Monday, September 26, 2016

Schemes and scams from an unlikely place

U.S. computer networks, government, commercial, and private, are under almost constant attack, many of these attacks coming from abroad. Computer, mail, and telephone scams abound, many also coming from abroad. The standard villains when we hear of hacking attacks against our computer systems are the Russians, the Chinese, and on occasion the North Koreans. When we hear of computer scams, we usually think of the Nigerian groups who are famous for this activity.
There is, however, another source of both these assaults that seldom gets mentioned in the press; India. India, location of many computer self-help desks for U.S. companies, supplier of many IT techs who keep companies here going, is also the source of a lot of vicious computer hacking attacks, and at least one telephone scam that I’m personally aware of.
My son is a computer engineer for a Virginia-based company that provides hardware and software globally. Many of his colleagues are Indian nationals, who he describes as some of the best in the business. But, every coin has two sides. If some of the best programmers and computer engineers come from India, it’s safe to assume that there are also a fair number of black hat hackers who will try to penetrate networks either for the sheer challenge, or to do harm.
I have personal experience with this. This morning, I woke up to find emails from my email provider, and some of my social network accounts informing me that there’d been an attempt to access these accounts from in IP address in India. Fortunately, my firewalls and notification protocols prevented total compromise of my system and accounts, but I had to spend hours that could have been devoted to other tasks, changing all my passwords—a real pain in the . . . neck.
I’m pretty sure I’m not the only victim of this penetration attempt. Another thing that’s come out of India is a phone scam that is really, I mean, really annoying. Your phone rings; caller ID shows a number and the label ‘Wireless Caller.’ If you’re the type to answer calls from unknown numbers, you’ll pick up and hear what gets left on my answering machine; a clearly digital voice of a woman with no discernible accent informs you that the IRS has filed a court case against you and that you must call the number they give you to get the details. I’m not sure what this phishing expedition is looking for, but no way in hell am I calling that number. I’ve reported this to the IRS twice—because I’ve received this call from at least two different area codes and numbers. Not that it’ll help. My son-in-law, who is a postal inspector (the Post Office’s law enforcement arm), informs me that this scam is known to be based in India, but U.S. authorities are unable to track it to a specific address, and even if they did, it’s unlikely the Indian government would cooperate in shutting it down.

So, what am I saying here? The threats to our computer systems are real. Con artists are lurking behind every computer screen or at the end of every phone call, looking for a weakness to exploit. A lot of them come from the places that get the lion’s share of the news, but not all of them.

Sunday, September 25, 2016

How secure are our government computer systems, and does Congress really give a damn?

With all the hyper-partisan noise about Hillary Rodham Clinton’s admittedly unwise use of a private email server during her tenure as secretary of state, an important issue has not been raised in the media among the flurry of coverage of this issue: just how secure are all those government servers that she—and several of her predecessors, for that matter—declined to use?
The furor over Clinton’s use of a private server is a lot of smoke without a flicker of flame. There’s not a scintilla of evidence indicating that the server she used was ever compromised. There is, however, a lot of evidence that U.S. Government computer systems, including those of the Department of Defense (DOD), Department of State (DOD), and other government agencies, have been repeatedly penetrated by hostile hackers, believed to have originated from Russia and China.
In the mid-1990s, for example, it was estimated that on any given day, 5 to 6 DOD computer systems were controlled by hackers. In 1996, DOD’s Milnet computer system (including the Joint Chiefs of Staff and the Defense Logistics Agency) were compromised. In 2006, the DOD’s unclassified email was hacked, shutting the system down for several days; the intrusion was believed to have originated abroad. In response to the early intrusions, plans were laid in 1996 to create a Defense Cyber Command to deal with them, and in 2006, the US Air Force Command was created.
These problems were known to the public, but you can search all you want and you’re unlikely to find much media coverage of the issue; certainly not to the degree that HRC’s email server is covered. For instance, in 1998, a group of hackers testified before congress on just how easy it would be to bring down the Internet. That should have provoked a flurry of frantic media coverage—but, it didn’t.
For that matter, nor did the 2008 compromise of DOD’s classified computer system, or again in 2015 when DOD’s unclassified email system was again hacked.
As for the Department of State, in 2014, the DOS email system was hacked and had to be shut down. At the same time, the White House email system was targeted, but as far as we know that attempt was a failure. As far as we know.
There was a momentary upswing of media coverage when the Office of Personnel Management (OPM) system was hacked twice in 2015 (supposedly by hackers in China), compromising over 25 million social security numbers, and exposing current and former government employees to hostile action and exposure of their personal data.
If congress was really interested in the security of government computer systems, one would assume that these incidents would be the subject of dozens of hearings and inquiries. Maybe someone up on the Hill is interested, but search as hard as you wish, you won’t find any evidence of that interest.
Maybe, after the November elections, when the dust is settled, some member of congress who is serious about doing his or her job will take on this issue. I, for one though, will not be holding my breath waiting for that to happen, because it offers no political advantage. Taking the necessary actions to really secure our government computer networks will require a lot of hard work and serious thought. The poor schmucks who have to work with those systems are working hard to get the job done. But, the politicians who should be providing them with the legislation and resources to get the job done have their ey

