The OpSec Blog

Security and privacy information and advice at home and abroad.

Archive for March 2011

RQ: What Was Your Best Day in the Foreign Service?

A reader sent me a question that made me think for what turned out to be a significant amount of time.  They asked,

What was your best day as an SEO?

After careful thought, the following is a location and PII-neutral and “operationally secure” version of what I believe was my best day as an SEO.

CIA Spy Tools Galleries

Two recent posts on the Threat Level security blog are of interest.  Both are photo galleries of various exhibits at the International Spy Museum in Washington D.C.  If you’ve never been, I highly recommend it.

Tools of Tradecraft #1

Tools of Tradecraft #2

If your first impression is, “Wow, straight out of James Bond!” you get the general idea.

Written by OSB

29/03/2011 at 20:21

Need to Know: Executive Order 13526

Executive Order (EO) 13526 is the latest of three recent EOs detailing the procedures and guidelines concerning National Security Information.  It replaces the provisions of previous EOs 12958 (Clinton) and 13292 (Bush).

As far as important documents go, this one is right up there.  The EO dispels the myth that classification levels other than “Top Secret”, “Secret”, and “Confidential” exist.  There’s no “Ultra Top Secret” nonsense or anything like that.  Section 1.4 Classification Categories is used on a daily basis by your typical SEO when classifying documents to send off to whoever needs them, as all classified information must have a justification.  Section 1.5 details the duration of classification, which is usually capped at 25 years from the date of the original classification.

I won’t bother going through the entire document, but it’s a relatively interesting read as far as “things you need to know to do your job” goes.  If everyone was as well-versed in EO 13526 as I was, I wouldn’t have to argue with so many people…

Blogging, the Foreign Service, and Security

Anonymity on the internet is hard.  As anyone who has read a few posts of mine will know, I’m an SEO.  I’ve been in multiple years.  You might even surmise that I’ve served in multiple locations and in Washington.  I’ve also mentioned a few relatively minor operating procedures that might be deemed sensitive enough to warrant an e-mail asking me to remove or edit the passage in question.  Other than that, I like to think I’ve done a pretty good job maintaining anonymity in blogging about the Foreign Service and about the rather touchy issues of security, privacy, and safety.  Blogging has really matured as a source of information, and Foreign Service blogs give the public and especially prospective employees a unique portal into our little world.  In that sense it is quite a shame that recently a popular Foreign Service blogger decided to close up shop due to an official request.

The details of the blog’s shutdown and the exact circumstances of the incident are a private matter between the Department and the blogger, but I will say that when I saw the post I could smell trouble coming.  There are certain things you simply do not post, period- and this blogger crossed that line in the sand.  I won’t say they should have known better, but I fully support the justification I assumed was cited for removing the post, as it dealt with a rather serious overseas security issue.

When I started this blog I vowed to keep it as anonymous as possible.  I want my personal and professional identity completely separate from my online identity.  I do not want future colleagues and superiors to form opinions about me based on my online identity before they meet me in person (or before my corridor reputation precedes me).  I do not want people popping into my office and leading off with, “Hey, nice post yesterday!” because it makes me feel even geekier than I already am.  Anonymity, in a way, sets me free.

Numerous Foreign Service bloggers choose to put their names, cones, current assignments, even family details out in public.  I clearly do not agree with that approach, but fully support another’s right to do so provided their blog complies with the myriad of FAMs, USCs, FAHs, and EOs we operate under as State employees.  What you lose in anonymity you gain in exposure (perhaps?), possible credibility, and… well, what exactly?  This is the question I pose to my readers, and I hope you’ll take the time to answer (come on, don’t make me look like an even bigger fool!):

Do you blog anonymously?   Why or why not?  What advantages or disadvantages do you gain from your approach?  Where’s the balance?

