Lawfare Daily: Gharun Lacy Talks State Department Cybersecurity

Published by The Lawfare Institute
in Cooperation With
Gharun Lacy has an unusual job. He’s the head of cybersecurity at the State Department, responsible for securing computers and their users in every embassy and consulate and responsible for making sure senior diplomats can communicate securely even in the most forbidding overseas environments. In a wide-ranging conversation, he sat down with Lawfare’s Benjamin Wittes to talk about the challenging work of the Diplomatic Security Service generally and its work in the cyber and technology security area particularly.
Please note that the transcript was auto-generated and may contain errors.
Transcript
[Intro]
Gharun Lacy:
Our adversaries, if they're going to conduct a physical attack on a diplomatic
facility, there's going to be surveillance that's going to have a technical
security component to it. There's going to be surveillance that's going to have
a cybersecurity component to it. They're going to look to establish patterns of
movements from the individuals through their social media accounts, through
tracking their phones, through looking at their behavior online. So all of that
converges into one unique ecosystem.
Benjamin Wittes: I'm Benjamin Wittes and this is the Lawfare Podcast
with Gharun Lacy, Deputy Assistant Secretary of State and Assistant Director
of the Diplomatic Security Service for cyber and technology security.
Gharun Lacy:
The environment that we are in is so aggressive that having cyber issues is an
inevitability. It absolutely will happen. We wish it didn't, but it will, and
it's the reason we have my bureau and my directorate.
Benjamin Wittes: In a wide-ranging conversation, we talked about
everything from how you secure the Democratic Convention to how you change the
culture of the State Department in cybersecurity.
[Main Podcast]
So, start by just giving us an overview of what
it is that you do and what you have responsibility for.
Gharun Lacy:
Sure. So, I am an unapologetic evangelist for my bureau within the State
Department. The Bureau of Diplomatic Security that's responsible for the safety
of all of our diplomats, responsible for protecting all of our information and
all of our foreign policy processes and all of our foreign policy facilities
overseas. So, 32 bureaus domestically, over 260 facilities in over 170
countries worldwide. And that's traditionally what you think of when you think
of protection for an entity like that. We think of the Bureau of Diplomatic
Security. We provide the guards, the guns, the barriers, the alarms, all of
that stuff that you need to protect foreign policy overseas.
But we're also responsible for protecting that information, that data. Foreign
policy runs on data, and as we become more integrated as a data society, we
become more reliant on real-time, fast-moving data to make our foreign policy
decisions. Someone has to protect that data. What makes the job so much fun and
so interesting is that there's no federal agency that has a IT or data
footprint like ours spread across the entire world, right, interacting with
local and host nation governments, interacting with foreign dignitaries on a
regular basis, forward facing to those foreign dignitaries. So it creates a
really unique attack surface from a cyber standpoint. To your point earlier,
what we have seen when it comes to our primary threat actors, the strategic
competition, you know, you think of the big four, Russia, China, North Korea,
Iran. When you look at either kinetic issues or information issues, the
separation is gone. There is no separation between cybersecurity, physical
security.
Benjamin Wittes: And why is that? Why, like, for, for those who think
there are computers and there are people, and, you know, the security of
computers kind of is one thing, and the security of human beings is another? Walk
us through why that's wrong.
Gharun Lacy:
No, sure. So all those things have converged. You're not going to see a
physical attack anymore that doesn't have some elements of cyber
reconnaissance, right? You're not going to see purely cyber reconnaissance that
doesn't have some element of human engineering, right? We're making that
relationship, that traditional spycraft that we think of a spy coming up to an
American at a bar and building a relationship with him and looking to
compromise that individual. That still happens, but now, instead of just
looking to compromise that individual for data that's live there on the spot,
they're looking to gain credentials to get into this person's email. A lot of
that correspondence is going to start to happen digitally through messaging apps.
Our adversaries,
if they're going to conduct a physical attack on a diplomatic facility, there's
going to be surveillance that's going to have a technical security component to
it. There's going to be surveillance that's going to have a cybersecurity
component to it. They're going to look to establish patterns of movements from
the individuals through their social media accounts, to tracking their phones,
to looking at their behavior online. So, all of that converges into one unique
ecosystem. Combine that with the fact that majority of that surveillance, the
majority of that human engineering is going to happen either in an overseas
environment or a digital environment and now you have this convergence where if
you miss the digital component, if you miss the human engineering component,
you're far beyond behind the curve in order to stop the kinetic component.