Monday, September 19, 2016

When Laws and Regulations are not enough

When the Korean War began in June 1950, the United States Army, after five years of occupation duty in Japan, was ill-prepared for combat in the rugged terrain of the Korean Peninsula. It was less prepared, however, for dealing with an enemy that ignored the Geneva Convention and subjected Prisoners of War (POW) to brutal and inhumane treatment. At the end of the war, the American government was shocked when 21 American POWs refused repatriation and took up residence in China, or to learn that one in three American POWs had not only collaborated with the enemy, but had mistreated fellow prisoners.
Despite provisions in the Uniform Code of Military Justice (UCMJ) that made collaboration with the enemy or abuse of comrades criminal acts, it still occurred because American military personnel were not prepared to resist the physical torture and brainwashing employed by their captors. Determined to do something about it, the Department of Defense developed the Military Code of Conduct, a simple six-article code to guide American forces in combat or captivity in the future. With only a couple of changes since promulgated by President Dwight D. Eisenhower’s Executive Order 10631 in 1955, the Code of Conduct has since been the legal, moral, and ethical basis for military conduct, nor replacing, but supplementing the existing laws and regulations.
Why do we need Codes of Conduct?
With the many laws and regulations we have that regulate the conduct of government employees, one might legitimately ask why separate codes of conduct are even necessary. As the Defense Department learned during and after the Korean War, having laws prohibiting conduct is often not enough to enable individuals to make appropriate decisions in situations of uncertainty.
In the last several decades more and more organizations, government and private, have come to the realization that laws and regulations alone are not enough to equip people to do the right thing.
Doctors, nurses, firemen, lawyers, police officers, therapists, and accountants are among the many professions that have a formal code of ethical conduct in addition to the man laws and regulations they must abide by. The diplomatic and government officials of the UK, Canada, Australia, New Zealand, and Nepal, among others, have codes of ethical behavior to complement the laws and regulations that guide their conduct. Sadly, one very important profession is missing from the list of those having formal codes of conduct—the U.S. Foreign Service.
The rationale for codes of conduct is that they enable individuals to make difficult decisions, especially when those decisions edge into the gray areas of ethics and morality. They help protect employees who would otherwise be tempted to compromise their integrity under the influence of unscrupulous individuals. Codes also improve an organization’s external reputation by publicizing the goals and the behaviors that are in line with those goals, establishing clear expectations, and holding members of the organization accountable for their actions.
Following are the commonly accepted traits of a profession:
1.      Performs specialized activities based on possession of advanced specialized knowledge, and the activities are primarily intellectual in nature rather than physical or manual.
2.      Confidential relationship between practitioners and their clients or employers.
3.      A substantial degree of public obligation by virtue of the specialized knowledge practitioners possess and employ in their work.
4.      Practitioners share a common heritage of knowledge, skill, and status.
5.      Work is performed in the general public interest.
6.      Practitioners are bound by a distinctive ethical code in interactions with clients, colleagues, and the public.
Number 6, codes of ethical conduct, is perhaps one of the most important traits of a profession, because it is the organization’s institutional ethics that underpin the other five traits, and it is through a formal, broadly understood code of ethics that organizations earn public trust and support. A commonly understood and accepted code is also critical in building esprit within an organization. Just as the Military Code of Conduct reassures members of the armed services that those serving beside them adhere to a code of honorable behavior, in an organization, having a code of ethical conduct helps members know that their colleagues ‘have their backs.’
Laws and regulations, while necessary are not sufficient
As previously mentioned, the U.S. Foreign Service does not have a formal code of ethical conduct for its members. It stands out among the other Western democracies, and even a few non-western countries in that regard.
