USAGM Watch Commentary

The story of a December 2020 phishing attack on the U.S. Agency for Global Media (USAGM) which compromised personal information about Voice of America (VOA), Office of Cuba Broadcasting (OCB) and USAGM employees and retirees, including private individuals and their Social Security numbers, is covered in the United States by IT and Tech sites but not by the tax-funded Voice of America whose reporters and editors are government employees paid by U.S. taxpayers. They may not want to call attention to the failures of their longtime USAGM managers who have been criticized for lax security at the $800 million (FY2020) federal agency. Some USAGM employees have family members living abroad. The VOANews.com website is also viewed in the United States.

Former VOA White House correspondent Dan Robinson and USAGM Watch called public attention to the USAGM phishing story a few days ago.

Robinson told BleepingComputer that he learned that the letters were sent to current employees on April 13th, 2021, four months after the bad actor accessed the data. Some USAGM retirees received their warning letters about two weeks later.

The article on the BleepingComputed website noted that “This long delay could have given the threat actor time to perform further phishing attacks or identity theft on those exposed in the data breach.”

US Govt Agency Suffered From Data Breach After Falling For a Phishing Attack: Breached data include full names and social security numbers of the employees of USAGM. TechDator.Net, Manikanta Immanni, May 5, 2021.

U.S. Agency for Global Media data breach caused by a phishing attack, BleepingComputer, Lawrence Abrams, May 4, 2021.

USAGM Watch Commentary

VOA is often late in posting news reports and sometimes does not to cover news stories in the United States for what appear to be partisan or other political reasons.

READ: Voice of America Delayed For Five Days Posting Story on Senator Menendez Criticism of USAGM CEO OCB Appointment

As reported earlier by USAGM Watch, it is not clear from the agency’s letter posted by a former USAGM employee on the Voice of America Alumni Facebook page when the management discovered the successful phishing attack. The letter does not explain why access to an e-mail account provided access to bulk Personally Identifiable Information (PII). One IT security expert said that USAGM management should not have permitted such access through an e-mail account.

Personally Identifiable Information of current and former USAGM, Voice of America (VOA), and Office of Cuba Broadcasting (OCB) employees who worked for the agency between 2013-2020 has been compromised starting in December 2020, according to the letter sent out by the agency management in late April. USAGM, VOA and OCB workforce includes federal government employees and contractors. USAGM is a federal agency which also manages several non-federal media entities. The USAGM letter does not suggest that the incident affected employees of USAGM’s non-federal entities.

The letter said that the Personally Identifiable Information involved “includes the full names and Social Security numbers of affected employees and may include the names and Social Security numbers of their beneficiaries and dependents.” Recent USAGM retirees confirmed receiving their letters from the USAGM management in the last few days and were asking why it took the agency’s management such a long time to warn them..

US. AGENCY FOR
GLOBAL MEDIA

Return Mail Processing

PO Box 589
Claysburg. PA 16625-0589

April 28, 2021

RE: Important Security Notification. Please read this entire letter.

Dear

The U.S. Agency for Global Media (USAGM) recently discovered an incident that may affect the security of your personal information. This letter provides you with information about the incident, steps we are taking in response, and steps you may take to guard against identity theft and fraud, should you feel it is appropriate to do so.

What Happened? In December 2020, a successful phishing attack was carried out against USAGM. The bad actor gained access to an agency email inbox containing Personally Identifiable Information (PII) of current and former USAGM, VOA, and OCB employees who worked for the agency between 2013-2020.

What Information Was Involved? The PII involved includes the full names and Social Security numbers of affected employees and may include the names and Social Security numbers of their beneficiaries and dependents.

What Are We Doing? We take the protection of your personal information seriously and already have taken aggressive steps to prevent similar occurrences. As soon as the USAGM IT Secunty team detected the unauthorized access, it secured the breached email account and began its assessment of the extent and impact of the data breach. Agency leadership then notified employees of the breach and provided timely information about steps employees could take to protect their identity and credit. USAGM IT also provided employees with tips to identify and prevent future phishing attempts and fast-tracked its rollout of Multifactor Authentication (MFA) to the agency’s Office 365 email, SharePoint, and OneDrive environments. USAGM continues to explore and implement additional tools to detect and prevent the loss of the sensitive and confidential information handled by agency employees.

To help protect your identity, we are offering complimentary access to Experian IdentityWorks for one year.