Google’s Guide to Management Success

Last week Google announced the results of a study on how to build more effective managers (NYT article, list of good behaviors).  The following is the list of Eight Good Behaviors and how they apply to my day to day job as a Security Engineering Officer (SEO).  While I’ll use SEO examples just because that’s what I know, you can really apply these to any specialty, cone, or upper-level position in the Foreign Service.  I wish that some of my (former) bosses and former friends’ bosses would take some of these to heart…

To follow along, Google’s advice will be bolded, with sub-items indented in an unordered list.  My commentary will be italicized.

1. Be a good coach

  • Provide specific, constructive feedback, balancing the negative and the positive.
  • Have regular one-on-ones, presenting solutions to problems tailored to your employees’ specific strengths.

I completely agree with having a good “mentor” (the FS word for “coach”) or mentors throughout your career.  SEOs are thrust into the management scene fairly early on in their careers; it’s not uncommon for junior SEOs to supervise multiple other direct hires, local staff, or contractors in their first tour.  Given that they’re fresh out of training, it’s hard to mentor an STS who has been on the job for 15 years and a Seabee who has fixed more locks than you can shake a stick at.  That’s where you seek the advice of a more senior SEO on what to do.  I haven’t met an SEO yet not willing to help out a junior colleague.

2. Empower your team and don’t micromanage

  • Balance giving freedom to your employees, while still being available for advice. Make “stretch” assignments to help the team tackle big problems.

One of the worst experiences as an SEO I can remember was on my training temporary duty (TDY) in which the well-meaning Officer In Charge (OIC) at the post I traveled to stood over my shoulder while I was trying to do something I had never done before.  I resolved never to do that to one of my people if I ever made it that high.  As a manager I emphasize that I trust the expertise of the people working for me, and that I’m always available to lend whatever assistance I can.

3. Express interest in team members’ success and personal well-being

  • Get to know your employees as people, with lives outside of work.
  • Make new members of your team feel welcome and help ease their transition.

This really should go without saying.  I can promise you that at small posts this is not an option- you know everybody’s business (and everyone knows yours) whether you want to or not.  The Foreign Service also does an incredible job of welcoming new employees whether in orientation or fresh off the plane in a new place.

4. Don’t be a sissy: Be productive and results-oriented

  • Focus on what employees want the team to achieve and how they can help achieve it.
  • Help the team prioritize work and use seniority to remove roadblocks.

This is a nice idea, but it’s not how things work in the Foreign Service or in DS.  “The team” doesn’t decide what they want to do- you do (or your boss does)!  If you don’t like that, tough it out- you were hired for your ability to see the big picture and adjust resources as appropriate.  You need to integrate your team’s strength into the overall plan, and put people on course if they’re astray.  While you should never close the door to employee input, as the SEO you’re going to have the final say (unless the Regional Security Officer (RSO) or Ambassador stops you, which is rare because they usually turn to you for technical security advice).

5. Be a good communicator and listen to your team

  • Communication is two-way: you both listen and share information.
  • Hold all-hands meetings and be straightforward about the messages and goals of the team.  Help the team connect the dots.
  • Encourage open dialogue and listen to the issues and concerns of your employees.

Communication skills are not only essential when dealing with the engineering team; you’re also going to have to deal with lots of other embassy employees on a daily basis to do your job.  The General Services Officer (GSO) and Facilities Manager (FM) own the building and embassy grounds.  The Financial Management Officer (FMO) controls the cash.  The RSO will make your case to the Ambassador with, if you do it right, their blessing (usually enough to get the Ambassador to sign off).  An embassy is one large team- nobody can do their job well without involving multiple others.

6. Help your employees with career development.

This sort of goes back to #1.  The mentor program in DS is excellent- volunteers are enthusiastic, knowledgeable, and usually bend over backwards for their apprentices.  You also make a good friend in the middle management, a relationship which can pay off handsomely if they rise into the upper echelons.  As an SEO, you owe it to your Seabees and Security Technical Specialists (STS) to write excellent Employee Evaluation Reports (EERs) that will get them promoted.  This is a great situation- rarely will an SEO be in a position to write an EER for a colleague who might compete against them for promotion in a reasonable amount of time.  There’s no conflict of interest and everyone’s happy (in theory)!

