Latest in Podcasts and Multimedia

Cybersecurity & Tech Executive Branch

Lawfare Daily: Gharun Lacy Talks State Department Cybersecurity

Benjamin Wittes, Gharun Lacy, Jen Patja
Monday, September 16, 2024, 8:00 AM
Discussing the Diplomatic Security Service's cybersecurity work.

Published by The Lawfare Institute
in Cooperation With
Brookings

Gharun Lacy has an unusual job. He’s the head of cybersecurity at the State Department, responsible for securing computers and their users in every embassy and consulate and responsible for making sure senior diplomats can communicate securely even in the most forbidding overseas environments. In a wide-ranging conversation, he sat down with Lawfare’s Benjamin Wittes to talk about the challenging work of the Diplomatic Security Service generally and its work in the cyber and technology security area particularly.

To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/c/trumptrials.

Click the button below to view a transcript of this podcast. Please note that the transcript was auto-generated and may contain errors.

 

Transcript

[Intro]

Gharun Lacy: Our adversaries, if they're going to conduct a physical attack on a diplomatic facility, there's going to be surveillance that's going to have a technical security component to it. There's going to be surveillance that's going to have a cybersecurity component to it. They're going to look to establish patterns of movements from the individuals through their social media accounts, through tracking their phones, through looking at their behavior online. So all of that converges into one unique ecosystem.

Benjamin Wittes: I'm Benjamin Wittes and this is the Lawfare Podcast with Gharun Lacey, Deputy Assistant Secretary of State and Assistant Director of the Diplomatic Security Service for cyber and technology security.

Gharun Lacy: The environment that we are in is so aggressive that having cyber issues is an inevitability. It absolutely will happen. We wish it didn't, but it will, and it's the reason we have my bureau and my directorate.

Benjamin Wittes: In a wide-ranging conversation, we talked about everything from how you secure the Democratic Convention to how you change the culture of the State Department in cybersecurity.

[Main Podcast]

 So, start by just giving us an overview of what it is that you do and what you have responsibility for.

Gharun Lacy: Sure. So, I am an unapologetic evangelist for my bureau within the State Department. The Bureau of Diplomatic Security that's responsible for the safety of all of our diplomats, responsible for protecting all of our information and all of our foreign policy processes and all of our foreign policy facilities overseas. So, 32 bureaus domestically, over 260 facilities in over 170 countries worldwide. And that's traditionally what you think of when you think of protection for an entity like that. We think of the Bureau of Diplomatic Security. We provide the guards, the guns, the barriers, the alarms, all of that stuff that you need to protect foreign policy overseas.

But we're also responsible for protecting that information, that data. Foreign policy runs on data, and as we become more integrated as a data society, we become more reliant on real-time, fast-moving data to make our foreign policy decisions. Someone has to protect that data. What makes the job so much fun and so interesting is that there's no federal agency that has a IT or data footprint like ours spread across the entire world, right, interacting with local and host nation governments, interacting with foreign dignitaries on a regular basis, forward facing to those foreign dignitaries. So it creates a really unique attack surface from a cyber standpoint. To your point earlier, what we have seen when it comes to our primary threat actors, the strategic competition, you know, you think of the big four, Russia, China, North Korea, Iran. When you look at either kinetic issues or information issues, the separation is gone. There is no separation between cybersecurity, physical security.

Benjamin Wittes: And why is that? Why, like, for, for those who think there are computers and there are people, and, you know, the security of computers kind of is one thing, and the security of human beings is another? Walk us through why that's wrong.

Gharun Lacy: No, sure. So all those things have converged. You're not going to see a physical attack anymore that doesn't have some elements of cyber reconnaissance, right? You're not going to see purely cyber reconnaissance that doesn't have some element of human engineering, right? We're making that relationship, that traditional spycraft that we think of a spy coming up to an American at a bar and building a relationship with him and looking to compromise that individual. That still happens, but now, instead of just looking to compromise that individual for data that's live there on the spot, they're looking to gain credentials to get into this person's email. A lot of that correspondence is going to start to happen digitally through messaging apps.

Our adversaries, if they're going to conduct a physical attack on a diplomatic facility, there's going to be surveillance that's going to have a technical security component to it. There's going to be surveillance that's going to have a cybersecurity component to it. They're going to look to establish patterns of movements from the individuals through their social media accounts, to tracking their phones, to looking at their behavior online. So, all of that converges into one unique ecosystem. Combine that with the fact that majority of that surveillance, the majority of that human engineering is going to happen either in an overseas environment or a digital environment and now you have this convergence where if you miss the digital component, if you miss the human engineering component, you're far beyond behind the curve in order to stop the kinetic component.

