State Department Still Sucks At Basic Cybersecurity And Senators Want To Know Why
from the official-shrugs-due-by-mid-October dept
Our President promised to get busy on The Cyber. So did the last president. It’s a very presidential thing to do. Something in the government gets hacked, exposing millions of people’s personal info, and everyone in the government agrees Something Should Be Done. Committees are formed. Plans are drawn up. Directives are issued. Laws are passed. Then the whole thing is turned over to government agencies and nothing happens.
Five US senators have sent a letter to Secretary of State Mike Pompeo requesting answers why the State Department has not widely deployed basic cyber-security protections, such as multi-factor authentication (MFA).
The letter was sent yesterday and was signed by senators Ron Wyden [D-Ore], Cory Gardner [R-Colo], Ed Markey [D-Mass], Rand Paul [R-Ky], and Jeanne Shaheen [D-N.H.].
The letter [PDF] cites two reports. The first is the General Service Administration’s assessment of cybersecurity practices. It shows the State Department has only implemented multi-factor authentication for 11% of “high-value devices.” When the mandated goal is 100%, this barely reaches the level of “grossly inadequate.”
Considering the amount of turnover the agency has had in the past several months, you’d think it would be considerably more concerned with internal security. But it isn’t. And, as the letter points out, it’s not just stupid. It’s also illegal.
According to a 2018 General Service Administration (GSA) assessment of federal cybersecurity, the Department of State had only deployed enhanced access controls across 11% of required agency devices. This despite a law– The Federal Cybersecurity Enhancement Act — requiring all Executive Branch agencies to enable MFA for all accounts with “elevated privileges.”
Breaking the law. And just generally not doing much whatsoever on the security front.
Similarly, the Department of State’s Inspector General (IG) found last year that 33% of diplomatic missions failed to conduct even the most basic cyber threat management practices, like regular reviews and audits. The IG also noted that experts who tested these systems “successfully exploited vulnerabilities in email accounts of Department personnel as well as Department applications and operating systems.”
The senators are hoping the State Department will have answers to a handful of cybersecurity-related questions by October 12th, but given the agency’s progress to compliance with a law that’s been on the book for two years at this point, I wouldn’t expect responses to be delivered in a timelier fashion.
The agency’s track record on security isn’t great and these recent developments only further cement its reputation as a government ripe for exploitation. The agency’s asset-tracking program only tracks Windows devices, its employees are routinely careless with their handling of classified info, and, lest we forget, its former boss ran her own email server, rather than use the agency’s. Of course, given this long list of security failures, there’s a good possibility an off-site server had more baked-in security than the agency’s homebrew.
Filed Under: cybersecurity, state department
Comments on “State Department Still Sucks At Basic Cybersecurity And Senators Want To Know Why”
IT Security: We’re not satisfied till you’re not satisfied.
No Imran Awan?
A lot of these questions can be answered by simply asking how the hell Imran Awan got hired, and how he kept his job for so long. When you can figure out how that was even possible, you’ll figure out why the state is so terrible at security.
Re: No Imran Awan?
The main allegations I find against Awan are for theft, fraud, and embezzlement.
I would think those would be viewed as practical experience for a job supporting Congress, not necessarily grounds for dismissal. Heck, if absconding with taxpayer money were grounds for dismissal, there wouldn’t be a US Congress.
Re: Re: No Imran Awan?
He extorted them with their own data. Hell, he got a sitting Congresswoman to threaten the chief of police! That’s pretty amazing.
Re: No Imran Awan?
Irman Awan had no criminal record, was a naturalized US citizen, and it appears the charges against him start after a decade of public service.
I don’t see anything that necessarily should have prevented him from being hired in his position. There is no evidence that better IT security standards would have prevented his scams, and no evidence better IT security would have caught him.
Better IT security would have made the conspiracy theories less plausible, while still allowing him to work however.
Hey remember that time...
Remember that time the um, contracted professional *cough* hired to secure the private Microsoft Windows Server (cough) being used for email for a certain candidate actually asked on a Subreddit for help securing his email server, and got tricked into posting the private key for it? I do. Wanna see it?
https://web.archive.org/web/20160919052820/https:/www.reddit.com/r/exchangeserver/comments/2bmm4l/remove_or_replace_tofrom_address_on_archived/
That’s Stonetear. We now know that was Paul Combetta. How was he ever hired? How did he keep his job so long?
Security
Is “fundamentally” misunderstood by just about everyone. When it is all said and done it mostly comes down to security theater.
Checkpoints that require ID will not stop a shooter, neither will doors that require badges.
Computer security has the same problem. People will create bullshit password complexity rules that actually weaken security instead of strengthen it (NIST finally changed this recently). Most businesses will run 2nd factor authentication over insecure communications platforms (like text/sms) or companies that have intentionally weakened their protocols by request of the government (RSA) to pretty much every fucking thing being made comes with backdoors, zero day vulnerabilities, and weakn half-baked to no-baked security.
