Senators Concerned About State Department’s Cybersecurity Failures

A group of United States senators this week sent a letter to Secretary of State Mike Pompeo requesting clarifications regarding the Department of State’s failure to meet federal cybersecurity standards.

The letter was signed by senators Ron Wyden, Cory Gardner, Edward J. Markey, Rand Paul, and Jeanne Shaheen.

The lawmakers cited a recent assessment by the General Services Administration (GSA), which revealed that the State Department had deployed advanced access controls on only 11 percent of the agency’s devices. The senators noted that all executive branch agencies are required by federal law (the Federal Cybersecurity Enhancement Act) to enable multi-factor authentication (MFA) on accounts with elevated privileges.

The officials also pointed out that a report last year from the Department of State’s Inspector General found that roughly one-third of diplomatic missions “failed to conduct even the most basic cyber threat management practices, like regular reviews and audits.” The same report noted that experts managed to exploit vulnerabilities in the agency’s email accounts, applications and operating systems during the tests they conducted.

“We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA,” the senators wrote.

The letter instructs the Department of State to provide information on the actions taken in response to the Office of Management and Budget (OMB) designating its cyber readiness as “high risk,” to clarify what actions it has taken to address the absence of MFA on high-privilege accounts, and to provide statistics for the past three years regarding the number of attacks launched against State Department systems located abroad.

“It is not surprising in that there is no stopping the ‘Bring Your Own Device’ train — not even our most sensitive federal agency can stop it. As a result, federal agencies are not immune from the cyber-security risks that the private sector has been grappling with for years — except when it comes to having to pay fines, defense costs, and large damage awards (not to mention losses from customer defections),” Todd Shollenbarger, chief global strategist of biometric technology company Veridium, said via email.

“For our federal government, no amount of ‘budgetary pressures’ (or other excuse) should be tolerated when it comes to failing to have utilized a basic cybersecurity technique, such as 2FA or MFA — especially since ‘user convenience’ is not the overriding concern. The good news is that NIST’s recently updated Digital Identity Guidelines (Special Publication 800-63-3) has done much of the hard work. What’s now needed — obviously — is for our federal government agencies to use it,” Shollenbarger added. “But remember: not all MFA solutions are built the same.”

Last year, the DHS issued a Binding Operational Directive (BOD) instructing all federal agencies to start using web and email security technologies such as HTTPS, STARTTLS and DMARC.

A report published this summer by email threat protection company Agari revealed that over half of agencies had fully implemented the DMARC email security standard. However, the Department of State had only implemented DMARC on 9 of its 19 domains and was among the worst-performing agencies in this regard.
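The kind of per-domain tally behind a figure such as "9 of 19 domains" can be reproduced with a small classifier over each domain's `_dmarc` TXT record. The example below is added here and is not code from the article, from Agari or from DHS; the TXT data is constructed, the records are supplied in a dictionary rather than fetched from DNS, and the thresholds it applies ("enforcing" means `p=reject` at 100 percent, which is the end state BOD 18-01 required; quarantine or a sampled reject policy counts as "partial"; `p=none` only monitors) are this example's own assumptions about what "fully implemented" means.

```python
"""Classify DMARC deployment across a list of domains from their _dmarc TXT records.

Added example, not code or data from the SecurityWeek article or the Agari report.
The TXT data below is constructed; in practice each record comes from a DNS TXT
query for "_dmarc.<domain>" (RFC 7489, section 6.6.3).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DmarcStatus:
    domain: str
    policy: Optional[str]  # value of the p= tag, or None when no usable record
    pct: int               # value of the pct= tag (default 100)
    status: str            # "enforcing", "partial", "monitoring" or "missing"


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(domain: str, txt_by_name: Dict[str, List[str]]) -> DmarcStatus:
    """Classify one domain using the TXT records published at _dmarc.<domain>."""
    name = f"_dmarc.{domain}"
    # Only records beginning with v=DMARC1 count. RFC 7489 stops DMARC
    # processing when the name holds zero or more than one such record, so
    # both cases are treated as "missing" here.
    candidates = [r for r in txt_by_name.get(name, []) if r.strip().startswith("v=DMARC1")]
    if len(candidates) != 1:
        return DmarcStatus(domain, None, 100, "missing")

    tags = parse_tags(candidates[0])
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # malformed pct: fall back to the RFC default

    # Thresholds are this example's assumption (see the lead-in): reject at
    # 100% is "enforcing"; quarantine, or reject sampled below 100%, is
    # "partial"; p=none only monitors. A record without a recognised p= tag
    # is treated as unusable here (a simplification of RFC 7489 section 6.6.3).
    if policy == "reject" and pct >= 100:
        status = "enforcing"
    elif policy in ("reject", "quarantine"):
        status = "partial"
    elif policy == "none":
        status = "monitoring"
    else:
        status = "missing"
    return DmarcStatus(domain, policy or None, pct, status)


def summarize(domains: List[str], txt_by_name: Dict[str, List[str]]) -> Dict[str, int]:
    """Count domains per status; the 'enforcing' count is the 'N of M' figure."""
    counts = {"enforcing": 0, "partial": 0, "monitoring": 0, "missing": 0}
    for d in domains:
        counts[classify(d, txt_by_name).status] += 1
    return counts


# Constructed sample zone data (hypothetical domains; not the State Department's).
SAMPLE_TXT: Dict[str, List[str]] = {
    "_dmarc.alpha.example.gov": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.gov"],
    "_dmarc.bravo.example.gov": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-rua@example.gov"],
    "_dmarc.charlie.example.gov": ["v=DMARC1; p=none; rua=mailto:dmarc-rua@example.gov"],
    "_dmarc.delta.example.gov": ["v=spf1 -all"],  # wrong record type published at the _dmarc name
    "_dmarc.echo.example.gov": ["v=DMARC1;p=reject;rua=mailto:dmarc-rua@example.gov"],  # no spaces
    "_dmarc.golf.example.gov": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: invalid
}
SAMPLE_DOMAINS = ["alpha.example.gov", "bravo.example.gov", "charlie.example.gov",
                  "delta.example.gov", "echo.example.gov", "foxtrot.example.gov",
                  "golf.example.gov"]  # foxtrot publishes no _dmarc record at all


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(classify(d, SAMPLE_TXT))
    counts = summarize(SAMPLE_DOMAINS, SAMPLE_TXT)
    print(f"{counts['enforcing']} of {len(SAMPLE_DOMAINS)} domains enforce DMARC (p=reject)")
```

Running it on the constructed data reports 2 of 7 domains enforcing; the `delta`, `foxtrot` and `golf` cases show the three ways a domain ends up with no usable policy (wrong record type at the `_dmarc` name, no record, and duplicate records), which is why a checker must look at the record's content rather than merely test whether the name resolves.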

Related: Senator Asks DoD to Secure Its Websites

Related: Senator Urges Federal Agencies to Ditch Adobe Flash

Related: Senators Ask National Security Advisor to Save Cybersecurity Coordinator Role

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
