State Department Still Sucks At Basic Cybersecurity And Senators Want To Know Why

from the official-shrugs-due-by-mid-October dept

Our President promised to get busy on The Cyber. So did the last president. It’s a very presidential thing to do. Something in the government gets hacked, exposing millions of people’s personal info, and everyone in the government agrees Something Should Be Done. Committees are formed. Plans are drawn up. Directives are issued. Laws are passed. Then the whole thing is turned over to government agencies and nothing happens.

Five US senators have sent a letter to Secretary of State Mike Pompeo requesting answers why the State Department has not widely deployed basic cyber-security protections, such as multi-factor authentication (MFA).

The letter was sent yesterday and was signed by senators Ron Wyden [D-Ore], Cory Gardner [R-Colo], Ed Markey [D-Mass], Rand Paul [R-Ky], and Jeanne Shaheen [D-N.H.].

The letter [PDF] cites two reports. The first is the General Service Administration’s assessment of cybersecurity practices. It shows the State Department has only implemented multi-factor authentication for 11% of “high-value devices.” When the mandated goal is 100%, this barely reaches the level of “grossly inadequate.”

Considering the amount of turnover the agency has had in the past several months, you’d think it would be considerably more concerned with internal security. But it isn’t. And, as the letter points out, it’s not just stupid. It’s also illegal.

According to a 2018 General Service Administration (GSA) assessment of federal cybersecurity, the Department of State had only deployed enhanced access controls across 11% of required agency devices. This despite a law– The Federal Cybersecurity Enhancement Act — requiring all Executive Branch agencies to enable MFA for all accounts with “elevated privileges.”

Breaking the law. And just generally not doing much whatsoever on the security front.

Similarly, the Department of State’s Inspector General (IG) found last year that 33% of diplomatic missions failed to conduct even the most basic cyber threat management practices, like regular reviews and audits. The IG also noted that experts who tested these systems “successfully exploited vulnerabilities in email accounts of Department personnel as well as Department applications and operating systems.”

The senators are hoping the State Department will have answers to a handful of cybersecurity-related questions by October 12th, but given the agency’s progress to compliance with a law that’s been on the book for two years at this point, I wouldn’t expect responses to be delivered in a timelier fashion.

The agency’s track record on security isn’t great and these recent developments only further cement its reputation as a government ripe for exploitation. The agency’s asset-tracking program only tracks Windows devices, its employees are routinely careless with their handling of classified info, and, lest we forget, its former boss ran her own email server, rather than use the agency’s. Of course, given this long list of security failures, there’s a good possibility an off-site server had more baked-in security than the agency’s homebrew.

Filed Under: ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “State Department Still Sucks At Basic Cybersecurity And Senators Want To Know Why”

Subscribe: RSS Leave a comment
18 Comments
Anonymous Coward says:

Re: No Imran Awan?

The main allegations I find against Awan are for theft, fraud, and embezzlement.

I would think those would be viewed as practical experience for a job supporting Congress, not necessarily grounds for dismissal. Heck, if absconding with taxpayer money were grounds for dismissal, there wouldn’t be a US Congress.

James Burkhardt (profile) says:

Re: No Imran Awan?

Irman Awan had no criminal record, was a naturalized US citizen, and it appears the charges against him start after a decade of public service.

I don’t see anything that necessarily should have prevented him from being hired in his position. There is no evidence that better IT security standards would have prevented his scams, and no evidence better IT security would have caught him.

Better IT security would have made the conspiracy theories less plausible, while still allowing him to work however.

Zof (profile) says:

Hey remember that time...

Remember that time the um, contracted professional *cough* hired to secure the private Microsoft Windows Server (cough) being used for email for a certain candidate actually asked on a Subreddit for help securing his email server, and got tricked into posting the private key for it? I do. Wanna see it?

https://web.archive.org/web/20160919052820/https:/www.reddit.com/r/exchangeserver/comments/2bmm4l/remove_or_replace_tofrom_address_on_archived/

That’s Stonetear. We now know that was Paul Combetta. How was he ever hired? How did he keep his job so long?

Anonymous Coward says:

Security

Is “fundamentally” misunderstood by just about everyone. When it is all said and done it mostly comes down to security theater.

Checkpoints that require ID will not stop a shooter, neither will doors that require badges.

