State Department Still Sucks At Basic Cybersecurity And Senators Want To Know Why

Our President promised to get busy on The Cyber. So did the last president. It's a very presidential thing to do. Something in the government gets hacked, exposing millions of people's personal info, and everyone in the government agrees Something Should Be Done. Committees are formed. Plans are drawn up. Directives are issued. Laws are passed. Then the whole thing is turned over to government agencies and nothing happens.

Five US senators have sent a letter to Secretary of State Mike Pompeo requesting answers why the State Department has not widely deployed basic cyber-security protections, such as multi-factor authentication (MFA).

The letter was sent yesterday and was signed by senators Ron Wyden [D-Ore], Cory Gardner [R-Colo], Ed Markey [D-Mass], Rand Paul [R-Ky], and Jeanne Shaheen [D-N.H.].

The letter [PDF] cites two reports. The first is the General Service Administration's assessment of cybersecurity practices. It shows the State Department has only implemented multi-factor authentication for 11% of "high-value devices." When the mandated goal is 100%, this barely reaches the level of "grossly inadequate."

Considering the amount of turnover the agency has had in the past several months, you'd think it would be considerably more concerned with internal security. But it isn't. And, as the letter points out, it's not just stupid. It's also illegal.

According to a 2018 General Service Administration (GSA) assessment of federal cybersecurity, the Department of State had only deployed enhanced access controls across 11% of required agency devices. This despite a law-- The Federal Cybersecurity Enhancement Act -- requiring all Executive Branch agencies to enable MFA for all accounts with "elevated privileges."

Breaking the law. And just generally not doing much whatsoever on the security front.

Similarly, the Department of State's Inspector General (IG) found last year that 33% of diplomatic missions failed to conduct even the most basic cyber threat management practices, like regular reviews and audits. The IG also noted that experts who tested these systems "successfully exploited vulnerabilities in email accounts of Department personnel as well as Department applications and operating systems."

The senators are hoping the State Department will have answers to a handful of cybersecurity-related questions by October 12th, but given the agency's progress to compliance with a law that's been on the book for two years at this point, I wouldn't expect responses to be delivered in a timelier fashion.

The agency's track record on security isn't great and these recent developments only further cement its reputation as a government ripe for exploitation. The agency's asset-tracking program only tracks Windows devices, its employees are routinely careless with their handling of classified info, and, lest we forget, its former boss ran her own email server, rather than use the agency's. Of course, given this long list of security failures, there's a good possibility an off-site server had more baked-in security than the agency's homebrew.