Benjamin Wittes: All right. So, I want to get into all kinds of aspects of this stuff. But before we do, I actually want to ask about you. How does one become the head of the Bureau of Security at Diplomatic Security at State? What's your background? And like, how'd you get into this racket?

Gharun Lacy: So that's the funny story. I'm not an IT professional. I'm a mechanical engineer by trade. And again, one of the, one of the beautiful things about the way my Bureau of Diplomatic Security works is we take people from nontraditional backgrounds and, and encourage and push, move them to grow into roles that they probably never thought they'd had. My background, mechanical engineering from Howard University, right here in D.C. I was recruited by the State Department to do the technical security stuff. So, think of James Bond breaks into an embassy, plants a bug. That still happens, right? And spies on us. Well, my job initially was to find that bug in the embassy. To find that bug in a hotel room and make sure that hotel room was safe for the Secretary of State to have a classified conversation when they travel to a country. To build, maintain, and design those physical and technical security systems, your barriers, your cameras, your explosive detection, your alarm systems that protect classified spaces. That's what I did for 20, 21 years of my career. And combine that with the foreign service of traveling, spent time, lived in Nigeria. I lived in Brazil. I lived in Germany. I lived in Belgium. I lived in Baghdad. I lived in Colombia.

Benjamin Wittes: And in all of these contexts, you're doing basically counter-recognizance?

Gharun Lacy: Yes, 100 percent. Counter-surveillance and, and making sure from a technical standpoint, our facilities are safe for the conduct of foreign policy. About four years ago, assistant secretary for diplomatic security asked me if I wanted to take over the Cyber Directorate, from a good friend and mentor who had built the directorate starting in about 2017. Again, I didn't have the IT background, but I knew the people. I knew the team that my predecessor had built, I knew they were good people, and I knew they were patient and would teach me. So I was able to jump in feet-first, and the one thing about the cyber world is if you don't know what's happening, it will give you an immediate opportunity to learn because we are underwater and inundated from a threat, from a threat perspective. We are constantly, constantly under bombardment.

So from there, with the same concept of moving nontraditional people into different roles is the same concept of how our directorate was built. Our directorate has the traditional cybersecurity component, what people think of hands-on keyboards, eyes on glass, monitoring the network. But we also have the part that I think your audience will be interested in. We also have a federal law enforcement component. We also have an engineering component that looks at the physical engineering of hardware and devices. Ahere most people think of cybersecurity as protecting the data, the ones and zeros over the line, we also have to make sure that we protect the conversations in our classified environments from that box that we brought in, that microphone that we're thinking about a Zoom call. It's still a microphone. And we still have conversations in this room around that microphone and we want to make sure that our adversaries are not using the inherent dependency on IT that we've all developed to pull information out of our facilities.

Benjamin Wittes: Yeah, it's an amazing expansion of the concept of cybersecurity. So, you and I are sitting in a studio in the Brookings Institution talking through two microphones, and when we buy these microphones, we are not thinking about the surveillance capacity of these microphones because we don't have sensitive conversations. We're, in fact, recording stuff in order to make it public. So, we think about the audio fidelity. We think about, you know, all kinds of aspects of the technology and we think about the security of our data. But the security of our hardware, we're actually intending to conduct surveillance of ourselves here. And like, if somebody, if the Russians get this conversation a few days before we make it public on the podcast stream, that's just not the biggest problem in the world.

Gharun Lacy: Right.

Benjamin Wittes: But if you're thinking about being able to have secure conversations with secure technology in any hotel room that a U.S. diplomat, you know, cleared above a certain level may stay in in the world, that's a hell of a problem.

Gharun Lacy: And that's the progression of our skillset. That's the progression of our profession. For 20 years, we strove, our goal was to keep microphones and cameras out of our classified facilities, that was our job. So, for every one of us that's a technical surveillance countermeasures, kind of, practitioner, keeping microphones and cameras out of our classified facilities was the job. It was paramount. Now our phones, now we have to actually look at how do we allow cameras and microphones into these facilities for the conduct of business, because it's absolutely the way we do business now. How do we allow them in, but still do it securely?