Benjamin Wittes: All right. So, I want to get into all kinds of aspects
of this stuff. But before we do, I actually want to ask about you. How does one
become the head of the Bureau of Security at Diplomatic Security at State?
What's your background? And like, how'd you get into this racket?
Gharun Lacy:
So that's the funny story. I'm not an IT professional. I'm a mechanical
engineer by trade. And again, one of the, one of the beautiful things about the
way my Bureau of Diplomatic Security works is we take people from nontraditional
backgrounds and, and encourage and push, move them to grow into roles that they
probably never thought they'd had. My background, mechanical engineering from
Howard University, right here in D.C. I was recruited by the State Department
to do the technical security stuff. So, think of James Bond breaks into an
embassy, plants a bug. That still happens, right? And spies on us. Well, my job
initially was to find that bug in the embassy. To find that bug in a hotel room
and make sure that hotel room was safe for the Secretary of State to have a
classified conversation when they travel to a country. To build, maintain, and
design those physical and technical security systems, your barriers, your
cameras, your explosive detection, your alarm systems that protect classified
spaces. That's what I did for 20, 21 years of my career. And combine that with
the foreign service of traveling, spent time, lived in Nigeria. I lived in
Brazil. I lived in Germany. I lived in Belgium. I lived in Baghdad. I lived in
Colombia.
Benjamin Wittes: And in all of these contexts, you're doing basically
counter-reconnaissance?
Gharun Lacy:
Yes, 100 percent. Counter-surveillance and, and making sure from a technical
standpoint, our facilities are safe for the conduct of foreign policy. About
four years ago, assistant secretary for diplomatic security asked me if I
wanted to take over the Cyber Directorate, from a good friend and mentor who
had built the directorate starting in about 2017. Again, I didn't have the IT
background, but I knew the people. I knew the team that my predecessor had
built, I knew they were good people, and I knew they were patient and would
teach me. So I was able to jump in feet-first, and the one thing about the
cyber world is if you don't know what's happening, it will give you an
immediate opportunity to learn because we are underwater and inundated from a
threat, from a threat perspective. We are constantly, constantly under
bombardment.
So from there, with the same concept of moving nontraditional people into
different roles is the same concept of how our directorate was built. Our
directorate has the traditional cybersecurity component, what people think of
hands-on keyboards, eyes on glass, monitoring the network. But we also have the
part that I think your audience will be interested in. We also have a federal
law enforcement component. We also have an engineering component that looks at
the physical engineering of hardware and devices. Where most people think of
cybersecurity as protecting the data, the ones and zeros over the line, we also
have to make sure that we protect the conversations in our classified
environments from that box that we brought in, that microphone that we're
thinking about a Zoom call. It's still a microphone. And we still have
conversations in this room around that microphone and we want to make sure that
our adversaries are not using the inherent dependency on IT that we've all
developed to pull information out of our facilities.
Benjamin Wittes: Yeah, it's an amazing expansion of the concept of cybersecurity.
So, you and I are sitting in a studio in the Brookings Institution talking
through two microphones, and when we buy these microphones, we are not thinking
about the surveillance capacity of these microphones because we don't have
sensitive conversations. We're, in fact, recording stuff in order to make it
public. So, we think about the audio fidelity. We think about, you know, all
kinds of aspects of the technology and we think about the security of our data.
But the security of our hardware, we're actually intending to conduct
surveillance of ourselves here. And like, if somebody, if the Russians get this
conversation a few days before we make it public on the podcast stream, that's
just not the biggest problem in the world.
Gharun Lacy: Right.
Benjamin Wittes: But
if you're thinking about being able to have secure conversations with secure
technology in any hotel room that a U.S. diplomat, you know, cleared above a
certain level may stay in in the world, that's a hell of a problem.
Gharun Lacy:
And that's the progression of our skillset. That's the progression of our
profession. For 20 years, we strove, our goal was to keep microphones and
cameras out of our classified facilities, that was our job. So, for every one
of us that's a technical surveillance countermeasures, kind of, practitioner,
keeping microphones and cameras out of our classified facilities was the job. It
was paramount. Now our phones, now we have to actually look at how do we allow
cameras and microphones into these facilities for the conduct of business,
because it's absolutely the way we do business now. How do we allow them in,
but still do it securely?
Benjamin Wittes: Yeah. Everyone, every single State Department employee,
100 percent of the time is carrying a surveillance device, a means by which
they can receive material that is possibly compromising and a portable porn
studio.
Gharun Lacy:
A hundred percent. A hundred percent.