7. Have a clear vision and strategy for the team

  • Even in the midst of turmoil, keep the team focused on goals and strategy.
  • Involve the team in setting and evolving the team’s vision and making progress towards it.

My favorite boss summed up an SEO’s job in five words: “Keep people alive.  Protect information.”  If an SEO is doing something unrelated to those ideals, they are not doing their job right.   In a stressful situation I’ve never had a problem keeping my team focused on the task at hand, and everything we do makes progress towards those intangible goals.  (Since last March he told me he had gotten it down to four words; “Nobody dies.  No Wikileaks.”)

8.  Have key technical skills so you can help advise the team

  • Roll up your sleeves and conduct work side by side with the team, when needed.
  • Understand the specific challenges of the work.

Guess what?  You don’t have a choice whether or not to learn the technical skills needed as an SEO.  If you don’t, your employees are going to resent you as the paper-pusher.  If you don’t, you will not get promoted.  If you don’t, your corridor reputation will suffer.  SEOs are managers- but if you’re not capable of doing even just a B+ job (compared to a Seabee or STS)  on any of the technical systems we deploy overseas, I would suggest that you are no longer qualified to do your job.

Well there you have it- a jumbled and fairly incongruous summary of management from an SEO’s perspective.  Google also lists “Three Pitfalls of Managers” which I won’t spend time going over- basically all you have to do is put a “Don’t” in front of #1-8 above and you have a good idea of what they’re getting at.

Got any good management tactics from a previous or current job you’d like to share?  Leave one in the comments.

Most Desired Employers- DOS #4

The Department of State was recently ranked fourth in a poll of “young professionals” (college graduates with 1-8 years of work experience) behind Google, Apple, and Disney, as reported by the Wall Street Journal.

Government agencies, such as the National Aeronautics and Space Administration, the Federal Bureau of Investigation and the Central Intelligence Agency, also ranked in the top 10. That might be in part because the federal government hasn’t laid off as many employees as the private sector has, Ms. Do said.

Plus, “Those government agencies can articulate a reason for being that gives employees a sense of purpose,” said Jon Picoult of brand consultant Watermark Consulting. “For young people looking to make a difference in the world, they have a good story to tell.”

While I suppose it’s nice to think about, I’m not sure what this poll is actually asking.  What is the point of asking who someone’s dream employer is?  Perhaps a qualifier should have been added to the question; “For a job relevant to your major, who would your most desired employer be?”  Last I checked there weren’t a whole lot of history graduates (one of the most popular college majors) working for Google or Apple.  In any case, it’s nice to see that State has such a positive image amongst these “young professionals.”  I remember a time when State did not have such an image, and there will probably be periods in the future in which this is the case.

Security Firm RSA Attacked

RSA, designers of the SecurID authentication tokens, was reportedly the victim of a sophisticated cyberattack on Thursday (New York Times, Ars Technica, RSA Open Letter).  While they’ve determined (so far) that the SecurID tokens have not been directly compromised, the attack is just the latest in a string of highly sophisticated assaults on US-based companies involved in protecting National Security information.

This could have direct implications for the State Department, which was in the final stages of implementing the SecurID tokens for global mobile access to the unclassified Department network.

As a Security Engineering Officer not currently assigned as a Regional Computer Security Officer (RCSO), I don’t have much of a stake in this.  Cyber security is not part of our daily job; Information Resource Management (IRM), with the assistance of the RCSOs, does a good job protecting State Department networks from attack.  I will say that two-factor authentication, a common security best practice, does not mean much if one factor is broken (such as the SecurID token).  I am sure IRM (…and numerous other government agencies) is following the story closely as it develops.