Tuesday, March 10, 2015

ATR: Thoughts on Email

The media is abuzz with stories about a certain former US Secretary of State using her own email server to send and receive official email related to her office. There is certainly plenty of fodder here for political accusations at each party and I'd rather not get into that here. My focus is on information governance and records management, so let's focus there.

From the time that I was but a wee little records manager, I learned that the basic definition of a "record" included language akin to "...recorded information, regardless of physical form or characteristics...". In slightly later days, the litany of types of records included as examples of records was amended to include "machine readable" or "electronic" records. The foundation for this definition has historically been the United States Code and the Code of Federal Regulations. This is not something new. The laws and regulations have been on the books for decades. They were purposely written to ensure that the advancement of technology did not negate the effect of the law or rule.

Part of the problem over the past 20 years is that the pace of technology has outstripped the ability to manage the information created by technology. Whether in the public sector or in the private sector, email volumes have grown exponentially. The US Federal government, particularly as embodied by the National Archives, has been stymied in efforts to manage electronic records. I can recall efforts from the mid-1990's to get a handle on electronic records in the US government.

The Code of Federal Regulations (36 CFR 1220 et seq.) has been quite clear that a Federal Agency is responsible for managing its records. There's no provision for storing paper records in your basement or electronic records on a server that you built in your garage. While certain agency policies have been cited relative to third parties hosting email, I don't think that was ever intended to allow a government employee to deploy file or email servers. I would expect that the intent of those allowances was for services hosted by Microsoft or Google or some other appropriately contracted and vetted service provider.

A variety of state and Federal officials have been dragged into this frenzy because it became known that they had personal email accounts during their terms of office. From my reading, it appears that some of them have admitted to using personal email accounts for official business. Importantly, though, this usage has not been exclusive and has not been on email servers that they housed in their residence or under their direct control. I can certainly understand that a politician may want to use a third party email system for purely political or personal purposes. They may also take great pains to keep that information apart from their official actions. So from that standpoint, I don't fault the former Secretary's interest in keeping her personal (and political) email separate from her official email. In that regard, she was well within the provisions of US law and regulations. But by mixing her official correspondence with personal correspondence on a server that she (and her apparently personal staffers) controlled, I'd suggest that the law was broken with regard to maintaining official government records in accord with 36 CFR 1220.32, "Agencies must create and maintain authentic, reliable, and usable records and ensure that they remain so for the length of their authorized retention period." By removing the email from the server and printing it out -- and not maintaining a full audit trail of what was deleted (although interestingly, there seems to be knowledge of the number of emails deleted), I would suggest that it is very difficult to prove the authenticity or reliability of any of the emails produced in paper form.

Now let's turn to information security. It's safe to say that every Federal agency head and Cabinet-level appointee is a likely target of nation-state-sponsored hackers. Most historians are quite familiar with the Zimmermann Telegram, which is one of the earliest examples of "hacking" electronic communications by a nation-state. The former Secretary stated that the email server was secure because her home was protected by the US Secret Service. Well, that may have protected the server from a physical attack, but it stands to reason that there were plenty of hackers who could have had an interest in that server and "owned" it quite easily. After all, the State Department's own network had been successfully penetrated. We'll take the former Secretary's word that she was cautious about not transmitting Classified information with her email, but suffice to say that her communications with other officials likely contained strategic direction and discussions based upon Classified intelligence. If nothing else, a hacker would have been likely to easily collect foreign policy decisions ahead of their release as well as insider discussions and debates about foreign policy. As we have seen with other emails released by hackers, email exchanges between ranking government officials can be quite direct and revealing when no one appears to be watching. It may be many years before we know what access hackers had and what secrets they had access to.

While the violation of various elements of the US Code and the Code of Federal Regulations is bad enough (as well as the likely sanitizing of the historical record), the bigger issue is the breach of security. I would hope that someone with access to the highest levels of the US government; who likely had access to the most highly classified information; who should have been briefed on the ongoing threats to national security by nation-state-sponsored hackers, would have (or certainly should have) known that she was a high value target and acted accordingly. Even if the minion who set up her email assured her that it was properly protected, it seems reasonable that a thinking person would have had second thoughts about her own cyber security when she learned about successful state-sponsored APT attacks against some of the country's most protected government agencies and private companies.

