A Sorry State

As the US wages war, antiquated IT endangers the vital foreign policy mission of the State Department. Can a multimillion-dollar modernisation effort make a difference?

The US State Department at a Glance

SECRETARY: Colin Powell. STAFF: 16,600 American employees. TOTAL BUDGET, 2001: $US7.3 billion. SCOPE: 260 embassies and consulates in 170 countries. RESPONSIBILITY: To conduct foreign affairs for the United States. CIO: Fernando Burbano, equivalent to an assistant secretary. IT STAFF: 2000. IT INVESTMENTS, 2001: $US582 million.

CHALLENGE: To maintain secure and public networks worldwide under difficult physical and political conditions.

The US State Department's IT infrastructure is so antiquated and cumbersome that some fear it is dangerously inadequate for the task of representing US interests abroad. Diplomats who send e-mail inside one embassy building have to wait for the correspondence to make a slow trip to Washington, DC, and back, and those at distant embassies have no good way of sharing information about, say, the spread of disease or plans for dealing with a bombing. The network carrying classified information is obsolete, and many employees don't even have Internet access on their desktop.

Long before September 11, a congressional panel studying the 1998 US embassy bombings in Africa concluded that communication among the State Department's 260 posts around the world was inefficient for dealing with and preventing terrorist attacks. But in spite of congressional criticism and Secretary of State Colin Powell's push for a major IT overhaul when he took office, much of the multimillion-dollar modernisation remains to be completed.

Yet, at a time when the US is fighting a shadowy enemy and relying on diplomacy to keep a fragile coalition from collapsing, the need for IT excellence couldn't be more urgent.

The department has three IT priorities: Internet access for every desktop, new connectivity for classified information and rollout of an information-sharing system for 40 governmental agencies that operate overseas. September 11 has given these plans a jolt.

"We're trying to accelerate [the modernisation], but once it's accelerated there's only so much you can do,"says State Department CIO Fernando Burbano. The State Department's 2002 budget includes $US217 million for modernisation, passed by Congress and signed into law in late November 2001. "You see more support for the government, not just for us. There's increased support for funds directly related to the war,"Burbano adds.

The question is, Will the infusion from taxpayers make a difference at this notoriously bureaucratic agency?

Litany of Woes

Historically, the department has never had much pull up on Capitol Hill. "The State Department is held in very low esteem by almost everyone in town,"according to James Lindsay, a scholar at the Brookings Institution in Washington, DC. The department's focus, for the most part, is on foreign governments and not the people who count with legislators: voters.

It doesn't help that the department is widely perceived as an impenetrable bureaucracy, set in its analogue ways. "The Department of State has never been oriented towards information technology,"says Frank Carlucci, who was a foreign service officer from 1956 to 1980 before becoming Secretary of Defence and National Security Adviser under President Reagan. In February 2001, Carlucci led an independent task force that used words like obsolete, cumbersome and dilapidated to describe the State Department's general infrastructure, which includes the information infrastructure.

Employees share Internet connections on computers not hooked up to the network. All the department's official electronic correspondence passes through a cable system, a World War I relic that delivers 28.5 million ASCII telegrams worldwide each year. Although telegrams are now delivered through an e-mail interface, users say it's difficult to mark them for delivery and receipt. An overtaxed communications line that connects embassies to headquarters is often down. Embassies house offices for many other government agencies, but when a State employee based overseas sends an e-mail to, say, a Defence Department employee whose office is 15 metres away, the e-mail is routed through Washington.

Communication between citizens and State Department officials can be even more vexing. E-mail access at some overseas posts is so sporadic that foreign governments and citizens often can contact Washington more easily than they can get through to people at the local American embassy. For example, this past US summer the Web site for the embassy in Bogotá, Colombia, warned visitors for at least seven weeks that employees would not be able to respond to e-mails because of technical problems.

More dangerous is the threat to national security. The State Department's global network, which carries classified information - confidential, secret and top secret exchanges - is so cumbersome that users may avoid it altogether. "Even when you just want to send an e-mail, you have to punch all these buttons,"says Frank Urbancic, US Consul General in Istanbul, Turkey. Describing his Wang minicomputer and its angry purple screen flashings, Urbancic says: "If you press the wrong one, you lose the whole thing. It's not at all user-friendly. I will never admit that I do this, but the temptation is always there for the staff to talk on [an insecure] phone about things that would be better not talked about."

The way Gartner electronic government analyst Christopher Baum sees it, "Anything involving the State Department is a national security issue. When the communication aspect of the Department of State breaks down, that's when you have to get the Department of Defence involved. Fundamentally, security and communication is what the department is all about, and they need to have an infrastructure to support this."

Burbano, a longtime federal employee who became CIO in 1998, sees IT modernisation as not only removing the barriers to efficiency and security but also as an enabler of "e-diplomacy"across the globe. He and his staff picture officials at US embassies having electronic access to action plans for dealing with terrorist bombings, floods, riots or anything else. They also imagine employees at multiple agencies in multiple countries using an electronic workplace to track the spread of foot-and-mouth disease or, worse, anthrax and other diseases unleashed by terrorists or in bio-warfare.

Three key projects will turn this vision into reality.

1 Internet access on every desktop: "I want every State employee to have access to the Internet,"stated Powell when he took office in early 2001. To avoid security risks, employees currently take turns accessing the Web from shared computers not connected to the State Department's network. Powell wants to add a secure Internet connection to 30,000 unclassified desktop computers. The pilot program for the Internet platform was completed in April 2001, and the department's 2002 budget includes $US110 million to extend the program departmentwide. Burbano says it should take 18 months to complete (for more on access versus security, see "Acceptable Risk", right).

