The State Department Improves Its Cyber State
The U.S. Department of State is expanding its cyber and technology stance to support its operations worldwide. The State Department’s Chief Information Officer (CIO) Kelly Fletcher, who worked previously as the acting Department of Defense CIO, is guiding the portfolio of information technology (IT) needed to underlie the United States’ global diplomacy.
At the same time, the department is employing its first cyber diplomat to help elevate the cyber readiness of the United States, its allies and partners. Nathaniel Fick—officially called the ambassador at large in the department’s Bureau of Cyberspace and Digital Policy—is performing this groundbreaking cyber diplomacy (see sidebar).
For Fletcher, who for about a year has been leading the 2,700 personnel in the CIO’s office in the Bureau of Information Resource Management (IRM) in Washington, D.C., as well as 2,000 contractors and 1,000 foreign service IT officials overseas, it is about modernizing the technology infrastructure that supports the complex diplomatic operations for 100,000 users at the State Department’s 275 posts in 191 countries around the world.
“Here at IRM, I’m responsible for three things,” the CIO stated. “My team operates the network, so we’re an analogue to DISA [the Defense Information Systems Agency] in that way. We build tools that the other system owners can consume to increase cybersecurity. We run platforms where folks can live on that platform and inherit some cybersecurity controls. And the last thing we do is oversight, policy and governance. It is part of my job to say these are the cybersecurity standards.”
And while the State Department’s CIO is responsible for improving its cyber posture, other offices also play a key cyber role, such as Consular Affairs—which protects online services like passport renewal—as well as the Diplomatic Security group. “Over the entire department, we’re spending between $2 and $3 billion on cybersecurity, and a lot of that is in IRM,” Fletcher said. “Diplomatic Security has a role that is very analogous to what the U.S. Cyber Command does. [They are] defending the network, and I see my job as creating a defensible terrain.”
Fletcher, who works closely with Diplomatic Security Assistant Secretary Gentry Smith, acknowledged that there is a “little bit of positive friction” as part of their strong relationship. “It’s my job to say, ‘Customers really want this cool capability,’ and it’s his job to say, ‘I need to be able to defend this network,’” she said.
After visiting nine different embassies and consulates at the beginning of her tenure to assess IT infrastructure, Fletcher saw how widely the facilities differ, making the placement of IT infrastructure a challenge. “I cannot tell you how shocked I’ve been by how different our embassies are,” she exclaimed. “For example, I went to the consulate in Sydney. It is in a commercial building. It’s a floor above a ‘WeWork.’ I also went to Bogota, where we have a giant compound with guards and gates and tons of facilities. ... I recently met an IT pro from East Timor, and he described how much internet costs and how much bandwidth he gets for that cost. And it was shocking to me. We’re in places where our diesel fuel is being siphoned by criminals. And then we’re also, you know, in Paris. It’s just a huge scope and breadth.”
In April, Fletcher and the IRM team were evaluating bids for the Evolve contract, the Department of State’s huge multiple-award, indefinite delivery, indefinite quantity, five to seven-year contracting effort for IT services. The centrally managed contract is meant to improve the department’s cybersecurity posture and bring in innovation and modernized information technology. The chosen companies will provide IT portfolio management, architecture, cybersecurity and compliance, internal and external cloud services, data center, network and telecommunications, application development, and customer and end-user support services.
Other near-term priorities of the CIO include striking a delicate balance between increasing cybersecurity while improving user experience. “Frankly, when I came into the State Department, I brought what I had learned from DoD,” she shared. “My top priority is cybersecurity, and I’m going to get in here and clean things up. And my boss said, ‘You know, I love that. It’s great. But the people need something, too. You can’t just improve cybersecurity. I’m going to need you to improve user experience and listen to what users want.’ That’s when we started thinking a little bit more creatively about how we do these two things together.”
Another key effort is the so-called Tech for Life program streamlining phone configuration and user continuity across devices. “We have a workforce that is moving all the time,” Fletcher stated. “They’re in Baghdad for a year and then they’re going to Bogota for three years. But right now, their government devices are associated with the first location. The embassy would drop them off at the airport, say, in Baghdad, and they would have no way to contact the embassy. That’s a bad answer. So, what we’re doing is we’re enabling folks to take their devices with them.”
Next, the CIO is pursuing network modernization to improve a legacy architecture that fed all network traffic from embassies and consulates around the world through Washington, D.C. “I think that network architecture made sense 20 years ago,” she said. “Today, that does not make sense. Through our network modernization initiative, we are changing the way that network traffic works. We’re doing some micro-segmentation. We’re doing some smart things with cybersecurity. And we’re allowing network traffic to go directly to where it needs to go from wherever you are. Obviously, this will really cut down on latency.”
As part of that modernization, Fletcher and her team are also tackling so-called nonenterprise networks built at some of the offices to address slow networks. The nonenterprise networks are wildly divergent, as is their cybersecurity posture. “And more importantly, none of these are accessible to Diplomatic Security, so they’re not seeing what’s happening on these networks,” she offered. “These make me very concerned from a cybersecurity perspective. But what I can’t do is just start unplugging them, because people then can’t do their job.”
Instead, officials will be working with users to move to modernized networks, and if that does not work, the CIO’s office intends to add sensors so that the Diplomatic Security cyber protectors can monitor non-enterprise networks for vulnerabilities.
The CIO is also installing secure Wi-Fi networks in its facilities—a long-awaited improvement to the diverse array of embassies. In addition, the State Department is employing emerging technologies such as zero-trust architecture, multifactor authentication, robotic process automation, edge compute, neural networks, data management and encryption. The department—with the help of Matthew Graviss, chief data officer and managing director for the Center for Analytics, Office of Management Strategy and Solutions—is promulgating a new policy for artificial intelligence. “It will give some pretty prescriptive rules to include what is allowable overseas,” Fletcher noted. The CIO also emphasized that the State Department does need industry help in several areas.