Benjamin Wittes: Yeah. Everyone, every single State Department employee, 100 percent of the time is carrying a surveillance device, a means by which they can receive material that is possibly compromising and a portable porn studio.

Gharun Lacy: A hundred percent. A hundred percent.

Benjamin Wittes: So, I want to explore the boundaries of the jurisdiction here because when most people think of protecting U.S. comms, U.S. technology, U.S. government infrastructure, they're thinking about NSA, then they're thinking about DHS on the domestic side. So, where does your authority, where is it carved out of the sort of those other components? What, like, how does, where does your authority start and stop?

Gharun Lacy: Sure. So, our authority is purely for defensive operations, so we solely operate on U.S. Department of State networks. It does become an interesting challenge because of the interoperability between our networks and other agencies in the federal government. We've had multiple instances through vulnerability assessments, we've stumbled upon another agency's data. We've stumbled upon a connection to another agency. That's where we immediately pause, hold on, work through our partners like CISA to make sure that that information is passed back and forth through the agencies.

But we're solely focused on U.S. Department of State data wherever it resides. What gets things way, way more complicated as the federal government becomes more reliant on private vendors and private companies, our data now starts to migrate off of our networks and onto other networks that we don't have visibility and necessarily have control over. Where we in, in Diplomatic Security, take a look at that problem set, it’s not a technical one, but a people and relationship issue. We look to develop our relationships, and we have, especially in Diplomatic Security, we have very strong relationships with our vendors. Microsoft is one of our primary partners. They sit at the table with us. We have a great relationship with their incident response team, the people in Microsoft that do what we do. There's a camaraderie there because we do the same thing and we do have that clarity of mission. So the exchanges there are phenomenal. We have other several vendors that whose tools we use, great relationships. And because our environment is so different and unique, the vendors love working with us because they get an opportunity to kind of stretch their tools to really work on them and customize them to a very unique environment and push the envelope about what these tools can do. And at the same time, we make sure we leverage that relationship. It's not just about the tool, but it's about the information. What information do you see from your side? Every vendor has to have a little curtain where they keep a little bit of their secret sauce. But we like to say, hey, some of that information is going to be useful to us, especially in a cyber event. So let's make sure we have the lines of communication open where we can share those things in real time and that's relationship build.

In terms of our intel partners, State Department has no authority for any offensive cyber operations. That is not what we do, wanna make sure that is perfectly clear. It's purely defensive operations, but with the intel side, because our footprint is the most popular footprint for our nation state actors to attack. We've got a great relationship with our intel community, with the private cyber intelligence community. We have several private vendors that provide intel to us and they all have come to appreciate the relationship of being best friends with DS, who's the bouncer outside the most popular club when it comes to cyber on a geopolitical scale.

Benjamin Wittes: So one thing that you told me when we met privately, some weeks ago, that just stunned me was how large the operation is. So give us a sense of scale, like how many people are you dealing with? What's the scope?

Gharun Lacy: My directorate is about 365 people, budget of around 136 million a year. The scope of what we have to protect is that 32 bureaus, 270 plus locations, 170 plus countries, 77,000 plus users, the majority of whom, when you get in the overseas environment, are locally employed staff, third country nationals. So not just the scale, but complexity. We have to manage the identity management of hundreds of nationalities who use our network every day. We have to manage the data intake from hundreds of foreign ministries, who themselves have varying levels of cyber maturity.

One of the jokes that I share with my CIO all the time is, when you look at phishing emails and what you tell the general public, be very careful about that email that comes from a foreign person with a strange link in it. You should always be a little nervous about clicking on that link. Well at the Bureau at State Department, it's our job to open that email from that foreign dignitary and click on that link, right? That's the job of the diplomat, of the foreign policy officer. So it creates this really unique environment where we're not DoD, we're not the intelligence community, we're not law enforcement, we're diplomats. Diplomatic security is a law enforcement bureau, but it's in a diplomatic agency. So we have to marry all those things up. Then to add to that, I'm an engineer working for a bunch of federal law enforcement agents in a foreign policy agency. So I don't know of any, I don't know of any other office or directorate that's built and sits in an environment quite like ours. It really is unique.

Benjamin Wittes: All right. So let's talk about a case study in the uniqueness, which is we are talking on the Friday after the Democratic Convention ended last night. You guys have a role in a convention like that.

Gharun Lacy: Sure.

Benjamin Wittes: Why? It's a Democratic Party thing. So why, first of all, why are you there at all? And secondly, what are you doing in Chicago this week?