Security teams often spend time bitching about settings that do not even matter, such as renaming well known accounts but allowing anonymous enumerations. Placing extra firewalls between everything and then having to turn it all into a complex maze of swiss cheese while most attack vectors now go over already well known and open ports.
Blacklists instead of whitelists because having a dedicated Security Engineer is a waste of money but paying entire teams of paper security analysts are worth it.
this can go on and on.
Computer security is “fundamentally” misunderstood by pretty much everyone and “especially” by government for whom “security theater” is the GOTO solution for all things to appease the clueless and unwashed masses!
Re: Security
Another "fundamental" misunderstanding is that most security is intended to stop a shooter…
This is just as true for cybersecurity as for physical security, though usually for different reasons. In the physical case, well, that just hasn’t even been on the radar until the last couple years, and even now it’s such a fringe case that the vast majority of situations don’t need it. In the cybersecurity case it’s actually because it is many orders of magnitude better for a shooter to breach security than for a ninja to do the same. Even the best computer security is flawed enough that damage control is a principle part of the design consideration, and being able to track exactly what was breached by the trail of bodies and bullet casings is infinitely preferable to not knowing.
Re: Re: Security
“Another “fundamental” misunderstanding is that most security is intended to stop a shooter…”
Agree, but because of their “security theater” nature they are there to entice people to think that and not unintentionally either. Like those password complexity requirements, it just gets people to change behaviors and often times, it ways that are less effective than they would have been if you just did nothing. A hidden camera is about the best checkpoint you can get in the vast majority of cases. If people “think” they are not being watched you are likely going to catch a criminal entering the building than one that greased their way past a checkpoint. Not only that, but humans are usually pretty terrible at detecting danger when it is hidden behind a smile.
“Even the best computer security is flawed enough that damage control is a principle part of the design consideration, and being able to track exactly what was breached by the trail of bodies and bullet casings is infinitely preferable to not knowing.”
Monitoring systems are also useful because they are able to more intelligently engage lockout systems. For example… any business that has an exposed login screen are at risk for DDOS attacks because anyone with a list of users can rapidly enter invalid passwords locking out accounts maliciously. Instead of locking accounts, perimeter systems should instead block the source IP like an RBL. Similar for Threat analytics… if an account historically logged in from one state should be blocked when access is attempted from an unknown geographical location.
The Ninja vs Shooter comment was funny though.
Re: Re: Security
“better for a shooter to breach security than for a ninja to do the same”
You can start suing me now for copyright infringement, that’s funny as hell, and such a good metaphor I’m going to use it frequently. Thanks! 🙂
Last I recall of the Senate
They were all I’m no nerd but I disagree. and even recently affirmed their position of contentious ignorance.
Ron Wyden has been pretty much the only voice of dissent.
Is this going to change?
Re: Last I recall of the Senate
There are four other signatures on that letter besides Wyden’s.
That’s still only 5 out of 100. But it’s more than just Wyden.
Re: Re: Last I recall of the Senate
And the other 95 put out a statement saying “We’re against the MFA. After all, organized crime is bad, and the Italian Mob is the worst of them.” 😉
Timely response
I think October 12th is plenty of time. How long does it take to write up a memo that (1) blames the previous administration, (2) blames Congress for insufficient funding, or (3) blames unspecified “higher priority projects” for delaying this one (or (4) some combination of the above)? This is government, so none of those excuses need to be substantiated on the first round (if ever). They just need to be written in appropriately passive voice and with enough vagueness that they can’t be quickly disproven.
Accidentally on purpose
>”…given this long list of security failures…”
To us they are failures. To them the are features. Why would the State Department actually want anyone else to know what they think or do? Who do we think they work for?
It's probably cultural
People make a big deal about Clinton keeping a private email server as Secretary of State, but what a lot of people seem to forget about that — or never knew — is that she did so because her predecessor told her she should do it as part of the briefings when she was preparing to take over the job.
Her predecessor kept a private server. So did his predecessor. So do lots of officials in the executive branch. It’s illegal for every single one of them, but they all do it.
When the boss sets an example, the underlings follow it.
Re: Clinton's private email server
Right now, we’re still working out the social ramifications of every request to a clerk to print this suddenly becoming public record. It’s a problem both legal and cultural in large corporations as well, especially when those records can be collected as evidence.
The problem with her private email server is that it wasn’t secure enough for classified materials. And I’d forgive this except the administration she served prosecuted people as spies for carelessly handling classified materials. They also overclassified like mad.
(The Trump administration is, if anything, worse.)
It’s hard to get on her case about it when the official servers are not very well secured, and are just as susceptible to Russian hackers. So it seems we only use our security policies to persecute enemies of the current administration.
Understanding
The state department sucks at cyber security.
Senators suck at understanding the cyber.