrapper for our systems. About three weeks into this event we saw the first signs of data exfiltration and the deputy CIO “pulled the Internet plug” on two dozen posts in the region. This, of course, dramatically impacted these posts’ daily activities, especially with respect to processing thousands of visas. Over the next two weeks we worked with the posts to cleanse their systems, perform a series of mitigations, and validate their work before they were reconnected to the Internet and permitted to start up normal business activities.
Today, like everyone else, we face cyber threats to our networks and access attempts to our systems that are constantly changing. Spear phishing campaigns remain a staple of what we see every day. We have watched them mature and grow more aggressive. In parallel, our cyber security awareness programs have become more creative and our cyber defenses more tactical in nature. Let me give you a generalized sense of what I’m talking about.
I briefly mentioned that I had a cyber threat analysis capability, but I’m sure I didn’t crow that it won NSA’s Frank Rowlett Award for Information Assurance because of the leading-edge work it does. If you recall, the initial vector to the East Asia Pacific intrusion I just described was a spear phishing email. For State, these types of computer network operations number in the thousands each and every day against our networks and we employ many and varied layers of protection against them. For example, our 24 by 7 network monitoring center can engage in full packet capture of network traffic. My threat analysis folks analyze this data for known and emerging patterns and trends. They have long-established relationships with the greater computer network defense community and we have great interface with appropriate law enforcement entities. We have now reached a point where our data informs several types of predictive analysis which in turn support our tactical awareness programs. Let me give you an example.
At the State Department, we have seen spear phishing focus on employees in particular professional fields (for example, economics officers, political officers, or public diplomacy professionals). Our tactical awareness program reaches out individually to these employees, educates them to the nature of these attacks, the network access the adversary hopes to gain, the information they likely want access to, and the indicators this activity is purposely directed. Of late, we have seen a correlation between a spike in targeted spear phishing campaigns seemingly related to upcoming foreign policy forums. We have had great success in reducing the potential damage from spear phishing because of the analytical investment we have made.
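An added example, not from the speech and not the Department's own tooling, of the kind of role-by-role spike check such predictive analysis could rest on: it runs over a constructed sample of user-reported phishing e-mails and flags days on which one professional field receives far more reports than its recent baseline. Roles, dates, subjects and thresholds are all constructed assumptions.

```python
"""Added example: flag spear-phishing spikes per targeted professional field."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample reports: (report date, recipient role, subject line).
SAMPLE_REPORTS = [
    (date(2010, 11, 1), "political", "Agenda for bilateral talks"),
    (date(2010, 11, 1), "economics", "Trade figures Q3"),
    (date(2010, 11, 2), "political", "Delegation list"),
    (date(2010, 11, 3), "economics", "Invoice attached"),
    (date(2010, 11, 4), "political", "Draft statement"),
    (date(2010, 11, 5), "political", "Summit briefing (updated)"),
    (date(2010, 11, 5), "political", "Summit talking points"),
    (date(2010, 11, 5), "political", "Revised summit agenda"),
    (date(2010, 11, 5), "political", "Summit seating chart"),
    (date(2010, 11, 5), "economics", "Trade figures Q3 revised"),
]


def daily_counts_by_role(reports):
    """Return {role: {date: count}} from (date, role, subject) records."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, role, _subject in reports:
        counts[role][day] += 1
    return counts


def find_spikes(reports, window_days=3, factor=2.0, min_count=3):
    """Return (role, date, count, baseline) tuples for days on which a role's
    report count exceeds `factor` times its mean daily count over the previous
    `window_days` days (days without reports count as zero). `min_count`
    keeps a single stray e-mail against a quiet role from raising an alert."""
    counts = daily_counts_by_role(reports)
    spikes = []
    for role, per_day in counts.items():
        for day in sorted(per_day):
            window = [per_day.get(day - timedelta(days=i), 0)
                      for i in range(1, window_days + 1)]
            baseline = sum(window) / window_days
            count = per_day[day]
            if count >= min_count and count > factor * baseline:
                spikes.append((role, day, count, round(baseline, 2)))
    return spikes


if __name__ == "__main__":
    # Each flagged (role, day) is a candidate for a targeted awareness brief.
    for role, day, count, baseline in find_spikes(SAMPLE_REPORTS):
        print(f"{day} {role}: {count} reports vs baseline {baseline}")
```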
We face additional challenges because of the constantly changing cyber environment. Take for example the rise in the use of social networking sites and its effects. Facebook alone has over 500 million visitors, fully 70% of which are from outside the United States. The Department of State has embraced the use of social networking sites as a communication vector but as the “Robin Sage Experiment” clearly indicated, social networking sites can be used as an information gathering tool by people who are not who they claim to be. Social networking sites and aggregators are open source information gathering gold mines that allow bad actors to refine spear phishing emails. At the State Department, our employees who are fully sensitized to these campaigns have reliably reported a shift by some adversaries toward using personal email accounts as a potential attack vector to breach the “fortress walls.”
Again, thank you for the opportunity to share just a little bit about an amazing organization and thanks for your time.