Gharun Lacy: Yeah. So that's a little bit outside the cyber realm, but we have an Office of Domestic Operations that does protection activity for foreign dignitaries. Most times when you think of protection for Secret Service, State Department does more details than the Secret Service when it comes to foreign dignitaries. Secret Service covers heads of state, State Department covers just about everyone else. So, foreign ministers, ministers of trade, ministers of commerce, you name it. If the threat environment for those foreign ministers is there, we're going to pick up that protection detail. We work protection details for the foreign minister in Israel. We recently worked a detail for the Dalai Lama. We work details for the royal family of the of the U.K. If it's a foreign dignitary that has a high threat profile, Bureau of Diplomatic Security nine times out of ten is going to pick up that protection. At the DNC, there were several foreign dignitaries there to visit the DNC. Same with the RNC. So, when those dignitaries come in, if the threat profile warrants it, Bureau of Diplomatic Security is going to pick up a protective detail and make sure that they can move and interact with the various elements of our government safely and securely.

Benjamin Wittes: All right, so let's talk about what you're worried about. You, you've described a just impossibly large attack surface and an almost total integration of that attack surface with things like protective details and, you know, the other components of what you guys do, everything from providing, you know, security details to people going to the DNC, to making sure that when, you know, a, U.S. diplomat is in a hotel room, he can have a secure conversation. I mean, that seems like an impossible.

Gharun Lacy: We only do that for the Secretary of State. We do it for no one, if we had to do it for every diplomat, we would be inundated. It's next, it's one of the more difficult platforms and it's only done for the Secretary.

Benjamin Wittes: Gotcha.

Gharun Lacy: Yeah. Because that's a, it's fun, but it is hard work.

Benjamin Wittes: So when you look at your job now, particularly in the cyber arena, and say this is the problem or these are the problems that are keeping me up at night. What's the list looking like?

Gharun Lacy: Interesting. It's a good question. So again, I'm like I said unapologetic evangelist for the Bureau of Diplomatic Security. My bureau has an extreme clarity of mission. We know exactly what we're doing and we know exactly why we're doing it at all times. That gives us a lot of clarity in our activity and how we do it. I'll be honest with you, one of the things that adds complication, I'm not sure if it's a bad thing, but we have a very, very active White House right now. And within the cyber world, there's a whole host of executive orders, binding operational directives, FISMA compliance. There's a whole host of frameworks and compliance guide rails that come out from various levels of federal government, from the White House, from the National Institute of Standards and Technology, from OMB. And it's a great place to be because the focus of the federal government is really on doing their best to perpetuate a safe cyber environment for the federal government.

The interesting thing about that, though, is when you have to push that, those types of directives and mandates across the entire federal space, they have to be written to the lowest common denominator. And where I see a lot of disconnect, not specifically in the State Department, but in the other agencies involved in the cyber ecosystem, is there are times when the focus becomes more on compliance. And the focus becomes more on the framework than it actually is on the spirit of why you need the compliance in the framework. So for some, they'll say, hey, if I check these 20 boxes that I got from OMB, I'm secure. Well, I just described an environment with the State Department's environment, those 20 boxes are not even going to come close to being able to actually securing the data that gets processed in an environment as diverse and uneven as the State Department's.

Benjamin Wittes: So it's good enough for the National Park Service, but it's not close enough to good enough for you guys.

Gharun Lacy: Correct. Correct. And I won't say good enough, I think tailored and structured. The majority of those guidance are written for agencies that may not be as mature as the State Department. Out of necessity and out of our environment, we've grown a very mature program, a program that looks forward at threat environment and is threat driven and threat and intel driven, right? Park Service may not be so, and that's not a bad thing.

Benjamin Wittes: Yeah, they just don't need to be.

Gharun Lacy: Right, they haven't needed to be in the past, right? But when you look at where the threat environment's going, and we talked a bit about the blending of physical and cyber, the focus on the federal government right now, critical infrastructure, that is a classic example of where physical and cyber combine. I can get online, I can manipulate a power generator at a power facility and cause that generator, if I cycle it on right or wrong or send the wrong type of amperage to it, I can cause that generator to catch on fire, right? So from a cyber means I've affected something in the physical world that is causing a problem. And that is why the federal government has done the right thing and looked at all of those smaller agencies that can be disrupted and look to push guidance. That's great. But when you have larger, more complex ecosystems in one agency, again, that guidance doesn't always necessarily speak to it. And that's where you have to make sure you have a bureau like Diplomatic Security that is solely focused on the tactical defense.

