State Department gets failing cybersecurity grades again in new report

The State Department spends $1.92 billion annually on information technology. But one of America's most important government agencies cannot seem to get cybersecurity right.

Despite being one of the most tempting targets on the planet for hackers and spending $1.92 billion annually on information technology, the U.S. State Department earned more failing grades on cybersecurity from internal watchdogs this year who charged that leadership couldn’t ensure the department’s security program is effective against growing threats.

The state of security at the State Department has been widely criticized for nearly a decade while under the leadership of both Hillary Clinton and John Kerry. The spotlight turned hot in 2014 when suspected Russian hackers breached the department’s email system. The hack is considered among the “worst ever” to hit the U.S. government. The State Department plays a crucial role in the federal government as it is responsible for the country’s international relations.

A new report from the State Department’s Office of Inspector General (OIG) served as both a stark reminder of past failing grades and a warning that significant vulnerabilities are getting worse. In more than 55 percent of attacks and incidents reviewed by the watch dogs, the Department failed to comply with its own security policies, according to an Inspector General report from Spring 2016.

The report cited three specific problems facing the department. A bad network user account management process at State left 1,850 unneeded accounts inactive for over a year, providing potent attack vectors for hackers who can use an unneeded inactive account to gain access, elevate its permissions, compromise the integrity of the department’s network and cause “widespread damage across the department’s [information technology] infrastructure,” according to the Inspector General’s report.


Worse, hackers using inactive but undeleted accounts could have free reign on sensitive data “without being detected, creating the risk of data loss and theft and compromising user identities and the accountability of user actions.”

A lack of “IT contingency plans” both in Washington and overseas continues to plague the department five years after watchdogs first pointed out the deficiency. The Inspector General’s report also charged that the Department’s current reporting structure meant information security risks are not properly communicated and risk being miscommunicated “which in turn could increase the likelihood and impact of potential attacks.”

“Since 2010, OIG has reported that the Department lacks effective risk management for all phases of the system development lifecycle,” the report charged. “These problems, however, have persisted.”

There are wins listed in the report. In the last year, the State Department cyber team was a part of the launch of an interagency task force made up of the State Department, the National Security Agency, the Department of Homeland Security and industry experts to respond to security threats. The result of that program is “a new capacity to stop suspicious emails and identify malicious attachments that are designed to evade traditional security defenses.”

Additionally, cybersecurity awareness training reached over 140,000 network users in 2016.


If anything could overshadow the cybersecurity criticisms, it’s the marquee issue that plagued former Secretary Clinton’s recently ended presidential campaign: Email. Across the department and around the world, the OIG charged there were problems managing records “at many levels in the department” that increase “the risk of a loss of institutional knowledge and potentially creating an inability to locate and retrieve documents or communications necessary to support key operations.”

When the State Department did spend its $1.92 billion tech budget, a lack of oversight led to duplicated efforts and poor transparency, according to the report.

The State Department has not yet responded to a request for comment. Despite a string of scathing Inspector General reports in the last half-decade, State Department spokespeople have often disagreed and called their cybersecurity program “strong.”


Patrick Howell O'Neill

Written by Patrick Howell O'Neill

Patrick Howell O’Neill is a cybersecurity reporter for CyberScoop based in San Francisco.

Latest Podcasts