Benjamin Wittes: So, I want to explore the boundaries of the jurisdiction
here because when most people think of protecting U.S. comms, U.S. technology, U.S.
government infrastructure, they're thinking about NSA, then they're thinking
about DHS on the domestic side. So, where does your authority, where is it
carved out of the sort of those other components? What, like, how does, where
does your authority start and stop?
Gharun Lacy:
Sure. So, our authority is purely for defensive operations, so we solely
operate on U.S. Department of State networks. It does become an interesting
challenge because of the interoperability between our networks and other
agencies in the federal government. We've had multiple instances through
vulnerability assessments, we've stumbled upon another agency's data. We've
stumbled upon a connection to another agency. That's where we immediately pause,
hold on, work through our partners like CISA to make sure that that information
is passed back and forth through the agencies.
But we're solely focused on U.S. Department of State data wherever it resides. What
gets things way, way more complicated as the federal government becomes more
reliant on private vendors and private companies, our data now starts to
migrate off of our networks and onto other networks that we don't have
visibility and necessarily have control over. Where we in, in Diplomatic Security,
take a look at that problem set, it’s not a technical one, but a people and
relationship issue. We look to develop our relationships, and we have,
especially in Diplomatic Security, we have very strong relationships with our
vendors. Microsoft is one of our primary partners. They sit at the table with
us. We have a great relationship with their incident response team, the people
in Microsoft that do what we do. There's a camaraderie there because we do the
same thing and we do have that clarity of mission. So the exchanges there are
phenomenal. We have other several vendors that whose tools we use, great
relationships. And because our environment is so different and unique, the
vendors love working with us because they get an opportunity to kind of stretch
their tools to really work on them and customize them to a very unique
environment and push the envelope about what these tools can do. And at the
same time, we make sure we leverage that relationship. It's not just about the
tool, but it's about the information. What information do you see from your
side? Every vendor has to have a little curtain where they keep a little bit of
their secret sauce. But we like to say, hey, some of that information is going
to be useful to us, especially in a cyber event. So let's make sure we have the
lines of communication open where we can share those things in real time and
that's relationship build.
In terms of our intel partners, State Department has no authority for any
offensive cyber operations. That is not what we do, wanna make sure that is
perfectly clear. It's purely defensive operations, but with the intel side,
because our footprint is the most popular footprint for our nation state actors
to attack. We've got a great relationship with our intel community, with the
private cyber intelligence community. We have several private vendors that
provide intel to us and they all have come to appreciate the relationship of
being best friends with DS, who's the bouncer outside the most popular club
when it comes to cyber on a geopolitical scale.
Benjamin Wittes: So one thing that you told me when we met privately,
some weeks ago, that just stunned me was how large the operation is. So give us
a sense of scale, like how many people are you dealing with? What's the scope?
Gharun Lacy:
My directorate is about 365 people, budget of around 136 million a year. The
scope of what we have to protect is that 32 bureaus, 270 plus locations, 170
plus countries, 77,000 plus users, the majority of whom, when you get in the
overseas environment, are locally employed staff, third country nationals. So
not just the scale, but complexity. We have to manage the identity management
of hundreds of nationalities who use our network every day. We have to manage
the data intake from hundreds of foreign ministries, who themselves have
varying levels of cyber maturity.
One of the jokes that I share with my CIO all the time is, when you look at
phishing emails and what you tell the general public, be very careful about
that email that comes from a foreign person with a strange link in it. You
should always be a little nervous about clicking on that link. Well at the
Bureau at State Department, it's our job to open that email from that foreign
dignitary and click on that link, right? That's the job of the diplomat, of the
foreign policy officer. So it creates this really unique environment where
we're not DoD, we're not the intelligence community, we're not law enforcement,
we're diplomats. Diplomatic security is a law enforcement bureau, but it's in a
diplomatic agency. So we have to marry all those things up. Then to add to
that, I'm an engineer working for a bunch of federal law enforcement agents in
a foreign policy agency. So I don't know of any, I don't know of any other
office or directorate that's built and sits in an environment quite like ours. It
really is unique.
Benjamin Wittes: All right. So let's talk about a case study in the
uniqueness, which is we are talking on the Friday after the Democratic Convention
ended last night. You guys have a role in a convention like that.
Gharun Lacy:
Sure.
Benjamin Wittes: Why? It's a Democratic Party thing. So why, first of
all, why are you there at all? And secondly, what are you doing in Chicago this
week?