If you believe there was fraudulent use of your information as a result of this incident and would like to discuss how you may be able to resolve those issues, please reach out to an Experian agent. If, after discussing your situation with an agent, it is determined that identity restoration support is needed, then an Experian Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred from the date of the incident (including, as appropriate, helping you with contacting credit grantors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus, and assisting you with contacting government agencies to help restore your identity to its proper condition).

END OF USAGM LETTER

USAGM Watch Commentary

When the attack occurred the agency CEO was still Trump appointee Michael Pack. The security systems were put in place or were overseen by the previous management team which is now back in charge of the agency.

Damage assessment may have taken some time and it is not clear when it started.Pack was busy defending himself from lawsuits filed by USAGM executives and managers, including current Biden-appointed acting USAGM CEO Kelu Chao. The senior managers who criticized Pack claimed “whistleblower” status. Following Pack’s departure after the change of the administration in January 2021, Chao, a longtime VOA manager, has been in charge of the agency as acting CEO.

We do not know whether the hacking attack reported by the current agency management four months after it occurred was a result of outside or inside action, but former CEO Michael Pack made a number of allegations against some of the USAGM managers whom he had suspended and who have been subsequently returned to their former senior management positions by Kelu Chao.

The suspended managers denied Pack’s allegations which centered on security clearances for USAGM federal employees and contractors. Some of the longstanding security deficiencies at USAGM are described in a report issued in July 2020 by the Office of Personnel Management (OPM).

Pack’s take on the agency’s management under some of the current managers as well as his predecessors in top agency and VOA jobs can be glanced partly from an undated position paper written when Pack was still at the helm at USAGM. The USAGM position paper written under Pack said in part:

In the face of all this, USAGM under previous senior management continued to issue invalid access, security clearances, and suitability determinations. The agency was taking fingerprints, but neglecting to submit them to the appropriate authorities – or, in other instances, failing to take fingerprints, altogether. It was accepting aliases and fake social security numbers. It was not requiring the disclosure of foreign travel and foreign contacts. And on many occasions, USAGM was hiring individuals who left entire fields of background-check forms blank. Even the number of employees with secret and top-secret clearances was unknown.

U.S. AGENCY FOR GLOBAL MEDIA

[Undated Position Paper – written during Michael Pack’s tenure as USAGM CEO]

SECURITY ISSUES

WHAT WAS FOUND

Soon after Michael Pack became the first Senate-confirmed CEO of the U.S. Agency for Global Media (USAGM) in June 2020, the agency’s new senior management learned that previous senior management had repeatedly failed to adhere to national security protocols and essential federal government personnel security practices for at least a decade. The actions – and, in many cases, inactions – of the individuals responsible for producing this crisis placed U.S. national security in danger and imperiled USAGM’s ability to fulfill its legal mandate of advancing U.S. foreign policy.

Specifically, new USAGM senior management became aware that both the U.S. Office of Personnel Management (OPM) and the Office of the Director of National Intelligence (ODNI) had conducted multiple assessments of USAGM between 2010 and 2020. Those assessments, identified myriad deep-seated and persistent security problems that were either initially caused by or left largely unaddressed by previous senior management. Indeed, previous senior management and the now- defunct Broadcasting Board of Governors had not remediated these problems. In August 2020, at CEO Pack’s direction, USAGM released OPM’s most recent assessment, which had been completed the previous month, in July 2020.

The aforementioned assessments revealed that, by the time CEO Pack started his tenure, at least 1,500 employees at USAGM – around 40 percent of the agency’s entire workforce – had been improperly vetted, including dozens of individuals given security clearances at the confidential level or above and/or access to federal government systems and facilities despite having invalid background investigations, adjudicative actions, and government access cards.

Because of this record of egregious security violations and deficiencies, USAGM became one of only two federal agencies in the past 20 years to have its delegated suitability-determination authority revoked by OPM. Likewise, due to repeated failures stemming from an unacceptable level of systemic and institutional negligence, ODNI revoked USAGM’s authority to adjudicate security clearances. Such severe remedies in such stark terms against an entire federal government agency is virtually unprecedented.

Moreover, USAGM had cleared the more than 1,500 employees even though the agency’s delegated authority to conduct investigations lapsed back in 2012—due to what was already a list of numerous and egregious security violations and deficiencies. This delegated authority was never reinstated and USAGM management failed to take decisive action to resolve this issue during the entire ten-year period of assessments, despite the fact that the issue was repeatedly brought to its attention by career USAGM security professionals.