Coming as I did from a military background, I noted this lack early in my 30 years in the Foreign Service, but didn’t find it particularly troubling until about midway through my career. During one of my assignments I observed two incidents and their disparate handling that highlighted the problem of relying on laws and regulations alone to control behavior. In the first incident, an American embassy staffer became romantically involved with a local. When an effort to end the relationship resulted in the local staging a rather noisy demonstration in front of the chancery, the American employee was immediately sent home by the ambassador, using the ‘loss of confidence’ authority that all chiefs of mission have. Some months later, foreign mercenaries were present in the country, and the ambassador published a written policy stating that only three officials in the embassy were to have any contact with them. An American staffer (not one of the three the ambassador authorized) began a romantic relationship with one of the mercenaries, going so far as to allow him to spend the night in embassy-controlled quarters, during which stays an armed member of the local military would station himself outside the compound gate. In this case, the ambassador, fearing the employee might sue the State Department or the ambassador for intruding on her ‘private’ life, took no action and ordered the DCM to take no action—to allow the employee, who was transferring in three months, to leave quietly.
Why, one might wonder, would two similar actions be dealt with in such a disparate manner? In neither case was a law or formal regulation—in the State Department, the formal regulations are in the Foreign Affairs Manuals (FAM)—was broken. In the second case, one might term the ambassador’s policy a ‘regulation,’ but for the sake of argument, let’s say it didn’t quite rise to that level. What was violated, in both cases, was local policy and common sense. But, one employee was punished by being ejected from the country, while the other was allowed to leave quietly. Why? It was a judgement call, of course. In the first case, the employee took the punishment quietly, while in the second, it was judged that the employee might rock the boat and file a grievance. While I can understand the decision-making process at work here, it struck me at the time, and still does, that this wasn’t a fair and equitable way to deal with these situations. The regulations were interpreted differently for two nearly identical violations.
This was brought home even more forcefully for me recently when I read about the case of the State Department employee who was punished for refusing to obey an order to violate the Federal Acquisition Regulations (FAR). I’m not directly familiar with this case, but what appeared in media accounts left me fuming.
According to numerous reports, State Department employee Timothy Rainey was instructed by his supervisor to pressure a contractor to rehire a fired subcontractor, an action that would have violated the FAR. When Rainey refused to comply, he was given a negative performance evaluation and relieved of his contracting duties. Rainey filed a complaint with the Merit Systems Protection Board (MPSB), claiming that the Department punished him inappropriately for his refusal to obey instructions that violated federal rules. The MPSB disagreed, finding that the ‘right to disobey’ provision of the Whistelblower Protection Act, which protects federal employees from retaliation for refusing to obey an order that would require the employee to violate a federal law, didn’t apply in this situation because he hadn’t been ordered to specifically  violate federal law. The U.S. Court of Appeals agreed with the MPSB decision, finding that rules and regulations are not laws. The irony in this case is that the MPSB, in coming to its conclusion, cited a Supreme Court decision in favor of a TSA employee who’d been fired for leaking that TSA had cut air marshals on long-distance flights to save money. In this case, the court found that the employee was entitled to whistleblower protection because he’d violated a regulation, not a law.
The foregoing highlights the weakness inherent in a system to enforce ethical conduct that relies on legal interpretations alone. What it illustrates is that actions can be ‘legal’ according to the law, but ‘wrong’ in so many other ways.
Let’s take another look at the military’s experience in the Korean War. The UCMJ is quite explicit in its prohibition of certain behaviors. The seven main articles in the UCMJ that govern conduct in combat or captivity are:
            Article 90: Willfully disobeying a superior commissioned officer
            Article 92: Failure to obey an order or regulation
            Article 93: Cruelty and maltreatment
            Article 99: Misbehavior before the enemy
            Article 100: Subordinate compelling surrender
            Article 105: Misconduct as a prisoner
            Article 104: Aiding the enemy
Yet, despite all these statutes, one in three American prisoners of war collaborated with the enemy; many PWs physically abused their fellow prisoners. What explanation is there for this? The finding of the committee that was established by the Secretary of Defense after the war was that the regulations and laws were insufficient to encourage the desired behavior; that what was needed was some over-arching code that inspired service members to act in ways that complied with the laws and regulations without necessarily being related to a specific law or regulation. The Code of Conduct was designed to encourage not just ‘legal’ behavior, but ‘right’ and ‘honorable’ behavior.