Gharun Lacy:
Yeah. So that's a little bit outside the cyber realm, but we have an Office of Domestic
Operations that does protection activity for foreign dignitaries. Most times
when you think of protection for Secret Service, State Department does more
details than the Secret Service when it comes to foreign dignitaries. Secret
Service covers heads of state, State Department covers just about everyone
else. So, foreign ministers, ministers of trade, ministers of commerce, you
name it. If the threat environment for those foreign ministers is there, we're
going to pick up that protection detail. We work protection details for the foreign
minister in Israel. We recently worked a detail for the Dalai Lama. We work
details for the royal family of the U.K. If it's a foreign dignitary
that has a high threat profile, Bureau of Diplomatic Security nine times out of
ten is going to pick up that protection. At the DNC, there were several foreign
dignitaries there to visit the DNC. Same with the RNC. So, when those
dignitaries come in, if the threat profile warrants it, Bureau of Diplomatic Security
is going to pick up a protective detail and make sure that they can move and
interact with the various elements of our government safely and securely.
Benjamin Wittes: All right, so let's talk about what you're worried
about. You, you've described a just impossibly large attack surface and an
almost total integration of that attack surface with things like protective
details and, you know, the other components of what you guys do, everything
from providing, you know, security details to people going to the DNC, to
making sure that when, you know, a, U.S. diplomat is in a hotel room, he can
have a secure conversation. I mean, that seems like an impossible.
Gharun Lacy:
We only do that for the Secretary of State. We do it for no one, if we had to
do it for every diplomat, we would be inundated. It's next, it's one of the
more difficult platforms and it's only done for the Secretary.
Benjamin Wittes: Gotcha.
Gharun Lacy:
Yeah. Because that's a, it's fun, but it is hard work.
Benjamin Wittes: So when you look at your job now, particularly in the
cyber arena, and say this is the problem or these are the problems that are
keeping me up at night. What's the list looking like?
Gharun Lacy:
Interesting. It's a good question. So again, I'm like I said unapologetic
evangelist for the Bureau of Diplomatic Security. My bureau has an extreme
clarity of mission. We know exactly what we're doing and we know exactly why
we're doing it at all times. That gives us a lot of clarity in our activity and
how we do it. I'll be honest with you, one of the things that adds complication,
I'm not sure if it's a bad thing, but we have a very, very active White House
right now. And within the cyber world, there's a whole host of executive
orders, binding operational directives, FISMA compliance. There's a whole host
of frameworks and compliance guide rails that come out from various levels of
federal government, from the White House, from the National Institute of
Standards and Technology, from OMB. And it's a great place to be because the
focus of the federal government is really on doing their best to perpetuate a
safe cyber environment for the federal government.
The interesting thing about that, though, is when you have to push that, those
types of directives and mandates across the entire federal space, they have to
be written to the lowest common denominator. And where I see a lot of
disconnect, not specifically in the State Department, but in the other agencies
involved in the cyber ecosystem, is there are times when the focus becomes more
on compliance. And the focus becomes more on the framework than it actually is
on the spirit of why you need the compliance in the framework. So for some,
they'll say, hey, if I check these 20 boxes that I got from OMB, I'm secure.
Well, I just described an environment with the State Department's environment,
those 20 boxes are not even going to come close to being able to actually
securing the data that gets processed in an environment as diverse and uneven
as the State Department's.
Benjamin Wittes: So it's good enough for the National Park Service, but
it's not close enough to good enough for you guys.
Gharun Lacy:
Correct. Correct. And I won't say good enough, I think tailored and structured.
The majority of those guidance are written for agencies that may not be as
mature as the State Department. Out of necessity and out of our environment,
we've grown a very mature program, a program that looks forward at threat
environment and is threat driven and threat and intel driven, right? Park Service
may not be so, and that's not a bad thing.
Benjamin Wittes: Yeah, they just don't need to be.
Gharun Lacy:
Right, they haven't needed to be in the past, right? But when you look at where
the threat environment's going, and we talked a bit about the blending of
physical and cyber, the focus on the federal government right now, critical
infrastructure, that is a classic example of where physical and cyber combine. I
can get online, I can manipulate a power generator at a power facility and
cause that generator, if I cycle it on right or wrong or send the wrong type of
amperage to it, I can cause that generator to catch on fire, right? So from a
cyber means I've affected something in the physical world that is causing a
problem. And that is why the federal government has done the right thing and
looked at all of those smaller agencies that can be disrupted and look to push
guidance. That's great. But when you have larger, more complex ecosystems in
one agency, again, that guidance doesn't always necessarily speak to it. And
that's where you have to make sure you have a bureau like Diplomatic Security
that is solely focused on the tactical defense.
