Broadcasting Board of Governors Information War: Lost
Temple of Cyber Insecurity
By The Federalist
We recall not long ago a boast by Chief Information Officer and Chief Technology Officer André Mendes, a senior Broadcasting Board of Governors (BBG) official, that he had kicked the Chinese out of the agency’s cyber networks.
Despite his claim of alleged success, the Iranian Cyber Army, considered far less sophisticated than the Chinese government hackers, easily managed to hack the main Voice of America (VOA), voanews.com website in 2011 and posted a nasty message against then-Secretary of State Hillary Clinton. She in turn, even while serving as an ex officio BBG board member, called the Broadcasting Board of Governors “practically defunct” in 2013.
This did not prevent current BBG Chairman Jeff Shell to appoint André Mendes as interim BBG CEO and Director in March 2015. In announcing in August 2015 the appointment of former President of Scripps Networks John F. Lansing as permanent BBG CEO and Director, Chairman Shell thanked André Mendes for his service as BBG Interim CEO: “On behalf of the entire Board, I would like to express our deep appreciation for the tireless work of André and his dedicated team. During this transition period, André and his colleagues have worked diligently to produce outstanding results and to spur on forward momentum at the BBG.”
“As President of Scripps Networks, Lansing was responsible for strategic and operational oversight of the $2.5 billion division of Scripps Networks Interactive, including the company’s portfolio of six cable networks – Food Network, HGTV, Travel Channel, DIY, Cooking Channel and Great American Country – and the $100 million Scripps Networks Digital division,” the BBG press release said. “Prior to joining Scripps Networks in 2004, Lansing was Senior Vice President for Television in the broadcasting division of the E.W. Scripps Company, managing the company’s portfolio of 10 network affiliated television stations. Earlier, he held various senior management positions at Scripps-owned affiliates, including WEWS TV in Cleveland, Ohio and WXYZ TV in Detroit, Michigan.”
It was immediately clear from the BBG press release that Mr. Lansing, who excelled in managing TV entertainment channels, had no prior U.S. government service, foreign affairs, foreign news reporting, foreign policy or U.S. public diplomacy experience. Still, in the autumn of 2015, some observers and employees were willing to give him a chance and wait to see what he can do. They have been sadly disappointed, as they have been in Mr. Shell despite some early hopes for significant change. The agency is as defunct now, if not more so, as Hillary Clinton found it to be in 2013. President Obama does not even bother to mention the BBG when he is speaking about countering ISIL and Kremlin propaganda.
Like Mr. Lansing, Mr. Shell, a successful Hollywood movie industry executive, also does not have any prior work experience in areas most vital to US international media outreach, public diplomacy and foreign policy. Instead of carrying out major personnel and structural reforms when they first agreed to take their BBG positions, Mr. Shell and Mr. Lansing have decided to rely on the existing BBG management team. They have made a fatal mistake.
Perhaps these private sector executives never paid attention to the 2014 Office of Inspector General (OIG) audit which warned in no uncertain terms that the Broadcasting Board of Governors Information Security Program had “a significant deficiency” under the management team, which was headed by André Mendes who was later so highly praised by Chairman Shell and made interim CEO and Director.
If someone were inclined to believe claims by André Mendes, Jeff Shell, and John Lansing, one might be less inclined to believe them now with the release of a new 2016 State Department Office of Inspector General (OIG) report. The report was put online by the OIG for public viewing.
Information Report: Description of Policies and Computer Security Controls for Select Broadcasting Board of Governors Covered Systems, Office of Inspector General, U.S. Department of State | Broadcasting Board of Governors, August 2016
We suggest that individuals download the report and read it for themselves. It includes a response to the OIG from BBG CEO and Director John Lansing.
This is a very technical report. We tend to operate from the principle of “keep it simple,” which means looking at the report from a layman’s point of view. However, keeping it simple does not equate with being superficial.
In reading the report, especially the appendices, it is clear that the agency does certain things in the realm of cyber security and doesn’t do others. Of course, the question then becomes among the things the agency doesn’t do, does this create an opening for hostile cyber warfare efforts to intrude, embed and/or alter information technology systems. Such alterations and intrusions could be timed events, not necessarily of the moment of intrusion.
Before we forget:
Mr. Lansing offered an interesting response to the devastating OIG report. His response appears designed to accuse the OIG of a possible cyber security indiscretion. It also appears to be a classic attempt to shift the blame from himself and his immediate subordinates to lower level managers. It’s likely that his immediate subordinates had drafted his response letter. Ironically, in trying to point out that an official below him and below Mr. Mendes, “who ultimately reports to the CIO, is responsible for account management, which includes routinely disabling temporary system accounts and automatically disabling inactive accounts,” Mr. Lansing may have helped the Chinese and the Russian hackers in identifying the person on whom they should focus in any future hacking attempts. We hope the BBG will make the necessary changes to make this admission unusable to any outside hackers.