I am so grateful for our brother sister bureaus in the State Department. We have the Bureau of Diplomatic Technology where they are focused on the compliance. They are focused on, how does that particular guidance from the White House translate to our environment. I am so happy that they're there because there's no way we could split that focus. There's no way they could focus on the guidance and translating that to the department and focus on the actual tactical defense. So the division of labor is the part that makes it easy for us at the department. Across the federal government where that division isn't quite as clear or the capabilities and maturity is not there is one of the things that concerns me, particularly because we're so integrated with our other federal partners. The push to share information, especially in the geopolitical context of strategic competition, it's more important now than it's ever been for us to be moving information between State Department, between Commerce, between Treasury, between the Park Service, right? It's so important for us to be passing information back and forth that pertains to the domestic elements and how they are affected by geopolitical events. And that's why it is important to have those frameworks to bring everyone up to some level of baseline.

Benjamin Wittes: Yeah. So when I, you know, think about like major State Department information compromises, like the 250,000 cables that were given to WikiLeaks, those didn't come off of state department servers. They came off of DoD servers. On the other hand, you know, I'm thinking about the, like, the IG reports around the Hillary Clinton email stuff and the, you know, Jim Comey's, the FBI statement around that. There is, you know, a long term, concern, you know, about the sort of culture of information handling in the State Department. And you guys are, are kind of a weird corner of that because you're part of the State Department, but you're also responsible for corralling that culture, which has not always been you know, the most careful with, you know, its job is to share information in some sense, but it, you know, there's a lot of people in the IC who wring their hands about the way the State Department manages information. And so I'm just curious as a security person in that environment and one who is evangelical about the mission of, of your bureau, like, how do you manage that, where you have a million diplomats running around and some people are dumping stuff on DoD servers so that Chelsea Manning can give them to, you know, to Julian Assange. What, like, there's an internal control aspect of that as well.

Gharun Lacy: I am so glad you brought that up. Absolutely. One of the things that we've been very successful at over the past five, six years or so is changing that messaging. You talked about one of the things that, what are some of the difficult things about this profession? Behavior change. Like changing human behavior is hard. It's extremely hard. Where we have been fortunate over the past couple of years is we've had leadership that has come in and been willing to carry the cybersecurity message, from Secretary Blinken on down. Secretary Blinken has a digital modernization agenda for the State Department, the State Department's modernization agenda. And it lays out not just how we're going to better use our information, how we're going to use modern tools, how we're going to use data to inform decisions. But it also lays out at its core how we're going to protect those tools, how we're going to protect that data.

One of the jobs that I share with the Bureau of Diplomatic Technology, I have an awareness program in my directorate. Their only job is to maintain an awareness program that trains our users and personnel, right? Bring awareness to them about what they do online and how it affects the security of their primary business, which is conducting foreign policy. What we've had to learn over the years is that the common view of security is that, okay, everybody, that's your, that's your broccoli, that's your vitamins. Nobody likes taking them. But I think where we've made the shift is particularly on my side, is being able to articulate security as a business accelerator. We do have a history of issues, cyber issues, that have happened at the State Department, and it's allowed us to take those stories and put in real terms for our users what happens when we are negligent. We can absolutely lay out the consequences that have happened over the years from the department when we have not been as vigilant as we should have been. Every single ambassador, every single ambassador, before they go overseas to take their post, they have a briefing from my folks about the need for cybersecurity, a little bit of the history of cyber at State Department.

Benjamin Wittes: How would you characterize that history of cyber at the State Department?

Gharun Lacy: I would say it's a reflection of the environment. I think the idea that State Department has had a problem over the years is not quite accurate. Truth is always in the middle. Obviously, we're not as good as I like to say that we should have been, but when you take, it's like somebody saying, hey, it's raining outside, your window’s leaking. Cool. I think the problem that we've had is with the characterization of the narrative. The State Department isn't the house in the rain. The State Department is the house that's completely submerged underwater. The environment that we're in is so aggressive that having cyber issues is an inevitability. It absolutely will happen. We wish it didn't. But it will. And it's the reason we have my bureau and my directorate. We are those guys and gals that will put the knife in our teeth and dive into the fire. Right? That is our job. Our job is to be there when the inevitable does happen and take care of it. I look at it like a firefighter, right? Nobody wants that house to be on fire. Nobody wants that to happen. But if there is smoke, you want some firefighters that are really experienced at putting out fires.