I am so grateful for our brother sister bureaus in the State Department. We have the
Bureau of Diplomatic Technology where they are focused on the compliance. They
are focused on, how does that particular guidance from the White House
translate to our environment. I am so happy that they're there because there's
no way we could split that focus. There's no way they could focus on the
guidance and translating that to the department and focus on the actual
tactical defense. So the division of labor is the part that makes it easy for
us at the department. Across the federal government where that division isn't
quite as clear or the capabilities and maturity is not there is one of the things
that concerns me, particularly because we're so integrated with our other
federal partners. The push to share information, especially in the geopolitical
context of strategic competition, it's more important now than it's ever been
for us to be moving information between State Department, between Commerce,
between Treasury, between the Park Service, right? It's so important for us to
be passing information back and forth that pertains to the domestic elements
and how they are affected by geopolitical events. And that's why it is
important to have those frameworks to bring everyone up to some level of
baseline.
Benjamin Wittes: Yeah. So when I, you know, think about like major State Department
information compromises, like the 250,000 cables that were given to WikiLeaks,
those didn't come off of State Department servers. They came off of DoD
servers. On the other hand, you know, I'm thinking about the, like, the IG
reports around the Hillary Clinton email stuff and the, you know, Jim Comey's,
the FBI statement around that. There is, you know, a long term, concern, you
know, about the sort of culture of information handling in the State Department.
And you guys are, are kind of a weird corner of that because you're part of the
State Department, but you're also responsible for corralling that culture,
which has not always been you know, the most careful with, you know, its job is
to share information in some sense, but it, you know, there's a lot of people
in the IC who wring their hands about the way the State Department manages
information. And so I'm just curious as a security person in that environment
and one who is evangelical about the mission of, of your bureau, like, how do
you manage that, where you have a million diplomats running around and some
people are dumping stuff on DoD servers so that Chelsea Manning can give them
to, you know, to Julian Assange. What, like, there's an internal control aspect
of that as well.
Gharun Lacy:
I am so glad you brought that up. Absolutely. One of the things that we've been
very successful at over the past five, six years or so is changing that
messaging. You talked about one of the things that, what are some of the
difficult things about this profession? Behavior change. Like changing human
behavior is hard. It's extremely hard. Where we have been fortunate over the
past couple of years is we've had leadership that has come in and been willing
to carry the cybersecurity message, from Secretary Blinken on down. Secretary
Blinken has a digital modernization agenda for the State Department, the State
Department's modernization agenda. And it lays out not just how we're going to
better use our information, how we're going to use modern tools, how we're
going to use data to inform decisions. But it also lays out at its core how
we're going to protect those tools, how we're going to protect that data.
One of the jobs that I share with the Bureau of Diplomatic Technology, I have an
awareness program in my directorate. Their only job is to maintain an awareness
program that trains our users and personnel, right? Bring awareness to them
about what they do online and how it affects the security of their primary
business, which is conducting foreign policy. What we've had to learn over the
years is that the common view of security is that, okay, everybody, that's
your, that's your broccoli, that's your vitamins. Nobody likes taking them. But
I think where we've made the shift is particularly on my side, is being able to
articulate security as a business accelerator. We do have a history of issues,
cyber issues, that have happened at the State Department, and it's allowed us
to take those stories and put in real terms for our users what happens when we
are negligent. We can absolutely lay out the consequences that have happened
over the years from the department when we have not been as vigilant as we
should have been. Every single ambassador, every single ambassador, before they
go overseas to take their post, they have a briefing from my folks about the
need for cybersecurity, a little bit of the history of cyber at State
Department.
Benjamin Wittes: How would you characterize that history of cyber at the
State Department?
Gharun Lacy:
I would say it's a reflection of the environment. I think the idea that State
Department has had a problem over the years is not quite accurate. Truth is
always in the middle. Obviously, we're not as good as I like to say that we
should have been, but when you take, it's like somebody saying, hey, it's
raining outside, your window’s leaking. Cool. I think the problem that we've
had is with the characterization of the narrative. The State Department isn't
the house in the rain. The State Department is the house that's completely
submerged underwater. The environment that we're in is so aggressive that
having cyber issues is an inevitability. It absolutely will happen. We wish it
didn't. But it will. And it's the reason we have my bureau and my directorate.
We are those guys and gals that will put the knife in our teeth and dive into
the fire. Right? That is our job. Our job is to be there when the inevitable
does happen and take care of it. I look at it like a firefighter, right? Nobody
wants that house to be on fire. Nobody wants that to happen. But if there is
smoke, you want some firefighters that are really experienced at putting out
fires.