Returning to the Chinese, Mr. Mendes was quoted by Federal News Radio as saying in April 2016:
“When I first came on board in 2009, every single server in this agency was controlled by the Chinese cyber army and they could have literally dropped this agency with one key stroke. Fortunately they chose never to do so, but at the same time we knew they were exfiltrating literally gigabyte upon gigabyte of information every day.”
Mr. Mendes was speaking about what he found in 2009. Why then the Iranian Cyber Army had succeeded in hacking the VOA website in 2011 under his watch?
If you are the Chinese or any other practitioner of cyber warfare, this is exactly what you are looking for:
A U.S. government executive who clearly devalues and underestimates your capabilities: someone who is dismissive of the sophistication of the technology and multitude of experts at your disposal.
Perhaps the reality is the Chinese know better than the rest of us what a schlock operation the Broadcasting Board of Governors really is.
They probably also know that the claim made by “an agency official” is laughable on its face.
Let’s put it this way:
The good money is on the Chinese.
More than likely, the Chinese may still be inside the agency’s computers. The Chinese cyber warfare specialists have advanced techniques and technologies and continue to expand and upgrade both.
Probably not so much.
There have been repeated failures of digital storage and audio and video processing infrastructure used by VOA reporters, and a power failure which IBB was unable to fix for many hours and which prevented VOA programs from being transmitted to their audiences abroad. In an e-mail sent to staff last month, Mr. Mendes warned Voice of America journalists covering the Republican convention that “in order to avoid any bandwidth problems,” they must completely discontinue non-business use of high bandwidth video sites like ESPN, YouTube, Facebook, Pandora, Netflix, Hulu, and other such services. VOA journalists were also told to completely discontinue usage of Internet streaming of convention feeds that are available over broadcast TV in the office. The BBG and the Voice of America were digitally and journalistically unprepared for the coverage of US political conventions.
The Chinese have easily hundreds if not thousands of personnel working 24/7 whose sole purpose is not only to infiltrate US Government computers but also to cloak the extent to which their penetrations reach.
Agency officials get an OUTSTANDING in making things so much easier for US adversaries: the Chinese, the Iranians, the Russians. These agency officials just walk themselves right into it.
The kind of vigilance required to protect the agency’s computer systems is well beyond the reach of Mr. Mendes, International Broadcasting Bureau (IBB) deputy director Jeff Trimble, Mr. Lansing, Mr. Shell and the agency as a whole.
How many agency employees are arrayed against the hundreds if not thousands of Chinese People’s Liberation Army (PLA) specialists?
One, two or ten?
Answer: Not enough to bother the Chinese or anyone else.
If the Chinese aren’t still in the agency’s IT infrastructure, more than likely they will be again. Mr. Mendes talks in absolutes. What we know is there is no such thing as absolute IT security.
Here’s another thing.
A Mission to Moscow
In terms of “style,” the Chinese and the Russians are perhaps more interested in mining information than disabling the source of the information. Except in extreme circumstances, it is less valuable to knock out a targeted system than it is to burrow into it, discover vulnerabilities and remain dormant while allowing an apparently strident, narcissistic agency official pontificate in the hallways and conference rooms of the Cohen Building.
Mr. Shell, Mr. Lansing, and Mr. Trimble may have made it easier for the Russian security and intelligence agencies, FSB and GRU, to access their private and government phones, computers and online activities by going recently on an incredibly ill-advised and ill-timed trip to Russia. It seems that some BBG officials and executives think that Russia has been in the last four or five years a slightly lapsed democracy, and that perhaps things will soon return to business as usual. It appears that Mr. Shell was in fact going to Russia to do private business while being accompanied by and receiving guidance and support from Mr. Lansing and Mr. Trimble who were going there in an official US government capacity.
The Russians eventually expelled Mr. Shell, but first they kept him for several hours at the Moscow airport in isolation, presumably with his phone and computer on his person. Did they get access to his electronic equipment, physically or while he may have tried to use it? The Russians allowed Mr. Lansing and Mr. Trimble to enter Russia, presumably to have more time to gather cyber and other intelligence.
The Russians made a strong point that BBG executives have no idea what they are doing, whether it is assessing Russia as a strategic threat to the US, assessing any threats to personal safety and cyber safety of high-level US political appointees such as Jeff Shell, or assessing cyber threats from the Russians, the Chinese, the Iranians, the North Koreans, the Cubans and others.
As often described to us by sources, the incredible incompetence of BBG senior staff, their personnel practices, and the agency’s mishmash IT infrastructure make current and future hostile intrusions all the more feasible.