Does the U.S. Foreign Service need a code of ethical conduct?
The Department of State and the other agencies employing members of the Foreign Service, have a number of regulations regarding ethical behavior. The State Department, for example, has the Foreign Affairs Manual (FAM), in particular, 11 FAM: Legal and Political Affairs, which sets out prohibited conduct and financial disclosure rules for all State Department employees. In addition, State has published ethical guidelines on a number of occasions, and a number of bureaus, such as Consular Affairs and Diplomatic Security have established ethical guidelines for personnel assigned to their areas of responsibility.
All of these are laudable and necessary, but, in my view, not sufficient. The FAM regulations, despite the court ruling, are legally-based and define prohibited behavior. Moreover, the standards of conduct, or prohibited behavior, are contained in a thick document that is not that easy for employees to access and that is virtually inaccessible to the public. The various bureau codes are fine, insofar as they pertain to performance of duties in those specific areas, but Foreign Service personnel serve across all bureaus of State, in the other foreign affairs agencies, and on assignment to other federal, state, local and international organizations. This calls for a code of conduct that applies to all Foreign Service personnel, in all situations.
I’d like to say that the aforementioned Rainey case is an isolated incident, but my observations over thirty years tell me otherwise. Despite the volumes of legislation and regulations, there continue to be situations that are in ethical gray areas; cases of inequitable treatment and inappropriate behavior that not only threaten to undermine the morale of the service, but in some cases erode the public’s faith in the Foreign Service as an institution.
A well-designed diplomatic code of ethical conduct, on the other hand, could provide clear ethical standards for diplomatic practitioners, and a reference point that those outside the diplomatic profession could use to assess the performance and behavior of American diplomats. It allows the individual to know what’s expected as acceptable behavior, and provides a guide to making decisions that’s in line with the goals of the organization. By setting clear expectations, it protects the individual practitioner from exploitation by unscrupulous people, and establishes core aspirational values to guide individuals at all levels of the institution. The external reputation of the institution is enhanced when everyone is held accountable by a commonly shared code of ethics.
Who should develop the Foreign Service code?
In my conversations with Foreign Service colleagues on this subject, it has been pointed out on several occasions that the Department of State has published codes of ethical behavior a number of times over the past decade, and moreover, several bureaus within State (Consular Affairs and Diplomatic Security, for instance) have codes of conduct, so the Foreign Service as an institution has no need of one.
With all due respect, I believe they are wrong. While the various ethical codes promulgated by the Department of State are valuable, and laudable, the Foreign Service is an institution established by law, and while the vast majority of Foreign Service personnel do work at State, the Foreign Service is separate from State. Foreign Service personnel also work at the U.S. Agency for International Development (USAID), Commerce, Agriculture, Animal and Plant Health Inspection Service (APHIS), and the Broadcasting Board of Governors (BBG). Like lawyers, doctors, and other professionals, all personnel have to abide by the rules and regulations of the agency or organization for which they work, but other professions also have a unifying professional code of professional conduct. In the military, the activities of army, navy, and air force personnel are quite different, but the Military Code of Conduct is an ethical code that binds them all, regardless of rank or service.
The most effective codes are those that members of the profession feel ownership of. It would seem logical, therefore, that a code of ethical conduct for the Foreign Service should originate from within the Foreign Service itself, and the most logical home for such an effort is the body that represents the entire Service, the American Foreign Service Association (AFSA).
The groundwork for such an effort has already been laid. In 2012, AFSA established the Professionalism and Ethics Committee (PEC), subsequently renamed the Committee on the Foreign Service Profession and Ethics. This ad hoc committee was made up of volunteers dedicated to enhancing the Foreign Service as a profession and promoting the ethical conduct of the nation’s foreign affairs. Having just retired after 30 years in the service, I was honored to be named the first chair of this committee. With the assistance of the Institute of Government Ethics (IGE), we undertook a number of initiatives. One of the first was a survey of AFSA members in 2013, asking them, among other things, to identify the core values they feel are associated with the Foreign Service as a profession.
While a number of traits were mentioned in survey responses, the four that were overwhelmingly chosen as reflecting the highest standards of public service were:
Honesty – Being truthful, transparent and balanced.
Respect  - Giving full consideration to competing perspectives, exercising service discipline, respecting laws, customs, and practices of the United States and the host country, and engaging in a civil and courteous with all persons with whom we interact.
Responsibility – Putting the U.S. Constitution, U.S. interests, and policy objectives before self-interest, and utilizing all resources in the public’s best interest.
Fairness – Acting solely according to the merits of the case at handing and impartially serving, to the best of my ability, the elected administration.
These four traits represent the views of the AFSA membership as reflected in responses to the 2013 survey. While these are the core values as members of the Foreign Service see them, they in no way contradict the values, regulations, or laws of the organizations we serve. On the contrary, they reinforce them, and signal our aspiration to hold ourselves to an even higher standard. Like the physician who abides by the rules of the employing hospital, but at the same time honors the Hippocratic creed to ‘do no harm,’ the Foreign Service should aspire to be the epitome of a front-line force protecting the nation, its people, and its values.