Benjamin Wittes: Do you assume that the State Department's unclassified
systems, that the big four cyber threat actors are in those systems? Or do you
assume that you’re manning a periphery and keeping them out? What's your
working assumption on a day to day basis?
Gharun Lacy:
To not have an assumption. We absolutely have to take the data as it comes to
us every single day. What we know for a fact is they're always at the
perimeter. They're always knocking. They're never not trying. And it's one of
the concepts, I think, one of the places where our federal government has
helped us, the concept of zero trust is that concept of saying you will have
breaches. It will happen. The job now is to, yes, you do your best to keep them
from happening. Nobody wants them to happen, but you also structure yourself
from an architectural standpoint so when they do get in, they only get into
that one place and that one room and you contain it, right? It is a dichotomy
of thought, so to speak, because as we become so data integrated and data
connected, we want to maintain that. But at the same time, we want to make sure
that we're segmented off from a threat perspective so that if they get to one
place, they get to one place and one place only.
What we operate under, I wouldn't call an assumption, we operate under the knowledge
that these adversaries are never going to stop. They're never going to stop.
They're never going to change administration. They're never going to shift and
be friends with us. They're always, always, always going to come after our
data. So, the only mantra that we have is that however good we are today is not
good enough and we always have to continue. We're going to be in this arms race
in perpetuity and we need to embrace that race, right? We need to embrace that
constant improvement because the adversary is doing the same thing.
Benjamin Wittes: And what about the classified side? Where is it? How
high up the classification chain do you have to go before you guys are no
longer responsible for, you know, it becomes a sort of NSA defensive thing, not
a, DIPSEC defensive thing.
Gharun Lacy:
Sure. No, for in the Department, you know, we're responsible with protection on
the unclassified network and our secret level network. Our good close partners
in the Bureau of INR are responsible for the protection of the TS fabric for
the State Department and they are good partners. I actually spent a good
portion of the day yesterday with their CIO, Mr. Jimmy Hall. He's a good
friend.
Benjamin Wittes: And just to be clear, INR is?
Gharun Lacy:
They are the intelligence element inside of State Department. So just like
State Department has a law enforcement bureau inside of the State Department,
State Department has an IC element inside the State Department and that's the
Bureau of INR.
Benjamin Wittes: So, I want to return to the question of like what you're
what your biggest day to day worries are. You've described, you know, a
constant set of perimeter attacks, and then the need to manage breaches when
they happen. You've talked about a workforce training that is trying to change
the culture a little bit, make people more, more aware of defense and cyber
threats. You've talked about a very dynamic interaction with other governments,
other U.S. agency components and industry. How do you sleep at night? I mean,
like, you're describing just an impossible thing. So when you bolt up at two in
the morning, worried about something, what is it?
Gharun Lacy:
So usually it won't be me waking up. It'll be a call. What brings me a lot of
comfort is the quality of those 365 people in this team. I never worked with a
more dedicated, creative, and mission driven bunch. They care so much and
they're so good at what they do. So, yeah, but when we do jump up, you know,
obviously it's the nation state actor, the holy grail, which you never want to
see is that the nation state actor has gotten into your classified, classified
data and has pulled some type of essential foreign policy national security
information and is using it and weaponizing it against us, right? That is
something that we never want to see. That's the nightmare scenario. Your
unclassified network is your unclassified network for a reason. It's why people
only process unclassified information. Now, with that interconnectivity, you
always worry about the aggregation of a million pieces of unclassified
information being put together.
Benjamin Wittes: You could learn a huge amount about how the State
Department works on a day-to-day basis without touching a single piece of
classified information if you have enough data about the rest of that.
Gharun Lacy:
Correct.
Benjamin Wittes: Especially the cafeteria.
Gharun Lacy:
I was posted in Brussels, Belgium, and I used to hang out in the cafeteria at
NATO headquarters. Phew. That scares me. When we talk about what scares me, that
scares me. But yeah, so, so many nuggets floating around that we have to
protect. One of the things that does where we've placed a lot of emphasis, and
if you ask me this question, maybe a year or two ago, this would have been my
answer is: because we have so many different priorities across the department,
32 different bureaus, each of them with their own distinct missions, each of
them with their own distinct risk tolerances and distinct IT capabilities.
There can be pockets of your information and pockets of your network that you
don't know exist that you don't have visibility on. For whatever reason over
the last 15 to 20 years, they were stood up out of a business necessity over
here without your tools, without your knowledge, you know, without the
documentation to show that it's there. That would have been the concern for me
maybe a year and a half ago, two years ago.
