In March 2008, the State Department's Inspector General Office did a Review of Department of State Headquarters Cable Drafting and Distribution Process (Report Number OIG-SIA-08-03, March 2008). It's an unclassified report available online. You can read it here.
Nothing striking in that report which was conducted (1) to determine the adequacy of the rules and regulations that govern cable drafting and subsequent distribution and (2) to determine whether these rules and regulations are being followed. Its conclusion:
"This review found the majority of the rules and regulations governing cable drafting to be adequate. [...] It was found that cable drafting rules and regulations are being followed except for those pertaining to the protection of personally sensitive information. Nearly 12 percent of the unclassified randomly selected cables were found to contain personally sensitive information."
This OIG review recommends that:
- The Department of State determine and promulgate through Department Notices and the Foreign Affairs Manual the specific types of information that require protection as personally identifiable information, and
- The Department require that individual cable access user privileges be based upon need-to-know requirements and be supervisory approved.
But here is the part of the report that I find interesting:
As pointed elsewhere in the interwebs, the data sharing was a reaction to the demands of the post 9/11 world. This paper publicly released in 2005 talks about the Net Centric Diplomacy as part of DOD's Horizontal Fusion portfolio (Profiling and Testing Procedures for a Net Centric Data Provider by Derek Pack). The roll out at State presumably happened after 2005. The fact that the OIG reviewed the SIPDIS captioned cables in the Net Centric Diplomacy project some time after its roll out indicate to us that there were concerns about it within the State Department. Since the first part of the review was released in March 2008, we presume that the second part would have been concluded later that year or early in 2009. We spent hours looking online for the second part of the review to no avail.
Before our eyeballs fell out, we decided to ask the OIG directly. Bless their souls, the press folks at the Inspector General's Office actually respond to email inquiries, even from bloggers in tacky pjs.
Douglas Welty, State OIG's Congressional Public Affairs Officer responded to our email inquiry with the following:
"The Office of Inspector General is closely following the current situation involving Department of State cables and WikiLeaks. As a part of our oversight responsibility, and as a follow-up to the March 2008 report you cite below, it would be appropriate for us to initiate a review of lessons learned and processes and procedures implemented to ensure the security of sensitive and classified Department information."
Well, I thought good to know and that's that. But the following day we received a follow-up response from the amazing Mr. Welty:
"I have been doing a bit more research and am able to confirm that there was an OIG report, issued in September 2008, subsequent to the one in March 2008 about which you originally inquired. It was titled "Review of the Process for Sharing Department Cables via the Net-Centric Diplomacy (NCD) Program. However, this was a CLASSIFIED report so it was not posted to our Website nor in any other way made available to the general public."
We went and dug out the Office of Inspector General Semiannual Report to the Congress, April 1, 2008 to September 30, 2008. And it did have the following item on the Review of the Process for Sharing Department Cables via the Net-Centric Diplomacy Program (SIA-08-04):
"The Net-Centric Diplomacy (NCD) program was accomplishing its intended purpose of facilitating the sharing of classified and unclassified cables originating from the Department and overseas posts with other U.S. Government agencies that have Secret Internet Protocol Router Network (SIPRNet) access. Some posts were not sharing cables with other government agencies via the SIPRNet distribution (SIPDIS) caption because of the mistaken belief that posting cables to the NCD database requires SIPRNet access. The Department had not provided adequate guidance regarding the specific types of personally identifiable information that should be excluded from cables posted to the NCD, so as to avoid the potential for violations of the Privacy Act."
Anyway, so there, the OIG did review State's
If you can convince State's OIG to declassify this report, good luck!