- “Dysfunctional” (Heritage Foundation scholar Helle C. Dale)
- “Practically Defunct” (Hillary Clinton)
- “Broken” (US statesmen, diplomats, media experts and journalists interviewed by former BBG member S. Enders Wimbush and former Radio Free Europe / Radio Liberty executive Elizabeth M. Portale)
- “Truly Rudderless” or Leaderless (Chairman of the House Foreign Affairs Committee, Rep. Ed Royce)
The end result still is:
- “This Broken Agency is Losing the Info War to ISIS & Putin,” House Committee on Foreign Affairs Blog, February 23, 2016.
These are the cornerstones of how this agency operates.
Mr. Shell and Mr. Lansing were reportedly warned by former BBG members and others familiar with the agency that unless they immediately clean house and carry out major structural reforms, the entrenched BBG bureaucracy will drag them down, embarrass them and make them fail. They chose to ignore this advice. Let’s not forget, however, that Mr. Shell and Mr. Lansing are not bad people. They mean well. They might have even done some good things on the margins of the agency’s operations. But as leaders and executives of a government information agency they are incredibly poorly prepared and poorly suited for the foreign media outreach and foreign affairs jobs they were appointed to or selected for. Mr. Lansing was reportedly recommended for his BBG position by Mr. Shell.
After the Russia trip fiasco and the latest OIG report and Mr. Lansing’s response to it, is there any doubt whatsoever that the BBG bureaucracy once again has emerged victorious and the agency is spinning out of control more than ever before?
Things are also not any better at the Voice of America which before and after the party conventions this summer has posted biased, one-sided reports on all three major US presidential hopefuls: Hillary Clinton, Bernie Sanders, and Donald Trump. New VOA director Amanda Bennett admitted that there is a problem, but problem reporting continues even after her admission. Mr. Shell and Mr. Lansing also clearly lack critical experience to deal with the agency’s many problems. These problems are far beyond what they both are familiar with as successful private sector film and entertainment TV executives. The US is under a major propaganda and cyber threat from a number of hostile players. It is time for a change of guard at the BBG. Nothing illustrates it better than the failed mission to Moscow.
In terms of “style,” what should be keeping Mr. Shell, Mr. Lansing, Mr. Mendes, Mr. Trimble and others awake at night is less the Chinese and more:
Unfortunately, some of these BBG officials have shown that they think it is perfectly safe and appropriate to plan a mixed private business/government business Broadcasting Board of Governors mission to Moscow at this time. The Russians have shown Mr. Shell what they are capable of. He and Mr. Lansing made a terrific blunder listening to their BBG advisors–a blunder which could have easily turned out much worse for Mr. Shell than they could even imagine. He can consider himself lucky and in the future should think twice before accepting any advice from BBG executives. Some really bad things have happened to many good people in Putin’s Russia, including mysterious deaths, poisonings, and outright assassinations.
In terms of cyber attacks, by style, the Russians are also more inclined to “knock out” systems. They’ve done it elsewhere, Ukraine in particular and in “tinkering” with systems controlling pipelines to Eastern Europe. That’s how the Russians play it. When it is in their interests to do so, they could and would crush the agency to cyber rubble.
The Chinese appreciate finesse. The Russians like to pummel you. And when you have bragging executives inside the Cohen Building, they will pummel you with added authority and enjoy every moment of it. The Russians have a healthy contempt for weakness and stupidity. They respect strength and competence.
Mr. Shell, Mr. Lansing and BBG executives they rely on for advice don’t seem to pay attention to Russian behavior in other quarters, such as beating up of a U.S. diplomat by a Russian security guard near the US Embassy in Moscow. This happened before they decided to go on their mission to Moscow. What a foolish idea.
Does it also not occur to Mr. Shell, Mr. Lansing, Mr. Trimble and Mr. Mendes that an old KGB spy and operative like Vladimir Putin and his KGB cronies may have already planted a few FSB agents among the agency’s personnel, especially among hundreds of contractors and contract firms the BBG management has employed over the years, many of them hired in violation of US government rules and regulations? Do all of these contractors hold top secret US government security clearances? We doubt that they do. Being underpaid, mistreated and exploited, some of them filed a $400 million anti-discrimination lawsuit against the BBG in a federal court. It’s an invitation for trouble. It’s a very dangerous and unhappy situation brought about by the very BBG executives whom Chairman Shell has praised as “exceptional leaders and set the stage for important agency reforms,” as officials “who can also make change happen,” and as “impressive public servants.”
Well, they did get him as far as the Moscow airport.
The Russians are not likely to be impressed by empty talk from BBG Chairman. Nor will they be impressed with BBG CEO John Lansing’s statement, in which without revealing key material facts and obscuring the highly questionable purpose of the BBG mission to Moscow, he called Mr. Shell’s expulsion from Russia “blatant aggression.”