In the face of all this, USAGM under previous senior management continued to issue invalid access, security clearances, and suitability determinations. The agency was taking fingerprints, but neglecting to submit them to the appropriate authorities – or, in other instances, failing to take fingerprints, altogether. It was accepting aliases and fake social security numbers. It was not requiring the disclosure of foreign travel and foreign contacts. And on many occasions, USAGM was hiring individuals who left entire fields of background-check forms blank. Even the number of employees with secret and top-secret clearances was unknown.

The violations and deficiencies impacted every known element of personnel and information security. The damage done to U.S. national security cannot be easily calculated. The disregard for the many warnings ranks among the worst holistic federal government security failures in the modern era.

U.S. national security is jeopardized every time there is a single security violation. In this case, an entire agency – one that reaches more than 350 million people around the world on a weekly basis – allowed for lax and even non-existent security protocols for an entire decade. USAGM’s longstanding failure to effectively vet its personnel, ranging from interns to contractors to grantees to full-time federal employees, made it vulnerable to those with nefarious intent toward the United States. The thousands of individuals that USAGM improperly cleared over the past ten years possessed access not only to high-level federal government employees and sensitive information, but also to the powerful tools of U.S. civilian international broadcasting that shape America’s global narrative.

WHAT WAS DONE—AND WHY
CEO Pack immediately directed USAGM to work closely with its federal partners to ensure that OPM’s and ODNI’s findings were swiftly and appropriately addressed. Because of the nature of the findings, he further requested meetings with the Chairmen and Ranking Members of USAGM’s Congressional committees. He also ordered a comprehensive inquiry into USAGM operations because he was concerned that the failures identified by OPM and ODNI compromised the agency’s ability to fulfill its mission, undermined the work of the federal workforce, and threatened U.S. national security. At CEO Pack’s further direction, USAGM has initiated a system in consultation with agency partners that will cure the aforementioned security violations and deficiencies. Decisive action was required to protect the United States, the integrity of USAGM, and the safety of the agency’s journalists at home and abroad.

WHAT SHOULD BE DONE MOVING FORWARD
USAGM must further implement the system set in place in consultation with agency partners to efficiently and effectively remediate these security failures. Continuing to move forward, USAGM must follow the law and guidance of OPM, ODNI, and other federal entities.

END OF USAGM SECURITY ISSUES Michael Pack POSITION PAPER

USAGM Watch Commentary

Same Former and Current USAGM Management

“Significant problems have befallen the agency since CEO Michael Pack arrived and I have deep concerns about the trajectory USAGM is on,” Grant Turner, one of the whistleblowers, said in September 2020 testimony at an oversight hearing held by the House Foreign Affairs Committee, the article in The Hill noted.

“I know many of you share these concerns. Like you, I am worried about the credibility and the goodwill of our networks being destroyed. It has taken literally decades to build this trust with our audiences. Tragically, it can be destroyed far more quickly,” Grant Turner warned the lawmakers. He was before and is now again a senior USAGM executive.

A press release on the USAGM official website, dated August 4, 2020, announced that Michael Pack released a report by the U.S. Office of Personnel Management’s (OPM) Suitability Executive Agent Programs. The press release said that the report “reveals severe and systemic security failures at the agency, many of which have persisted for years.” The position paper written at USAGM under Pack said about the former management that “disregard for the many warnings ranks among the worst holistic federal government security failures in the modern era.” The USAGM and VOA managers who were in charge dispute such characterizations of their performance and in turn criticize Pack, as current acting USAGM CEO Kelu Chao has done during his tenure and after his departure.

USAGM PRESS RELEASE

CEO Pack releases OPM report detailing long-standing USAGM security failures

August 4, 2020

WASHINGTON, D.C. — U.S. Agency for Global Media (USAGM) CEO Michael Pack has released a report that reveals severe and systemic security failures at the agency, many of which have persisted for years. This latest report was produced by the U.S. Office of Personnel Management’s (OPM) Suitability Executive Agent Programs, which conducts program reviews of Executive Branch agencies’ personnel suitability and vetting programs.

READ ON USAGM Watch: Voice of America Fails to Post Story on Phishing Attack Against VOA Employees and Private Citizens