Saturday, May 10, 2014

OTR: Trains, Planes, Fire Trucks and Computers

It's likely no surprise to my friends that I like all of the things that I mention in the headline of this post. If the mailman pays attention to what he puts in my mailbox, I imagine he must wonder about what I do. There's Airways Magazine, Air & Space, Aviation Week and Space Technology, Trains, the Rail & Wire, Fire Apparatus Journal, some security magazines, and a handful of business magazines.

I suppose that when it comes to these things, I've never quite grown up. I didn't get the "car guy" gene that my brother has, or the boat-owner gene that my father had.

I've been a member of the Illinois Railway Museum for a few years now. I go out there a few times every summer, ride the trains, take some pictures, and get my train geek on. I haven't volunteered out there up to now because, quite honestly, I'm not that handy and taking up welding at my advanced age might be a little beyond me. Besides, I'm pretty sure the family won't let me out of the house wearing striped bib overalls. Nonetheless, I'm heading out there in the morning to see if I can lend some of my knowledge, and perhaps some of my writing ability, to the Museum.

I've observed some challenges, and I think I could help, but I need to see where they want help and how that matches with my time and ability. I get the distinct impression that the long term members value sweat equity over intellectual contributions as the true measure of the volunteer.

I think this is my favorite locomotive out at the Museum. When I was a kid, I had a Tyco HO railroad layout and the train set's engine was in the same colors.

Friday, March 28, 2014

OTR: Whatever Happened to Letter Jackets?

Sometimes I have to remind myself that 2014 is as far removed from the beginning of my high school days as those days were removed from the beginning of WWII. This is one of those times.

My younger daughter and I were doing the Spring Break college tour death march this week. At some point, I commented on the lack of letter jackets among the kids also doing the tours. I found it interesting that of the four letter jackets that I did see, three were worn by female marching band members and the fourth was the only true athletic letter jacket that I saw (worn by a young man). I commented that I didn't think I had seen anyone at her school wearing a letter jacket and I got one of those looks that a parent gets from a teenager when you are clearly beneath contempt for bringing up ancient history. ("The '80's called. They'd like you back. Please go.")

Looking across a number of college campuses this week made me reflect on what has changed. Back in the Stone Age, we carried book bags emblazoned with the school's name. It occurred to me that trying to describe one of these to my daughter was going to be impossible -- she has always known backpacks. Next to my gym uniform, the book bag was one of the first things purchased with the school name on it. It was all but required. I'm not sure what people without the official school book bag used. For that matter, I don't recall what I used in college to tote around my books to class. It seemed like I had to replace that book bag every year because the weight of the books I was carrying tore it up. I know I had an old brief case and a salesman's case, but I don't think I used those every day in college.

At one school, we looked in a museum display case and I saw my late 1970's TI-30 calculator. We were the first class to be able to generally afford calculators in class, and we were also the last class to be taught how to use a slide rule. I toted around the Handbook of Chemistry and Physics for two years, along with a mathematical tables book. I suppose every kid today has an app on his or her phone containing the same information, if they still use that sort of stuff.

I do remember ordering my letter jacket. It was the end of Freshman football and we could only then order our jackets. I seem to recall that it was a relatively expensive purchase for my parents -- perhaps around $100. We ordered it a bit larger than I would normally wear. Weeks went by until it arrived. It was glorious. Deep red wool with real leather sleeves (in white). The school name emblazoned across the back. And it was strangely reversible. You could turn it inside out and wear it with a slight bit of anonymity, although, curiously, my name was stitched on the pocket. It wasn't long before my graduation year was sewn on the jacket, then a minor letter and, finally, the varsity letter! (I still have the jacket, although it long ago stopped fitting me. The girls have never seen fit to wear it to school -- even on a Throwback Thursday.)

I have to wonder if letter jackets went the way of the dodo when our culture started awarding trophies to every kid who participated in a sport.

As I look back across over 30 years, I have to wonder if the adults of the late 1970's were thinking the same things that I am today. Were they feeling, "Plus ça change, plus c'est la même chose"? Hard to say, although in the late '70's, I wasn't listening to Glenn Miller with the same enthusiasm that my kids listen to Michael Jackson and the Beatles.

Monday, March 18, 2013


Effective immediately, I am no longer a Certified Records Manager (CRM). If you should happen to see an announcement for a presentation that I am making and it shows me as a CRM, that is no longer the case, so please disregard the designation.

I suspect that I may overlook a few places here and there and there is no intent to mislead anyone or disrespect the credential or the ICRM. After 20 years, it became something of a habit, so I have to unlearn that.