The good news is that was a concern and collectively we have attacked it over the
last 18 months in partnership with our good friends in Diplomatic Technology,
in partnership with our good friends in the Center for Analytics, in
partnership with some of the larger bureaus that are extremely capable, like
the Bureau of Consular Affairs that operates a huge network segment. We've gone
after the visibility in those little corners that we couldn't see. Happy to say
that the progress in that regard has been going outstandingly well, and that's
where we've had to continue to ramp up our capacity as we get visibility into
those areas, that's a lot more data coming at us. And we have to be able to
sift through that data, make sure that we understand what's happening and make
sure we can respond or make sure we can start to see the deviations in trend
that may not necessarily be an incident, but may be pointing at an incident
that may happen soon.
Benjamin Wittes: One thing that you have come back to several times in
this conversation is the role of the State Department leadership in, in driving
some of this change. I'm curious whether in your judgment, you're a career guy,
you're not a, you know, you're not part of the administration, except in the
sense that you're in a, you're in a leadership role. How much of this is, in
your judgment, Tony Blinken, Biden administration set of initiatives, and how
much of it is institutional change that, you know, is longer term than that and
will, you know, continue in a hypothetical administration, next administration,
whether it's a second Donald Trump administration or a Kamala Harris
administration. Are you, do you think of this as something that this
administration is very committed to, or something that this just is change that
the State Department is going through that's important?
Gharun Lacy:
I think it's a reflection of how the department is built. Again, clarity of
mission. We know why we do everything. Foreign policy has always driven where
we've gone from a defensive and a protective standpoint. So if you look at the
progression over the last decade or so, the focus on counterterrorism through
the last 10, 15 years or so, right? It was a focus on counterterrorism. That's
how our protective mission was built. It was built for expeditionary diplomacy.
It was built for how do we protect people in some very hard environments like
Iraq and Afghanistan while they conduct foreign policy? So if you look at the
structure of the support, the support activities, which we absolutely are.
Remember, we're, our job is to support the conduct of foreign policy, not
execute security for the sake of security. But our job is to make sure that our
foreign service officers and our diplomats can have the face to face
conversations that they need to have. So as the nature of those conversations
change, we change our protective stance.
As the U.S. shifted from a focus on counterterrorism, which was extremely kinetically
based, kinetic defense, the ability to go out into some very hard environments,
and now shifted to strategic competition with those big four actors. When you
say strategic competition, China really starts to rise to the top. Then the
tactics that we adjust to, to make sure that we can facilitate foreign policy
in a strategic competition environment has to change. Strategic competition is
almost all about data. Who has the information? Who knows the talking points? Who
has the upper hand in a negotiation? Who can compel a third or fourth party to
partner with them? That's all information and relationship based, and that's
where that focus and shift has happened. So I think that the way the department
is built to adjust to changes in foreign policy really dictates how we do the
job.
The beauty, again, of our bureau is that we're nonpolitical. It doesn't matter the
administration. It doesn't matter the policy from the White House. Our job
still remains predominantly the same. Protect the people. Protect the property.
Protect the secrets so that they can conduct foreign policy, the tactics that
we adjust to and how we move is so, well, not solely, but predominantly based
on the environment. One of the questions that we ask and bring to the table
when it comes to cyber? We ask a certain question that most cyber defenders
most typical cyber practitioner has it in their skill set but ours is
prominence while we have such a strong intelligence component: who? The who for
us is so important. Who's coming after us and why? We use that information to
help us determine how. The actors get really smart about hiding their
tactics, so we want to know who's coming after us and why and let that help
guide how they're coming after us and how we defend against it. But the beauty
of it from the State Department, we are apolitical, right? Whoever's in office,
whoever, whatever the foreign policy is, we're going to protect it. We're going
to facilitate it. We're going to keep it safe.
Benjamin Wittes: A couple of non-cyber questions before we wrap up. There
have been, as you know, a lot of concerns about incidents involving U.S.
diplomats and intelligence personnel who have been hit with mysterious
syndromes that are frequently believed to be the result of some kind of
directed energy weapon. As far as I know, nobody has definitively identified
what has happened to whom and where, but you do have a lot of people who seem
to be claiming this. And some of whom are clearly impaired as a result of
something that happened. How do you protect U.S. diplomats against an
unspecified threat, you know, that we don't understand and we don't know who's
doing it, but seems to be quite serious when it happens?