Benjamin Wittes: Do you assume that the State Department's unclassified systems, that the big four cyber threat actors are in those systems? Or do you assume that you’re manning a periphery and keeping them out? What's your working assumption on a day to day basis?

Gharun Lacy: To not have an assumption. We absolutely have to take the data as it comes to us every single day. What we know for a fact is they're always at the perimeter. They're always knocking. They're never not trying. And it's one of the concepts, I think, one of the places where our federal government has helped us, the concept of zero trust is that concept of saying you will have breaches. It will happen. The job now is to, yes, you do your best to keep them from happening. Nobody wants them to happen, but you also structure yourself from an architectural standpoint so when they do get in, they only get into that one place and that one room and you contain it, right? It is a dichotomy of thought, so to speak, because as we become so data integrated and data connected, we want to maintain that. But at the same time, we want to make sure that we're segmented off from a threat perspective so that if they get to one place, they get to one place and one place only.

What we operate under, I wouldn't call an assumption, we operate under the knowledge that these adversaries are never going to stop. They're never going to stop. They're never going to change administration. They're never going to shift and be friends with us. They're always, always, always going to come after our data. So, the only mantra that we have is that however good we are today is not good enough and we always have to continue. We're going to be in this arms race in perpetuity and we need to embrace that race, right? We need to embrace that constant improvement because the adversary is doing the same thing.

Benjamin Wittes: And what about the classified side? Where is it? How high up the classification chain do you have to go before you guys are no longer responsible for, you know, it becomes a sort of NSA defensive thing, not a, DIPSEC defensive thing.

Gharun Lacy: Sure. No, for in the Department, you know, we're responsible with protection on the unclassified network and our secret level network. Our good close partners in the Bureau of INR are responsible for the protection of the TS fabric for the State Department and they are good partners. I actually spent a good portion of the day yesterday with their CIO, Mr. Jimmy Hall. He's a good friend.

Benjamin Wittes: And just to be clear, INR is?

Gharun Lacy: They are the intelligence element inside of State Department. So just like State Department has a law enforcement bureau inside of the State Department, State Department has an IC element inside the State Department and that's the Bureau of INR.

Benjamin Wittes: So, I want to return to the question of like what you're what your biggest day to day worries are. You've described, you know, a constant set of perimeter attacks, and then the need to manage breaches when they happen. You've talked about a workforce training that is trying to change the culture a little bit, make people more, more aware of defense and cyber threats. You've talked about a very dynamic interaction with other governments, other U.S. agency components and industry. How do you sleep at night? I mean, like, you're describing just an impossible thing. So when you bolt up at two in the morning, worried about something, what is it?

Gharun Lacy: So usually it won't be me waking up. It'll be a call. What brings me a lot of comfort is the quality of those 365 people in this team. I never worked with a more dedicated, creative, and mission driven bunch. They care so much and they're so good at what they do. So, yeah, but when we do jump up, you know, obviously it's the nation state actor, the holy grail, which you never want to see is that the nation state actor has gotten into your classified, classified data and has pulled some type of essential foreign policy national security information and is using it and weaponizing it against us, right? That is something that we never want to see. That's the nightmare scenario. Your unclassified network is your unclassified network for a reason. It's why people only process unclassified information. Now, with that interconnectivity, you always worry about the aggregation of a million pieces of unclassified information being put together.

Benjamin Wittes: You could learn a huge amount about how the State Department works on a day-to-day basis without touching a single piece of classified information if you have enough data about the rest of that.

Gharun Lacy: Correct.

Benjamin Wittes: Especially the cafeteria.

Gharun Lacy: I was posted in Brussels, Belgium, and I used to hang out in the cafeteria at NATO headquarters. Phew. That scares me. When we talk about what scares me, that scares me. But yeah, so, so many nuggets floating around that we have to protect. One of the things that does where we've placed a lot of emphasis, and if you ask me this question, maybe a year or two ago, this would have been my answer is: because we have so many different priorities across the department, 32 different bureaus, each of them with their own distinct missions, each of them with their own distinct risk tolerances and distinct IT capabilities. There can be pockets of your information and pockets of your network that you don't know exist that you don't have visibility on. For whatever reason over the last 15 to 20 years, they were stood up out of a business necessity over here without your tools, without your knowledge, you know, without the documentation to show that it's there. That would have been the concern for me maybe a year and a half ago, two years ago.

