State IG blamed for blaming the messenger on mismanagement and Internet security lapses at BBG
Commentary
In this guest commentary by an Internet security expert , BBG Watch looks again at the recent State Department’s Office of the Inspector General (OIG) controversial and widely criticized inspection report on the Broadcasting Board of Governors (BBG).
IG Report Kills The Messenger of Internet Security Lapses
The IG Report overall attempts to kill the messenger while ignoring the message. The report states;
“Board dynamics are characterized by a degree of hostility that renders its deliberative processineffectual. Board meetings are dominated by one member whose tactics and personal attacks on colleagues and staff have created an unprofessional and unproductive atmosphere.”
Examples given in the report of this type of behavior generally focus on one governor, who is being characterized as obstructionist, for having the audacity to actually ask the board staff questions and expect real answers. As a result questions on why employee morale is so low at the IBB, that are danced around by the board staff, when the governor presses for answers he is characterized as “hostile”. Tenacity in pursuing an answer and not accepting just any explanation offered by the board staff is a “personal attack” when it should be praised as doing proper oversight. The root issue for example on the “morale” of the IBB staff is never addressed in the IG Report but the Governor who is seeking information and trying to remedy the problem is demonized.
The IG seems to forget that the BBG staff works for the Board and not the other way around. If a supervisor (The Board) questions a subordinate (the BBG Staff) on a particular problem or issue why is the supervisor at fault for wanting answers and why is not the issue itself examined by the IG to determine if the Governor is raising legitimate concerns?
The IG Report overall is inconsistent in condemning Governors that do not keep abreast of the issues and have a poor attendance records while at the same time accusing the more involvedGovernors as meddling with and not respecting the BBG staff?
Another example of this inconsistency in the IG report and example of not looking in depth at the issue that is supposedly causing dissension is the entity wide use of the Pangea CMS and the role of Radio Free Asia (RFA).
A CMS (Content Management System) is a system used to manage the content of a Web site. With a quick source code check of this site it can be surmised that BBG Watch is most likely using ReviewIt templates in WordPress as its CMS.
The IG Report states in one section on Pangea:
“One example that emerged in numerous interviews and correspondence illustrates the problem. The Board decided that all five broadcast entities should adopt a new content management system called Pangea. The goals were to save money and allow all entities to share content. RFA was on the study committee that included representatives from various BBG entities. The committee submitted its findings to the Board, which voted to adopt Pangea. Despite the Board’s decision, RFA refused to adopt this content system. This action was an obvious challenge to Board authority. At present, all broadcast entities except RFA participate in the program, and the broadly held perception—expressed repeatedly to the OIG team—is that RFA can flout collective decisions of the Board because it can rely on strong support from the chairman and vice chairman of its corporate board.”
In another section of the report that follows:
“An assessment of the relations between the Board and IBB staff must begin with the IBB Director, appointed by the President and approved by the Senate, who has broad responsibilities,including management of VOA and OCB on paper. The Board delegated the Director a widerange of authorities in 2011 but promptly overrode his initiative to introduce a single contentmanagement system (Pangea) for all broadcast entities. The Board allowed one grantee, RFA, not to take part in this initiative. This action led to the IBB Director’s authorities being undermined in the eyes of the broadcast entities and his own staff.”
The decision to migrate to Pangea in one section is a “Board Decision” and states that RFA can “flout collective decisions of the Board”. In the following section that mentions Pangea the decision to migrate is now an “initiative” of the IBB Director and RFA’s not being on Pangea has “undermined in the eyes of the broadcast entities and his own staff” the IBB Director’s authority.
So which is it? A Board Directive or an IBB Director Initiative? The IG Report contradicts itself. While the report states a study committee “submitted its findings to the Board, which voted to adopt Pangea” there is no record of this vote or of a board decision to this end.