I call upon AFSA, therefore, to step up and do what a professional association is designed to do; take the necessary actions to enhance the status of the Foreign Service as a profession and of AFSA members as practitioners of diplomacy. Establishing a code of conduct is but one of the things needed to achieve that goal, but it would be a useful first step

Wednesday, September 7, 2016

Why doesn't the media swarm all over the Trump Foundation?

The editorial drumbeat continues, with calls for closing the Clinton Foundation even from those media outlets that support Clinton—because even though no wrongdoing has been proven, the ‘optics’ are bad. Okay, enough! Let’s call a timeout on this story and do a comparable bit of editorializing and handwringing about the Trump Foundation. What’s the Trump Foundation, you ask? You weren’t aware of it? I’m not surprised, given the paucity of coverage it’s gotten from the mainstream media. Well, let me fill you in on this little-known aspect of Donald Trump that American media, for the most part, finds less interesting than his crude, arrogant behavior.
The Donald J. Trump Foundation, founded in 1987, ostensibly to funnel Trump’s charitable giving to veterans groups and other needy organizations, was headquartered in New York. Good luck in finding them on the Internet. There’s lots about Eric Trump’s foundation (Eric is the Donald’s son), and tons of stories about the Foundation’s claims, and some of its problems, but no direct link to the Foundation itself. Strange for a charitable organization that got the bulk of its donations from individuals.
Here, though, is what you can learn if you type ‘Trump Foundation’ into a search engine:
-         As of December 31, 2014, the Foundation had assets of $1.3 million dollars, received gifts of $497,400, and gave $591,450 in donations. No details on the nature of those donations (was in cash, or as has been reported, free golf and other perks?).
-         When the Florida Attorney General’s office was considering a fraud suit against Trump University, Florida AG Pam Bondi solicited a campaign donation from Trump (he denies having spoken to her). She subsequently received $25,000 from the Trump Foundation, a violation of the law, as charitable foundations are not allowed to make political contributions. When this was outed, Trump reimbursed the Foundation from his personal funds, and the Foundation paid the IRS a $2,500 fine. Bondi got to keep the money rather than, as the law requires, giving it back to the Foundation. Oh, and shortly after receiving the ‘donation,’ she decided that there was no case against Trump University.
-         Trump has received millions of dollars from Saudis renting his expensive properties in New York, being used for the Saudi delegation to the UN.
-         Since he has yet to release his tax returns, there are still unanswered questions about the nature of his business relationships with Russia.
These are just a few of the background questions about Trump that the mainstream media has failed to deploy battalions of reporters to dig into, as they do each time something about Clinton comes up.