The good news is that was a concern and collectively we have attacked it over the last 18 months in partnership with our good friends in Diplomatic Technology, in partnership with our good friends in the Center for Analytics, in partnership with some of the larger bureaus that are extremely capable, like the Bureau of Consular Affairs that operates a huge network segment. We've gone after the visibility in those little corners that we couldn't see. Happy to say that the progress in that regard has been going outstandingly well, and that's where we've had to continue to ramp up our capacity as we get visibility into those areas, that's a lot more data coming at us. And we have to be able to sift through that data, make sure that we understand what's happening and make sure we can respond or make sure we can start to see the deviations in trend that may not necessarily be an incident, but may be pointing at an incident that may happen soon.

Benjamin Wittes: One thing that you have come back to several times in this conversation is the role of the State Department leadership in, in driving some of this change. I'm curious whether in your judgment, you're a career guy, you're not a, you know, you're not part of the administration, except in the sense that you're in a, you're in a leadership role. How much of this is, in your judgment, Tony Blinken, Biden administration set of initiatives, and how much of it is institutional change that, you know, is longer term than that and will, you know, continue in a hypothetical administration, next administration, whether it's a second Donald Trump administration or a Kamala Harris administration. Are you, do you think of this as something that this administration is very committed to, or something that this just is change that the State Department is going through that's important?

Gharun Lacy: I think it's a reflection of how the department is built. Again, clarity of mission. We know why we do everything. Foreign policy has always driven where we've gone from a defensive and a protective standpoint. So if you look at the progression over the last decade or so, the focus on counterterrorism through the last 10, 15 years or so, right? It was a focus on counterterrorism. That's how our protective mission was built. It was built for expeditionary diplomacy. It was built for how do we protect people in some very hard environments like Iraq and Afghanistan while they conduct foreign policy? So if you look at the structure of the support, the support activities, which we absolutely are. Remember, we're, our job is to support the conduct of foreign policy, not execute security for the sake of security. But our job is to make sure that our foreign service officers and our diplomats can have the face to face conversations that they need to have. So as the nature of those conversations change, we change our protective stance.

As the U.S. shifted from a focus on counterterrorism, which was extremely kinetically based, kinetic defense, the ability to go out into some very hard environments, and now shifted to strategic competition with those big four actors. When you say strategic competition, China really starts to rise to the top. Then the tactics that we adjust to, to make sure that we can facilitate foreign policy in a strategic competition environment has to change. Strategic competition is almost all about data. Who has the information? Who knows the talking points? Who has the upper hand in a negotiation? Who can compel a third or fourth party to partner with them? That's all information and relationship based, and that's where that focus and shift has happened. So I think that the way the department is built to adjust to changes in foreign policy really dictates how we do the job.

The beauty, again, of our bureau is that we're nonpolitical. It doesn't matter the administration. It doesn't matter the policy from the White House. Our job still remains predominantly the same. Protect the people. Protect the property. Protect the secrets so that they can conduct foreign policy, the tactics that we adjust to and how we move is so, well, not solely, but predominantly based on the environment. One of the questions that we ask and bring to the table when it comes to cyber? We ask a certain question that most cyber defenders most typical cyber practitioner has it in their skill set but ours is prominence while we have such a strong intelligence component: who? The who for us is so important. Who's coming after us and why? We use that information to help us determine how. The actors are get really smart about hiding their tactics, so we want to know who's coming after us and why and let that help guide how they're coming after us and how we defend against it. But the beauty of it from the State Department, we are apolitical, right? Whoever's in office, whoever, whatever the foreign policy is, we're going to protect it. We're going to facilitate it. We're going to keep it safe.

Benjamin Wittes: A couple of non-cyber questions before we wrap up. There have been, as you know, a lot of concerns about incidents involving U.S. diplomats and intelligence personnel who have been hit with mysterious syndromes that are frequently believed to be the result of some kind of directed energy weapon. As far as I know, nobody has definitively identified what has happened to whom and where, but you do have a lot of people who seem to be claiming this. And some of whom who are clearly impaired as a result of something that happened. How do you protect U.S. diplomats against an unspecified threat, you know, that we don't understand and we don't know who's doing it, but seems to be quite serious when it happens?