The treatment accorded to Mr. Shell was indeed brutal, but it was entirely predictable and could have been avoided if Mr. Lansing and his BBG advisors have shown a minimal amount of common sense and good judgement. Even the State Department spokesman was far more honest about the circumstances of the bungled “private” trip to Moscow by the BBG Chairman than what Mr. Lansing, CEO of the agency that claims “to inform, engage, and connect people around the world in support of freedom and democracy,” said in his statement to the public. A VOA report on the incident was equally vague, short on critical information, and ultimately misleading.
As we said before, the Putin business mafia has contempt for weakness. The BBG delegation in Moscow did not show support for brave independent journalists in Russia but rather exposed their poor thinking and weakness.
Recently, two Russian fighter aircraft “buzzed” a US Navy destroyer. They came in low, fast and close. That’s how the Russians play it. No fear.
Take a look:
These were Russian practice attack runs, by the way.
And if you are anyone inside this particular agency, you should be very afraid of what the Russians are up to in cyber space. If they’re coming, you’ll know it.
Also, let’s not forget the most successful cyber attack against the agency (from as much a public relations standpoint) wasn’t the Chinese or the Russians. It was the Iranians. They were able to take control of agency computers and embarrass it publicly by seizing control of agency websites and putting up a screen of the Iranian flag wafting in the cyber breeze with an AK-47 alongside and messages to then-Secretary of State Hillary Clinton to back off.
And they maintained that control for hours.
And there’s more.
From the report:
“BBG officials stated that senior agency management made a risk-based based decision not to implement data loss prevention and digital rights management solutions across the agency.”
Message to foreign, third-party, non-state cyber warfare actors and hackers:
“It’s party time at the BBG!”
Indeed, it has been under the longtime BBG executives who are still assisting and advising BBG Chairman Jeff Shell and BBG CEO and Director John Lansing.
“BBG officials stated that senior agency management made a risk-based based decision not to implement data loss prevention and digital rights management solutions across the agency.”
To summarize, it is an open invitation by BBG officials to be attacked constantly, repeatedly with an expectation that someone will breach the agency’s alleged firewalls and start a lucrative data mining operation.
We’re not only talking about the agency and its employees but also entities that the agency deals with. All kinds of information appear to be up for grabs with this roulette wheel game of chance being played by senior agency officials.
In its own way, this is a clear indication of how low on the priority list this agency is within the rest of the US Government. If it were important enough one would believe the agency would not be allowed to get away with
“…a risk-based based decision not to implement data loss prevention and digital rights management solutions across the agency.”
But that’s the thing: after years of mismanagement by part-time private sector board and incompetent BBG bureaucracy, this agency is no longer important in Washington. President Obama does not even mention the Broadcasting Board of Governors when he speaks about the need to engage in the information war with ISIL terrorists or the need to counter Russian propaganda. The so-called “work” the agency does is no longer viewed as being effective. That’s all folks. It doesn’t matter if employee data is mined by some hacker.
In the world of cyber warfare, agency employees are collateral damage.
Throughout this report we see phrases like
“Williams Adley (the auditing contractor working with the OIG) was not able to thoroughly review and verify the policies provided by BBG was sufficient to secure PII data.”
In the summary of the report, we read the phrase,
“…BBG officials stated that the multi-factor authentication was not completed due to insufficient funding…”
A typical agency canard: cry poverty and plea that the Congress throw gobs of US taxpayer money at the agency and all its problems will go away.
No. They won’t.
As incredible as it may seem, the BBG budget ($777 million in FY 2017 Budget Request) is actually larger than what U.S. taxpayers were paying in inflation-adjusted dollars for the Voice of America and the US propaganda agency during World War II and higher than what the US was spending on VOA and Radio Free Europe and Radio Liberty during much of the Cold War.
If anything, with more public money available to it, the unreformed BBG will only get worse because more often than not the money is used by its bureaucracy to camouflage the agency’s systemic failures. One of the ways BBG executives like to confuse the American public is by claiming that the Russians spend more on propaganda than the US. In fact, the Russians spend less money on their foreign propaganda than the BBG spends for media outreach abroad. BBG executives include in the propaganda figure the money spent on state media channels in Russia. Using this logic, the US can never outspend any country that has public media unless the budgets of private US media and entertainment sector are included, in which case the US vastly outspends everybody else. The truth is that during the Cold War, the US had a tremendous impact with its taxpayer-funded information programs abroad while spending much less money in inflation-adjusted dollars than the BBG currently spends for the same purpose.
Indeed, the Congress would be highly remiss in its fiduciary responsibilities to throw more money at this agency as it continues and accelerates itself into irreparable implosion.
At best, at the end of the day, this agency is a monument to incompetence and bureaucratic stalling. It has allowed itself to become over-extended and in the process virtually eliminating any meaningful mission impact.
The best thing the Congress can do is:
The Congress needs to get this agency out from under its corrupt bureaucracy and put it in the hands of meaningful, competent adult supervision.