I, for one, would love to read that reporting.

Sunday, September 4, 2016

Why won't the mainstream media dig into Trump's history?

 Ever since it became clear that Hillary Clinton was the front-runner, and eventually the nominee of the Democratic Party for this year’s presidential election, we’ve been treated to a steady diet of her shortcomings, thankfully, only a few Whitewater references, but a never ending string of articles and editorials about her emails, Benghazi, and the Clinton Foundation. What I look for every day, but have yet to see; is the same degree of media scrutiny of her opponent’s checkered past. Except for the occasional article, the mainstream media seems uninterested in examining the skeletons in Donald Trump’s closets—at least not to the same degree they do Clinton.
He’s just a crude, ego-driven trust fund kid, you say, with no regard for the finer social graces, you say? With Clinton, the things in her background go to the issue of trustworthiness. Aw, come on, I reply. Let’s look at some of the bones buried deep in the Trump closet, and you tell me they don’t have anything to do with whether or not he can be trusted.
First, there are his business interests. If the Clinton Foundation is a conflict of interest problem, how can Trump’s far flung business interests, some of them with faint connections to organized crime, not be a potential conflict of interest? If taking money from donors to a charitable foundation exposes you to possible manipulation, what does profiting from the actions and influence of mob do?
From his connection with Roy Cohn, the lawyer who worked with Senator Joe McCarthy during his Red Scare witch hunt, and who himself had reputed associations with organized crime figures to reported mob involvement in the construction of his Atlantic City casino, Trump has long been on the periphery of activities that the mob had a hand in. Trump was even a character witness for Cohn during hearings that led to his disbarment in 1986, shortly before he died. Except for a September 2, 2016 article in The Wall Street Journal, I’ve seen no mainstream media coverage of this.
While the media covered Trump’s meeting with African Americans in Detroit on September 3, there hasn’t been the constant drumbeat of coverage of the actions of him and his father, Fred Trump, to deny rentals to blacks in their New York the 1970s, or the Justice Department discrimination lawsuit, which was settled out of court. The amount of settlement is unknown as the deal was sealed. Still, there should be enough publicly available information to make this an interesting story, especially with his recent efforts to ‘reach out’ to the black community.
There was, for a time, a lot of coverage of the lawsuit against Trump in regards to Trump University, an organization which many former students claim bilked them out of their cash and offered nothing in return. Most of this coverage, though, was generated by Trump himself, when he went after the judge on the case, claiming that he couldn’t be objective because he’s ethnically Mexican-American. That got front-page coverage for a few days, and then disappeared except for the occasional reference buried deep in other articles.
I’m not saying that the media shouldn’t cover Clinton’s problems. If they can find facts to support their claims—and, not just cherry-picked information that supports a preconceived belief—more power to them. I am saying that the equal time rule should apply here. The lack of coverage (or maybe a more accurate thing to say is, the paucity of coverage) of Donald Trump’s skeletons could lead the unaware to think that he was somehow less untrustworthy than his opponent; that his skirts are ‘cleaner.’ You have to dig to find that this is not the case.

If journalistic integrity means anything, both candidates should be covered with a certain amount of equity. Don’t throw mud in just one direction. If the only thing that matters is readership, then Trump’s history will guarantee that too. Or, is his history of suing anyone who offends him with what they write scaring them off?