Gharun Lacy: Sure. Now, that is an absolute challenge. In my prior role to being here in cyber, I actually worked in our countermeasures directorate where we worked on that problem set the way we approached it, because we're engineers, is how do we get the data right? We absolutely need to understand what the environmental causes for some of the- One, working with some of the smartest people in the federal government. What is the what? What are the symptoms that we absolutely can't account for? And then how do we gather the data that's going to help us? I think for us, the primary thing that we look at is making sure that our personnel are informed, to make sure that we're being transparent with our staff, transparent with our workforce.

Not going to get into too much detail here, but make sure that we've also gathered the environmental information to the best of our ability and have the capability to gather whatever environmental information we can. That was the focus of my countermeasures directorate and the focus of that activity was to make sure that we could put some quantifiable data around this and at least be able to eliminate certain things. There are definitely other elements in the federal government that have taken on a different approach looking at different factors, different variables. But for us, again, it was always protective. What are the elements in the environment that we can quantify and that we can look for changes and deviations in?

Right now, we have a very mature, very well thought out response plan where if we have an individual that has, you know, reports certain symptoms, we go through a whole process. There's equipment that we move. There are services that we provide to the individual. It is laid out. It's a good SOP, to make sure that the individual can gain the information that they need to feel comfortable, and that we can gain the information we can to give them the most data that we can at the time about what did happen in the environment or what we've seen in the environment since. Unfortunately, being retroactive about what happened at the exact time an individual faced symptoms is next to impossible to do. But what we can do is from the time we've got that report, we can make sure that we've pushed equipment to place, to make sure that we are recording what's happening in the environment, and looking to see if there's anything there that we can provide them with information on. The process now has matured over the past couple of years and is a good process. And we make sure people understand that process is one of the ways we can try to give them at least a little bit of level of comfort until that smoking, that smoking gun, so to speak, is discovered. And, you know, we actually have the physics behind what has happened, there's always going to be, we're still going to be in this kind of state of limbo.

Benjamin Wittes: Finally, I want to ask about a different side of the protective function, which is, you know, you guys protect a bunch of embassies and visiting dignitaries who don't always behave very well. You know, there are famous incident involving the president of Turkey in this building whose thugs kind of beat some protesters outside. Similar things have happened in near the Turkish embassy at different times. And you know, I have, in one of my other lives, I do some provocative protests at the Russian embassy. You guys have been uniformly fabulous in, in dealing with that stuff. But I've seen the Russians do some stuff that is you know, frankly illegal and not playing fair by the, you know, standards of U.S. norms and laws and interactions with protesters. And I'm curious, you know, when you guys are protecting people who are behaving real badly, what's the, you know, what's the obligation? What's the protocol for, you know, you guys are providing a security detail for a diplomat who, or for a dignitary who's got his own bodyguards who don't respect protesters, what do you do?

Gharun Lacy: So, that's where the relationships that we build across state and local law enforcement come into play. For every detail that we have running for a dignitary, Bureau of Diplomatic Security is in contact with the cognizant local authorities, D.C. Metro Police, good partners. Wherever we have facilities where we have to do our protection details, we also make sure that we are closely coordinated with our local and state law enforcement elements in that same location. And that's where that's where that line is drawn, right? You know, a dignitary commits a crime in Washington capital region, then we would rely on our D.C. Metro partners to actually take care of that issue again. And that's where the authorities, kind of, our authority in that moment is to protect that individual, but of course, all law enforcement has the responsibility of protecting life, safety of anyone that's involved in that moment. But when you talk about the crime persecution component of it, that's where we rely on our local and state law enforcement bodies to really be in that sweet spot where the handoff happens and they take over.

Benjamin Wittes: Thank you so much for taking the time to talk to us today.

Gharun Lacy: Absolutely. No, absolutely. Lot of fun.

Benjamin Wittes: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts. Look out for our other podcasts including Rational Security, Chatter, Allies, and the Aftermath. Our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja. Our theme song is from Alibi Music. As always, thank you for listening.


Benjamin Wittes is editor in chief of Lawfare and a Senior Fellow in Governance Studies at the Brookings Institution. He is the author of several books.
Gharun Lacy is th deputy assistant secretary and assistant director for Cyber and Technology Security at the U.S. State Department.
Jen Patja is the editor and producer of the Lawfare Podcast and Rational Security. She currently serves as the Co-Executive Director of Virginia Civics, a nonprofit organization that empowers the next generation of leaders in Virginia by promoting constitutional literacy, critical thinking, and civic engagement. She is the former Deputy Director of the Robert H. Smith Center for the Constitution at James Madison's Montpelier and has been a freelance editor for over 20 years.