Cybersecurity at the US State Department has been scrutinized for years while under the leadership of Hillary Clinton and John Kerry. The department has a tech budget of $1.92 billion annually, yet has never scored well on internal security tests. This year’s report looked no better than previous ones.
The latest report from the State Department’s Office of Inspector General (OIG) revealed that the State Department is still failing at cybersecurity. Beyond that, the department scored worse on some criteria.
According to a report from the Inspector General in 2016, the department failed to comply with its own security policies in 55 percent of attacks. The State Department fell under heavy scrutiny after the massive data breach in 2014 where hackers accessed the department’s email system. CNN called the breach “the worst ever” when it came to cyber attacks against the US government.
The report said of the State Department’s 2014 breach:
The U.S. Government’s global computer networks are tempting targets for hackers, spies, and other intruders. […] Cyberattacks pose a serious threat to the protection of information. The 2014 intrusion into the Department’s network, for example, highlighted the importance of being prepared to restore operations promptly while protecting information.
In the most recent report, email infrastructure was once again one of the weakest sectors mentioned. Unnecessary accounts were left open for more than a year. A poor process for managing network user accounts left 1,850 accounts completely inactive. The accounts, left unattended and inactive, provided excellent network access for hackers; they could be easily accessed and used to cause “widespread damage across the department’s [information technology] infrastructure,” according to the Inspector General’s report.
The OIG reported major weaknesses in the State Department’s ability to respond to denial-of-service attacks, malicious code, and unauthorized access. Major vulnerabilities such as these led to non-compliance within the department itself. During these incidents, the OIG noted that the State Department failed to comply with policy and protocol 55 percent of the time.
IT contingency plans and threat models showed similar signs of incompetence, the report stated. They were either untested or not properly developed. The State Department’s ability to recover from a potential threat was unknown. The OIG report stated that “emergency preparedness activities had not devoted sufficient attention to the development and testing of IT contingency plans.” Contingency planning was lacking not only in Washington. As early as 2011, the department lacked overseas contingency planning in 69 percent of reported incidents.
The report also pointed out a major issue in the State Department’s information communication system with respect to communicating a pertinent threat. The Department’s Chief Information Officer was not in a position to ensure that the information security program structure was effective. Threats could easily be miscommunicated in the current structure; there was no centralized reporting system in use.
Under the decentralized structure, the OIG reported, “bureaus may accept risks associated with one mission or business function without understanding the potential effect on the Department as a whole.”
The report mentioned a positive move the department made in 2016: cybersecurity awareness training had reached 140,000 network users.