Further the IG Report represents RFA as being contrary, apparently, just to be contrary. No mention is given to why RFA chose not to migrate or why any Governors, that kept informed on the issue, supported RFA’s decision. RFA as the “messenger” is attacked for being at odds with the board staff. The only issue the IG seems concerned about is the feelings of the board staff not the actual “message” which is RFA’s issues with Pangea.
RFA in this case, becomes hostile, uncooperative and unprofessional in the report. Once again the core issue itself, the use of Pangea, and RFA’s position is ignored in the IG in the report. The board staff wanted it RFA did not do it – RFA is bad player.
Bypassing the for brevity’s sake the value of even being on a shared CMS or, the workings of the “committee” that studied the CMS issue or, the final recommendation that was written by one person who did not even participate in the committee meetings, what was RFA’s issue?
Pangea is a proprietary system that was written and is maintained by RFE/RL. There is no support for Pangea other than what is provided by RFE/RL. All security patches and system upgrades must be written, tested and implemented by RFE/RL.
There is no large company with a large user base to support Pangea, as with commercial software. There is no large development community to provide support for Pangea as with Open Source software. The technical support for Pangea software is one – RFE/RL. The user base of Pangea is one, the IBB entities that use it now.
RFA is continually a victim of cyber-attacks. In some of RFA target regions not only is the RFA website blocked but internet users that access the RFA site can face harassment and potential prosecution.
RFA did not migrate to Pangea due to concerns about the stability, maintainability and security of the software. RFA did not flat out refuse to migrate to Pangea but requested an independent code audit be performed on the Pangea software before migration. This independent code audit was refused.
The Other IBB entities successfully migrated to Pangea in the spring and summer of 2012 which, is documented on the BBG website:
VOA Websites Get New Design – March 30, 2012
Alhurra and Radio Sawa Launch New Websites – May 16, 2012
VOA English Website Gets New Look – May 22, 2012
What is not mentioned in the IG Report is that during the migration to Pangea and for months afterword the site was hacked and was compromised. Exactly what RFA feared would happen did happen.
This is not speculation but a matter of public record. On July 25, 2012 on the blog “Krebs on Security” an article was posted titled “Espionage Hackers Target ‘Watering Hole’ Sites”https://krebsonsecurity.com/2012/09/espionage-hackers-target-watering-hole-sites/ .
This article discusses a case study paper, “THE VOHO CAMPAIGN: AN IN DEPTH ANALYSIS” http://blogs.rsa.com/wp-content/uploads/VOHO_WP_FINAL_READY-FOR-Publication-09242012_AC.pdf published by RSA FirstWatchSM Team.
The RSA FirstWatchSM team is a global threat research and intelligence team designed to operate in a number of disciplines to provide tactical and strategic intelligence on advanced threats, threat campaigns and threat actors.
The RSA paper describes in depth a complex attack dubbed as “Watering Hole”. The attack was executed by planting malware on multiple compromised that were used as pivot or redirector sites that were deemed most likely to be visited by the targets of interest.
The RSA paper edits out the actual URL of the compromised Watering Hole sites for legal reasons. In the paper RFE/RL is listed as “hxxp://www.rfxxx.org”.
The Krebs on Security blog felt no such compulsion for privacy and used Google cached logs to identify the compromised sites that were used in the attack. From the Google logs a list of top-five “Watering Hole” compromised websites is provided which includes: http://www.rferl.org (Radio Free Europe / Radio Liberty). The report states that the type of attack used has been associated with Gh0stRat and the Elderwood project. Both of these exploits are strongly believed to be run by Chinese hacking teams and are most likely State sponsored.
Pangea is a CMS the system serves all “rferl.org” pages. It is not a question “if” the RFE/RL Pangaea site was compromised for months as the report and blog article provide documentedevidence of this fact.
The IG rather than condemn RFA and the governors who supported RFA’s decision in making a good faith effort to protect its content and audience maybe should have been asking; “Was RFA and the Governors that supported RFA right in their position?”
With all the issues in the IG’s Report the IG should have examined the realities of issue itself that was in contention rather than focus on the boards staff “feelings” about the issue.