State Department Still Sucks At Basic Cybersecurity And Senators Want To Know Why
from the official-shrugs-due-by-mid-October dept
Our President promised to get busy on The Cyber. So did the last president. It's a very presidential thing to do. Something in the government gets hacked, exposing millions of people's personal info, and everyone in the government agrees Something Should Be Done. Committees are formed. Plans are drawn up. Directives are issued. Laws are passed. Then the whole thing is turned over to government agencies and nothing happens.
Five US senators have sent a letter to Secretary of State Mike Pompeo requesting answers as to why the State Department has not widely deployed basic cyber-security protections, such as multi-factor authentication (MFA).
The letter was sent yesterday and was signed by senators Ron Wyden [D-Ore], Cory Gardner [R-Colo], Ed Markey [D-Mass], Rand Paul [R-Ky], and Jeanne Shaheen [D-N.H.].
The letter [PDF] cites two reports. The first is the General Service Administration's assessment of cybersecurity practices. It shows the State Department has only implemented multi-factor authentication for 11% of "high-value devices." When the mandated goal is 100%, this barely reaches the level of "grossly inadequate."
Considering the amount of turnover the agency has had in the past several months, you'd think it would be considerably more concerned with internal security. But it isn't. And, as the letter points out, it's not just stupid. It's also illegal.
According to a 2018 General Service Administration (GSA) assessment of federal cybersecurity, the Department of State had only deployed enhanced access controls across 11% of required agency devices. This despite a law-- The Federal Cybersecurity Enhancement Act -- requiring all Executive Branch agencies to enable MFA for all accounts with "elevated privileges."
Breaking the law. And just generally not doing much whatsoever on the security front.
Similarly, the Department of State's Inspector General (IG) found last year that 33% of diplomatic missions failed to conduct even the most basic cyber threat management practices, like regular reviews and audits. The IG also noted that experts who tested these systems "successfully exploited vulnerabilities in email accounts of Department personnel as well as Department applications and operating systems."
The senators are hoping the State Department will have answers to a handful of cybersecurity-related questions by October 12th, but given the agency's progress toward compliance with a law that's been on the books for two years at this point, I wouldn't expect responses to be delivered in a timely fashion.
The agency's track record on security isn't great, and these recent developments only further cement its reputation as a government agency ripe for exploitation. The agency's asset-tracking program only tracks Windows devices, its employees are routinely careless in their handling of classified info, and, lest we forget, its former boss ran her own email server rather than use the agency's. Of course, given this long list of security failures, there's a good possibility an off-site server had more baked-in security than the agency's homebrew.
Reader Comments
No Imran Awan?
Re: No Imran Awan?
The main allegations I find against Awan are for theft, fraud, and embezzlement.
I would think those would be viewed as practical experience for a job supporting Congress, not necessarily grounds for dismissal. Heck, if absconding with taxpayer money were grounds for dismissal, there wouldn't be a US Congress.
Re: Re: No Imran Awan?
Re: No Imran Awan?
I don't see anything that necessarily should have prevented him from being hired in his position. There is no evidence that better IT security standards would have prevented his scams, and no evidence better IT security would have caught him.
Better IT security would have made the conspiracy theories less plausible, while still allowing him to work, however.
Hey remember that time...
https://web.archive.org/web/20160919052820/https:/www.reddit.com/r/exchangeserver/comments/2bmm4l/remove_or_replace_tofrom_address_on_archived/
That's Stonetear. We now know that was Paul Combetta. How was he ever hired? How did he keep his job so long?
Security
Checkpoints that require ID will not stop a shooter, neither will doors that require badges.
Computer security has the same problem. People will create bullshit password complexity rules that actually weaken security instead of strengthening it (NIST finally changed this recently). Most businesses will run 2nd-factor authentication over insecure communications platforms (like text/SMS) or through companies that have intentionally weakened their protocols at the request of the government (RSA), and pretty much every fucking thing being made comes with backdoors, zero-day vulnerabilities, and weak, half-baked to no-baked security.
Security teams often spend time bitching about settings that do not even matter, such as renaming well known accounts but allowing anonymous enumerations. Placing extra firewalls between everything and then having to turn it all into a complex maze of swiss cheese while most attack vectors now go over already well known and open ports.
Blacklists instead of whitelists, because having a dedicated Security Engineer is a waste of money but paying entire teams of paper security analysts is worth it.
This can go on and on.
Computer security is "fundamentally" misunderstood by pretty much everyone and "especially" by government for whom "security theater" is the GOTO solution for all things to appease the clueless and unwashed masses!
Re: Security
Another "fundamental" misunderstanding is that most security is intended to stop a shooter...
This is just as true for cybersecurity as for physical security, though usually for different reasons. In the physical case, well, that just hasn't even been on the radar until the last couple of years, and even now it's such a fringe case that the vast majority of situations don't need it. In the cybersecurity case it's actually because it is many orders of magnitude better for a shooter to breach security than for a ninja to do the same. Even the best computer security is flawed enough that damage control is a principal part of the design consideration, and being able to track exactly what was breached by the trail of bodies and bullet casings is infinitely preferable to not knowing.
Re: Re: Security
Agree, but because of their "security theater" nature they are there to entice people to think that, and not unintentionally either. Like those password complexity requirements, it just gets people to change behaviors, and often times in ways that are less effective than they would have been if you just did nothing. A hidden camera is about the best checkpoint you can get in the vast majority of cases. If people "think" they are not being watched, you are more likely to catch a criminal entering the building than one that greased their way past a checkpoint. Not only that, but humans are usually pretty terrible at detecting danger when it is hidden behind a smile.
"Even the best computer security is flawed enough that damage control is a principal part of the design consideration, and being able to track exactly what was breached by the trail of bodies and bullet casings is infinitely preferable to not knowing."
Monitoring systems are also useful because they are able to more intelligently engage lockout systems. For example... any business that has an exposed login screen is at risk of DDOS attacks, because anyone with a list of users can rapidly enter invalid passwords, locking out accounts maliciously. Instead of locking accounts, perimeter systems should instead block the source IP, like an RBL. Similarly for threat analytics... if an account has historically logged in from one state, access should be blocked when it is attempted from an unknown geographical location.
The Ninja vs Shooter comment was funny though.
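The lockout design sketched in that comment (count failures per source IP and block the IP rather than locking the targeted account, and treat a correct password from a location the account has never used as a signal for review instead of a silent allow) as an added Python example; it is not part of the original post or of any product. Usernames, IP addresses, region codes, timestamps and the thresholds are constructed sample values, and the region is assumed to have been resolved from the source IP upstream.

```python
"""Screen login attempts: block abusive source IPs, never lock the account,
and flag logins from a region the account has not used before.

Added illustration, not Techdirt's or any vendor's code. Every IP, user,
region and timestamp below is constructed sample data."""
from collections import defaultdict, deque
from dataclasses import dataclass

FAIL_THRESHOLD = 5     # failures from one source IP ...
WINDOW_SECONDS = 300   # ... within this window trigger an IP block
BLOCK_SECONDS = 900    # how long the source IP stays blocked


@dataclass
class Attempt:
    ts: int            # seconds since epoch (constructed)
    src_ip: str
    username: str
    region: str        # coarse geolocation of src_ip, assumed resolved upstream
    password_ok: bool  # result of the credential check, assumed done elsewhere


class LoginScreen:
    def __init__(self):
        self.failures = defaultdict(deque)      # src_ip -> recent failure timestamps
        self.blocked_until = {}                 # src_ip -> time the block expires
        self.known_regions = defaultdict(set)   # username -> regions seen on success

    def _is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                        # block expired: forget it
            del self.blocked_until[ip]
            return False
        return True

    def evaluate(self, a: Attempt) -> str:
        """Return 'blocked-ip', 'deny', 'review-new-region' or 'allow'.

        The account itself is never locked, so a password-spraying source
        cannot deny service to the users it targets."""
        if self._is_blocked(a.src_ip, a.ts):
            return "blocked-ip"
        if not a.password_ok:
            q = self.failures[a.src_ip]
            q.append(a.ts)
            while q and a.ts - q[0] > WINDOW_SECONDS:   # drop failures outside window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                self.blocked_until[a.src_ip] = a.ts + BLOCK_SECONDS
                q.clear()
                return "blocked-ip"
            return "deny"
        # Correct password: compare against the regions this account has used.
        known = self.known_regions[a.username]
        if known and a.region not in known:
            return "review-new-region"   # step-up auth or analyst alert, not a lock
        known.add(a.region)
        return "allow"


def run_demo():
    """Feed a constructed sequence: a legitimate user, a spraying source IP,
    the legitimate user again (still able to log in), then a correct
    password from an unfamiliar region. Returns the verdict list."""
    screen = LoginScreen()
    attacker = "198.51.100.7"   # constructed
    home = "203.0.113.10"       # constructed
    attempts = [
        Attempt(1000, home, "alice", "US-OR", True),
        Attempt(1001, attacker, "alice", "XX-UNK", False),
        Attempt(1002, attacker, "bob", "XX-UNK", False),
        Attempt(1003, attacker, "carol", "XX-UNK", False),
        Attempt(1004, attacker, "dave", "XX-UNK", False),
        Attempt(1005, attacker, "alice", "XX-UNK", False),   # fifth failure: IP blocked
        Attempt(1006, attacker, "alice", "XX-UNK", True),    # even a right guess is refused
        Attempt(1010, home, "alice", "US-OR", True),         # alice is not locked out
        Attempt(1020, "192.0.2.44", "alice", "RU-MOW", True),  # new region: review
        Attempt(2000, attacker, "bob", "XX-UNK", False),     # block expired, counter reset
    ]
    return [screen.evaluate(a) for a in attempts]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The choice that matters is the key used for counting: failures are attributed to the source address, so the only thing a spraying source can exhaust is its own access, while the legitimate user at a different address is untouched. Pair this with the region check and the monitoring system has a second signal that does not depend on the attacker getting the password wrong.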
Re: Re: Security
You can start suing me now for copyright infringement, that's funny as hell, and such a good metaphor I'm going to use it frequently. Thanks! :)
Last I recall of the Senate
They were all "I'm no nerd but I disagree," and even recently affirmed their position of contentious ignorance.
Ron Wyden has been pretty much the only voice of dissent.
Is this going to change?
Re: Last I recall of the Senate
That's still only 5 out of 100. But it's more than just Wyden.
Re: Re: Last I recall of the Senate
Timely response
Accidentally on purpose
To us they are failures. To them they are features. Why would the State Department actually want anyone else to know what they think or do? Who do we think they work for?
It's probably cultural
Her predecessor kept a private server. So did his predecessor. So do lots of officials in the executive branch. It's illegal for every single one of them, but they all do it.
When the boss sets an example, the underlings follow it.
Clinton's private email server
Right now, we're still working out the social ramifications of every request to a clerk to print this suddenly becoming public record. It's a problem both legal and cultural in large corporations as well, especially when those records can be collected as evidence.
The problem with her private email server is that it wasn't secure enough for classified materials. And I'd forgive this except the administration she served prosecuted people as spies for carelessly handling classified materials. They also overclassified like mad.
(The Trump administration is, if anything, worse.)
It's hard to get on her case about it when the official servers are not very well secured, and are just as susceptible to Russian hackers. So it seems we only use our security policies to persecute enemies of the current administration.
Understanding
Senators suck at understanding the cyber.