A group of United States senators this week sent a letter to Secretary of State Mike Pompeo requesting clarifications regarding the Department of State’s failure to meet federal cybersecurity standards.
The letter was signed by senators Ron Wyden, Cory Gardner, Edward J. Markey, Rand Paul, and Jeanne Shaheen.
The lawmakers cited a recent assessment by the General Services Administration (GSA), which revealed that the State Department had deployed advanced access controls on only 11 percent of the agency’s devices. The senators noted that all executive branch agencies are required by law, under the Federal Cybersecurity Enhancement Act, to enable multi-factor authentication (MFA) on accounts with elevated privileges.
The officials also pointed out that a report last year from the Department of State’s Inspector General found that roughly one-third of diplomatic missions “failed to conduct even the most basic cyber threat management practices, like regular reviews and audits.” The same report noted that experts managed to exploit vulnerabilities in the agency’s email accounts, applications and operating systems during the tests they conducted.
“We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA,” the senators wrote.
The letter instructs the Department of State to provide information on the actions taken in response to the Office of Management and Budget (OMB) designating its cyber readiness as “high risk,” to clarify what actions it has taken to address the absence of MFA on high-privilege accounts, and to provide statistics for the past three years regarding the number of attacks launched against State Department systems located abroad.
“It is not surprising in that there is no stopping the ‘Bring Your Own Device’ train — not even our most sensitive federal agency can stop it. As a result, federal agencies are not immune from the cyber-security risks that the private sector has been grappling with for years — except when it comes to having to pay fines, defense costs, and large damage awards (not to mention losses from customer defections),” Todd Shollenbarger, chief global strategist of biometric technology company Veridium, said via email.
“For our federal government, no amount of ‘budgetary pressures’ (or other excuse) should be tolerated when it comes to failing to have utilized a basic cybersecurity technique, such as 2FA or MFA — especially since ‘user convenience’ is not the overriding concern. The good news is that NIST’s recently updated Digital Identity Guidelines (Special Publication 800-63-3) has done much of the hard work. What’s now needed — obviously — is for our federal government agencies to use it,” Shollenbarger added. “But remember: not all MFA solutions are built the same.”
Last year, the DHS issued a Binding Operational Directive (BOD) instructing all federal agencies to start using web and email security technologies such as HTTPS, STARTTLS and DMARC.
A report published this summer by email threat protection company Agari revealed that over half of agencies had fully implemented the DMARC email security standard. However, the Department of State had only implemented DMARC on 9 of its 19 domains and was among the worst-performing agencies in this regard.