Our State Department’s technology is vulnerable in several ways to hackers and to our global adversaries.
From The Register. The US Department of State has largely failed to implement an effective cybersecurity risk program, auditors concluded in a report last week. …
This content is supported by your donations.
Give today.
The State Department, which handles diplomacy and US foreign policy, wrote a risk management strategy for its IT security, the Government Accountability Office (GAO) said, and that’s basically where the dept gave up. As a result, department-wide risks haven’t actually necessarily been mitigated, there’s no overall monitoring program in place, and IT infrastructure used by the department may not have been adequately secured. …
The State Department was among the federal government agencies that had data stolen by suspected Chinese snoops when the spies managed to gain access to Microsoft-hosted email services used by Uncle Sam. …
While it’s unlikely better cybersecurity habits at the State Department could have directly prevented that email theft via Microsoft accounts, due to blunders by the Azure giant itself, the issue serves to illustrate the seemingly poor state of US government cybersecurity. The GAO has called attention to this before, saying in January that nearly 60 percent of the security recommendations it has made since 2010 have yet to be implemented.
And implement the State Department must, because things are potentially really bad over there. “Certain installations of operating system software had reached end-of-life over 13 years ago” bad, in fact.
Along with its vintage OSes, State is operating 23,689 systems and 3,102 “network and server operating system software installations” that have reached end of life. With so many outdated systems on its networks, State’s IT infrastructure is highly susceptible to known exploits and may be “unable to fully detect, investigate and mitigate cybersecurity-related incidents,” the GAO warned.
A federated mess
A good portion of the blame for the State Department’s cybersecurity planning failures falls, at least according to the GAO, on State’s federated structure that splits IT management responsibilities between the department’s CIO and also other sub-organizations.
That way of doing business “limits the CIO’s ability to effectively oversee the department’s IT security posture,” the GAO said, which is only made worse by an “insulated culture” (eg, State’s various bureaus operate largely independently) that has led to communication issues. …
The communication breakdown at the State Department also means that contrary to its risk management framework, which specifies that the CIO must grant or deny requests to deploy and operate systems, around 56 percent of such systems were running without proper authorization, 15 high-value assets and seven high-risk systems among them. …
Share your prayers for our State Department below.
(Excerpt from The Register. Photo Credit: Towfiqu barbhuiya on Unsplash)