“The State Department is hungry for technology that can help us drive diplomacy,” Fletcher said.
Specifically, the department is looking for advanced cyber capabilities—but not superfluous ones. “The thing that I’m most excited about working with industry is that we’re building cybersecurity into our solutions,” Fletcher stated. “Whether you’re working with Consular Affairs, Diplomatic Security or IRM, my organization, I want you all to be aware of what is being provisioned by IRM as a tool for the enterprise to use. We’re not [going to be] building the same solution multiple times.”
She encouraged companies to achieve FedRAMP status, even if it is an arduous process. “Please get the certifications, especially if you’re software focused, get FedRAMP certified,” she said. “And I know that this is an imperfect process. Sometimes it may feel like you’re being asked to fill out a form in triplicate with a crayon. What I would say is, please do that and then write down the things that don’t make sense and bring it to leadership. There is an interest in making these processes work better.”
Industry can also help the State Department identify where it can employ emerging technologies around the globe. “Some of this is just going to be embedded in the tools that we buy,” Fletcher said. “But I’m going to need help rolling out emerging technologies to our diplomats, to folks who want to use it to drive diplomacy, to help them do their job, which is mostly engagement.”
Tools that provide predictive analytics or dashboards would be helpful. “For example, when we take votes at the UN [United Nations], how many times did this country vote with us?” she said. “We should just know that. We also produce a ton of narrative documents, and we have a huge archive of these. What can we do with that? We can mine that for insight. [We need companies] to introduce ways to use technology that we haven’t even thought of yet.”
And like DoD, the State Department has a cadre of CIOs, something Fletcher loves. She is working to improve the coordination and communication between the CIOs. She stood up regular meetings where all of the CIOs can meet and discuss what is and is not working, the tools they need most as a service. “We’re sharing a lot of problems,” she stated. “And then some of it is, ‘I need HR data’ or ‘I need security data.’ And, ‘I need IT-related data to make my master user record.’ It is a venue to talk about that because then we all can consume this capability. How we’re ramping up governance is a big part of how we’re getting after cybersecurity.”
I’m going to need help rolling out emerging technologies to our diplomats, to folks who want to use it to drive diplomacy, to help them do their job, which is mostly engagement.
Cyber Diplomat Sees Great Demand
The U.S. State Department’s first cyber ambassador sees great demand from allies and partners for cybersecurity assistance. Nathaniel Fick, the ambassador at large in the Department’s Bureau of Cyberspace and Digital Policy, is working with department and other U.S. officials to globally elevate the dialogue about cybersecurity and the need for international norms and standards, digital infrastructure and emerging technologies. With the creation of the bureau in April 2022 and Fick’s appointment that September, the department has seen early success.
“A key piece of our remit is bolstering cyber capacity amongst our allies and partners all around the world,” he said, speaking to reporters at a Defense Writers Group event in April in Washington, D.C. “I’ve been all over the Indo-Pacific in my brief tenure already. The same [is true] across the NATO alliance and everywhere else in the world, as the thing about the digital space, of course, is that it’s global. In a place that may geographically seem pretty remote, if that place is connected to other places that are more strategically central, the risk swims upstream. Cyber capacity building of our allies and partners is one of our top-most missions.”
The ambassador cites Albania as an example. Iran attacked the country’s digital assets last summer after Albania had given refuge to members of Mujahedin-e-Khalq (MEK), an opposition group to the Iranian government. Albania is a NATO member, and for a long time, the United States has been advocating around the world for countries to digitize their government services to improve services for its citizens and to help cut corruption, which Albania did.
“‘e-Albania’ was a pretty elegant response to that request so that Albanians could register to vote online and get driver’s licenses and pay their taxes,” he said. “Then the Iranians just thumped them.”
Fick, along with Ambassador Linda Thomas-Greenfield, the U.S. representative to the United Nations, quickly went to Albania and met with the U.S. ambassador to Albania, Yuri Kim, and officials from the Albanian government, including their national cyber coordinator, Igli Tafa.
“The [visit] had a two-fold mission,” Fick stated. “The first was to remind the Iranian attackers that Albania is a member of NATO, and this is a problematic path that they don’t want to go too far down.”
The officials coordinated immediate cyber assistance to Albania. The United States rolled out $25 million in cyber funds to Albania as well as digital capabilities. “We marshaled a bunch of private sector partners to come in and work with the Albanian government,” Fick stated. “We got e-Albania back online, put basic security measures in place and then started the process of long-term capacity building.”
Given the intense cyber threat landscape that defies borders, more allies and partners are clamoring for such assistance. “So that model in Albania, we see demand for that everywhere,” he acknowledged. “We’re doing something similar in Costa Rica right now, just as an example. [Our efforts] are global in scope.”
Moreover, public-private partnerships as part of diplomacy will continue to be crucial in helping allies and partners advance cyber and emerging capabilities, he continued. “I was a CEO before,” Fick shared. “I built a cybersecurity software business, and I met a lot with government counterparts, and they would talk about public-private partnership, and my eyes would glaze over because it generally didn’t mean anything. It really does actually mean something in this context.”
In another example of a meaningful public-private partnership, Fick shared how the Ukrainian government migrated its entire government enterprise to the cloud with the help of the private sector just before Russia unlawfully invaded Ukraine. “That gave them the ability to continue to communicate and provide services to citizens even when all of the towers were smoking piles of twisted metal,” Fick stated. “That actually was an extraordinary accomplishment.”
Nathaniel Fick, the U.S. State Department’s ambassador at large, Bureau of Cyberspace and Digital Policy, is performing groundbreaking cyber diplomacy around the world.