2 Classified connectivity program: The State Department is charged with maintaining secure networks in 170 countries, which have wildly varying infrastructures and sometime hostile climates. Today, 28 per cent of the department's posts have obsolete classified systems, and 40 per cent have no classified systems at all.

The obsolete systems are from Banyan, a Massachusetts-based company now known as ePresence that no longer sells or supports its Banyan products. The new infrastructure, based on Pentium PCs and a VPN, will give every post in the world access to the classified network and classified e-mail, with the kind of user-friendly interface that modern companies are accustomed to. Also, the upgrade will create a classified intranet that according to Burbano will give the intelligence community - including employees at the State and Defence departments - a secure, efficient way to communicate.

The project has an estimated $US200 million price tag, $US107 million of which is built into the department's 2002 budget. At the urging of Congress, Burbano is trying to speed up this program in particular and hopes to complete it by the end of 2003, rather than 2004 as originally planned. The first posts to be connected will be the 50 that still use obsolete Banyan LANs.

3 Foreign affairs systems integration: Mandated by a congressional report following the 1998 US embassy terrorist bombings in Africa, the Foreign Affairs Systems Integration (FASI) program includes an interagency collaboration system that would give overseas government agencies and nongovernment organisations an electronic workplace. The State Department is coordinating the effort, which would also enable it and other agencies to directly exchange e-mails. "This is the interesting one,"Burbano says - and the new Office of Homeland Security seems to agree. By mid-October, Burbano already had two meetings with Homeland Security Director Tom Ridge's office about whether FASI could be a model for the kind of information-sharing system Ridge needs to build for the nation.

The FASI prototype will be piloted in Washington, DC, and at embassies and consulates in Mexico City and New Delhi in September 2002. Developing the prototype and running the pilot is expected to cost $US17 million, funding that was part of the State Department's 2001 budget. Once the pilot program is complete, other agencies will pay their own way.

For Burbano and his team, "there's a lot of low-hanging fruit", says Michael Burkett, analyst for aerospace and defence at Boston-based AMR Research, when asked about the State Department's chance for success."If you go into a company that's archaic, you know you can make a big impact quickly on the obvious stuff. You couldn't help but come out a winner at least for the initial phase."

Beyond that, however, things are less certain. The logistics of global implementations are mind-boggling enough. For instance, Burbano has to put together a team of American contractors who can pass the department's security muster and are ready to travel the globe doing training and installation. Add to that the political, financial and cultural difficulties of the modernisation, and the department may be in for a rough time.

There's also a lingering belief inside and outside government that fossilised bureaucracy and mismanagement - not funding, not technology - are the real reasons for the department's problems. State Department diplomat Fred Cook, minister counsellor for administrative affairs stationed in Mexico City, wonders whether department bureaucrats, used to operating in a certain way, would use such a system as FASI. He's even more sceptical of whether other agencies would share information with the department.

Burbano counters that user training, a line item in the budget, will dissolve scepticism. Yet the roots of resistance to change run deep. Former Secretary of Defence Carlucci remembers the shock he got when he went to work at the State Department in the 1950s.

"My first job was to correct a computer printout,"he recalls. "I said: 'Well, wouldn't it be easier to make sure the data going into the computer was accurate in the first place?' And I was castigated."

But with the urgency imposed by the war on terrorism and the need to hold together the fragile coalition built by President Bush and Burbano's boss, Colin Powell, there will be far more serious consequences if the State Department falters or fails in its mission. vAcceptable Risk Can the State Department give its employees access to the Internet and still keep its secrets?

I want every state employee to have access to the Internet.

So went Secretary of State Colin Powell's battle cry for improving the morale and efficiency of his troops upon taking office in early 2001. It may seem like a retro goal for the year 2002, but the US Department of State has always had one good excuse for not having cutting-edge technology: security. In the late 1990s, the department's OpenNet platform gave 30,000 users around the world access to a department intranet and e-mail but not to the Internet. The department was following a strict policy of risk avoidance, but now officials say it's time for a change.

"Risk avoidance is to stick your head in the sand and say: 'We'll be safe if we never use the Internet',"says State Department CIO Fernando Burbano. "We're doing risk management now. We know how to add the additional security and how to tighten things up."That means penetration testing in which white-hat hackers (the good guys) look for holes in the system. It also means that users won't have all the risky bells and whistles most businesspeople enjoy, such as the ability to run ActiveX and JavaScript on their Web browsers.

Thanks to the $US110 million that Powell has earmarked to fund Internet access, users will no longer have to jostle for Internet time on standalone computers. Instead of shuttling between three computers, they'll use only two: one for classified information, and another for unclassified and "sensitive but unclassified"information. (Well, sort of. Many users have one monitor and keyboard and use an electronic switch to toggle between classified and unclassified CPUs. The classified hard drive is removed and locked in a safe while not in use.) Burbano says that by adding on to the OpenNet platform rather than supporting a third computer for every user, the department slashed its price per seat from $US5400 to less than $US1000.

The attitude adjustment from one of risk avoidance to risk management will be a big leap for some - especially considering the newly urgent threat of cyberterrorism, plus the department's history of embarrassing security lapses. In 2000, the State Department had to remove from its systems software written by a citizen of the former Soviet Union, and a laptop containing classified information disappeared from headquarters.

In spite of the danger and spotty track record, security experts say the department needs to start dealing with security issues rather than just trying to avoid them. "State needs Internet connectivity with the world to do its job effectively,"says Dorothy Denning, author of Information Warfare and Security and a professor of computer science at Georgetown University. "You can't be a participant in today's society without opening yourself up to security risks."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.
Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Sarah Scalet

Latest Videos

More videos

Blog Posts