In a letter sent to Secretary of State Mike Pompeo, a bipartisan group of five United States senators is criticizing the State Department for failing to address basic cybersecurity standards.
The letter sent Tuesday points out the department’s failure to safeguard itself from cyber threats, claiming that the State Department is lagging far behind that of other federal agencies in the race to defend itself from cyber attacks.
The letter specifically calls on the State Department to roll out multifactor authentication across its networks since the “password only approach is no longer sufficient to protect sensitive information from sophisticated phishing attempts and other forms of credential theft.”
Multifactor authentication is essential to effective diplomacy, at least according to Sen. Ron Wyden who claims, “Effective diplomacy depends on being able to keep certain things secret from other governments, especially during sensitive negotiations. If State can’t secure their emails from hackers, it will undermine their ability to function as the foreign policy arm of the U.S. government.”
But the letter claims that the State Department has deployed multifactor authentication on only 11 percent of required agency devices, violating the requirement under the Federal Cybersecurity Enhancement Act of 2015 to use multi-factor authentication for all accounts with elevated privileges.
The letter also points out that the Whitehouse recently deemed the State Department’s cyber readiness level at “high risk” and that a report released last year from the department’s watchdog found that a third of diplomatic missions did not conduct “even the most basic” cyber threat management practices, such as regular reviews and audits of information systems to check of any unusual activity.
Last May President Trump signed an executive order to hold agency heads accountable for cybersecurity and require them to implement the NIST Framework for Improving Critical Infrastructure. However, the State Department’s inability to adopt relatively simple cybersecurity protections highlights the Trump administration’s failure to strengthen cybersecurity defenses across all federal agencies at the most basic level.
While certainly not a silver bullet, Multifactor authentication (MFA) can make it significantly harder for foreign governments or cybercriminals targeting diplomats or other U.S. interests to access accounts. MFA is a basic cybersecurity defense highlighted in the CIS Basic Controls, in specific CIS Control 4 – Controlled Use of Administrative Privileges. Specifically, CIS Sub control 4.5, demands the use of multi-factor authentication and encrypted channels for all administrative account access. Neglecting to implement such a crucial safeguard could result in phishing campaigns to target political campaigns and allow hackers to exploit vulnerabilities in email accounts, applications, and operating systems.