Gharun Lacy:
Sure. Now, that is an absolute challenge. In my prior role to being here in
cyber, I actually worked in our countermeasures directorate where we worked on
that problem set the way we approached it, because we're engineers, is how do
we get the data right? We absolutely need to understand what the environmental
causes for some of the- One, working with some of the smartest people in the
federal government. What is the what? What are the symptoms that we absolutely
can't account for? And then how do we gather the data that's going to help us?
I think for us, the primary thing that we look at is making sure that our
personnel are informed, to make sure that we're being transparent with our
staff, transparent with our workforce.
Not going to get into too much detail here, but make sure that we've also gathered
the environmental information to the best of our ability and have the
capability to gather whatever environmental information we can. That was the
focus of my countermeasures directorate and the focus of that activity was to
make sure that we could put some quantifiable data around this and at least be
able to eliminate certain things. There are definitely other elements in the
federal government that have taken on a different approach looking at different
factors, different variables. But for us, again, it was always protective. What
are the elements in the environment that we can quantify and that we can look
for changes and deviations in?
Right now, we have a very mature, very well thought out response plan where if we
have an individual that has, you know, reports certain symptoms, we go through
a whole process. There's equipment that we move. There are services that we
provide to the individual. It is laid out. It's a good SOP, to make sure that
the individual can gain the information that they need to feel comfortable, and
that we can gain the information we can to give them the most data that we can
at the time about what did happen in the environment or what we've seen in the
environment since. Unfortunately, being retroactive about what happened at the
exact time an individual faced symptoms is next to impossible to do. But what
we can do is from the time we've got that report, we can make sure that we've
pushed equipment to place, to make sure that we are recording what's happening
in the environment, and looking to see if there's anything there that we can
provide them with information on. The process now has matured over the past
couple of years and is a good process. And we make sure people understand that
process is one of the ways we can try to give them at least a little bit of
level of comfort until that smoking, that smoking gun, so to speak, is discovered.
And, you know, we actually have the physics behind what has happened, there's
always going to be, we're still going to be in this kind of state of limbo.
Benjamin Wittes: Finally, I want to ask about a different side of the
protective function, which is, you know, you guys protect a bunch of embassies
and visiting dignitaries who don't always behave very well. You know, there's a
famous incident involving the president of Turkey in this building whose thugs
kind of beat some protesters outside. Similar things have happened near the
Turkish embassy at different times. And you know, I have, in one of my other
lives, I do some provocative protests at the Russian embassy. You guys have
been uniformly fabulous in, in dealing with that stuff. But I've seen the
Russians do some stuff that is, you know, frankly illegal and not playing fair
by the, you know, standards of U.S. norms and laws and interactions with
protesters. And I'm curious, you know, when you guys are protecting people who
are behaving real badly, what's the, you know, what's the obligation? What's
the protocol for, you know, you guys are providing a security detail for a
diplomat who, or for a dignitary who's got his own bodyguards who don't respect
protesters, what do you do?
Gharun Lacy:
So, that's where the relationships that we build across state and local law
enforcement come into play. For every detail that we have running for a
dignitary, Bureau of Diplomatic Security is in contact with the cognizant local
authorities, D.C. Metro Police, good partners. Wherever we have facilities
where we have to do our protection details, we also make sure that we are
closely coordinated with our local and state law enforcement elements in that
same location. And that's where that's where that line is drawn, right? You
know, a dignitary commits a crime in Washington capital region, then we would
rely on our D.C. Metro partners to actually take care of that issue again. And
that's where the authorities, kind of, our authority in that moment is to
protect that individual, but of course, all law enforcement has the
responsibility of protecting life, safety of anyone that's involved in that
moment. But when you talk about the crime prosecution component of it, that's
where we rely on our local and state law enforcement bodies to really be in
that sweet spot where the handoff happens and they take over.
Benjamin Wittes: Thank you so much for taking the time to talk to us
today.
Gharun Lacy:
Absolutely. No, absolutely. Lot of fun.
Benjamin Wittes: The Lawfare Podcast is produced in cooperation with the Brookings Institution.
You can get ad-free versions of this and other Lawfare podcasts by
becoming a Lawfare material supporter through our website,
lawfaremedia.org/support. You'll also get access to special events and other
content available only to our supporters. Please rate and review us wherever
you get your podcasts. Look out for our other podcasts including Rational
Security, Chatter, Allies, and the Aftermath. Our latest Lawfare Presents podcast series on the government's response to
January 6th. Check out our written work at lawfaremedia.org. The podcast is
edited by Jen Patja. Our theme song is from Alibi Music. As always, thank you
for listening.