Computer security has the same problem. People will create bullshit password complexity rules that actually weaken security instead of strengthen it (NIST finally changed this recently). Most businesses will run 2nd factor authentication over insecure communications platforms (like text/sms) or companies that have intentionally weakened their protocols by request of the government (RSA) to pretty much every fucking thing being made comes with backdoors, zero day vulnerabilities, and weakn half-baked to no-baked security.

Security teams often spend time bitching about settings that do not even matter, such as renaming well known accounts but allowing anonymous enumerations. Placing extra firewalls between everything and then having to turn it all into a complex maze of swiss cheese while most attack vectors now go over already well known and open ports.

Blacklists instead of whitelists because having a dedicated Security Engineer is a waste of money but paying entire teams of paper security analysts are worth it.

this can go on and on.

Computer security is “fundamentally” misunderstood by pretty much everyone and “especially” by government for whom “security theater” is the GOTO solution for all things to appease the clueless and unwashed masses!

Anonymous Coward says:

Re: Security

Another "fundamental" misunderstanding is that most security is intended to stop a shooter…

This is just as true for cybersecurity as for physical security, though usually for different reasons. In the physical case, well, that just hasn’t even been on the radar until the last couple years, and even now it’s such a fringe case that the vast majority of situations don’t need it. In the cybersecurity case it’s actually because it is many orders of magnitude better for a shooter to breach security than for a ninja to do the same. Even the best computer security is flawed enough that damage control is a principle part of the design consideration, and being able to track exactly what was breached by the trail of bodies and bullet casings is infinitely preferable to not knowing.

Anonymous Coward says:

Re: Re: Security

“Another “fundamental” misunderstanding is that most security is intended to stop a shooter…”

Agree, but because of their “security theater” nature they are there to entice people to think that and not unintentionally either. Like those password complexity requirements, it just gets people to change behaviors and often times, it ways that are less effective than they would have been if you just did nothing. A hidden camera is about the best checkpoint you can get in the vast majority of cases. If people “think” they are not being watched you are likely going to catch a criminal entering the building than one that greased their way past a checkpoint. Not only that, but humans are usually pretty terrible at detecting danger when it is hidden behind a smile.

“Even the best computer security is flawed enough that damage control is a principle part of the design consideration, and being able to track exactly what was breached by the trail of bodies and bullet casings is infinitely preferable to not knowing.”

Monitoring systems are also useful because they are able to more intelligently engage lockout systems. For example… any business that has an exposed login screen are at risk for DDOS attacks because anyone with a list of users can rapidly enter invalid passwords locking out accounts maliciously. Instead of locking accounts, perimeter systems should instead block the source IP like an RBL. Similar for Threat analytics… if an account historically logged in from one state should be blocked when access is attempted from an unknown geographical location.

The Ninja vs Shooter comment was funny though.

Anonymous Coward says:

Timely response

I think October 12th is plenty of time. How long does it take to write up a memo that (1) blames the previous administration, (2) blames Congress for insufficient funding, or (3) blames unspecified “higher priority projects” for delaying this one (or (4) some combination of the above)? This is government, so none of those excuses need to be substantiated on the first round (if ever). They just need to be written in appropriately passive voice and with enough vagueness that they can’t be quickly disproven.

Bergman (profile) says:

It's probably cultural

People make a big deal about Clinton keeping a private email server as Secretary of State, but what a lot of people seem to forget about that — or never knew — is that she did so because her predecessor told her she should do it as part of the briefings when she was preparing to take over the job.

Her predecessor kept a private server. So did his predecessor. So do lots of officials in the executive branch. It’s illegal for every single one of them, but they all do it.

When the boss sets an example, the underlings follow it.

Uriel-238 (profile) says:

Re: Clinton's private email server

Right now, we’re still working out the social ramifications of every request to a clerk to print this suddenly becoming public record. It’s a problem both legal and cultural in large corporations as well, especially when those records can be collected as evidence.

The problem with her private email server is that it wasn’t secure enough for classified materials. And I’d forgive this except the administration she served prosecuted people as spies for carelessly handling classified materials. They also overclassified like mad.

(The Trump administration is, if anything, worse.)

It’s hard to get on her case about it when the official servers are not very well secured, and are just as susceptible to Russian hackers. So it seems we only use our security policies to persecute enemies of the current administration.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...