New Report: The State Department’s Anti-Hacking Office Is a Complete Disaster

“This report reads like a what-not-to-do list from every policy, program, and contracting perspective.”


The State Department has plenty of important secrets—classified cables, foreign policy directives, embassy plans, and more. It also has a department (with a nine-word name) responsible for protecting those secrets from hackers: the Bureau of Information Resource Management’s Office of Information Assurance. Yet according to an unusually scathing new report from the State Department’s inspector general, this “lead office” for cybersecurity is so dysfunctional and technologically out-of-date that Foggy Bottom may be open to cyberattack.

The IG’s audit of the cybersecurity office, which took place earlier this year, concluded that the office “wastes personnel resources,” is unequipped to monitor $79 million in contracts, “has no mission statement,” and “is not doing enough and is potentially leaving Department systems vulnerable.” The report notes that department employees usually cannot find the head of the bureau because he’s often not in the office, and as a result, they don’t know what their work priorities are. The IG report notes that because of these problems, other parts of the department have to pick up the slack.

“This report reads like a what-not-to-do list from every policy, program, and contracting perspective,” says Scott Amey, the general counsel for the Project On Government Oversight, a nonprofit watchdog group where I used to work. “With stories about foreign entities hacking US government systems and questions about non-authorized access to classified information, this latest IG report causes major concerns about the State Department’s ability to protect government systems.”

The threat of someone hacking the State Department isn’t merely theoretical. In 2010, Bradley Manning was able to leak more than 250,000 State Department cables to WikiLeaks. In 2009, the Associated Press revealed that the State Department was hit with large-scale computer break-ins that appeared to originate from North Korea and China. “I know of several instances where the consular visa systems were attacked,” adds Peter Van Buren, a former Foreign Service officer who spent 24 years working for the State Department before blowing the whistle on problems with reconstruction in Iraq. “State never advertised attacks or intrusions, but from time to time ‘network outages’ happened.”

“One can assume that the State Department faces the same kind of [cybersecurity] challenges as do other government sites,” says Steven Aftergood, director of the Federation of American Scientists’ Project On Government Secrecy. “This IG report is startling in its blunt recitation of security failings. There is no such thing as perfect security, but there is sloppy security, and that’s what seems to be on display here.”

One profound problem is that the cybersecurity office’s technology is not sufficiently advanced to deal with modern cyberattacks. The IG report notes that many of the office’s regulations have not been updated since 2007, and its policies do not provide guidance on how to incorporate “the latest technologies and efforts within the Department”—including the State Department’s $1 billion cloud computing initiative, which would make the State Department’s network much more efficient. In a hard-to-believe finding, the IG audit reports that the database used by the cybersecurity office to track computer vulnerabilities can only be updated by hand after it’s printed out. As the IG notes, the office “is contradicting the main reason to use an electronic means…to improve efficiency.”

Van Buren says this isn’t surprising. During his time with the State Department, he recalls, the agency “strongly opposed internet access except on stand alone dial-up machines and clung to its mainframe systems long after the rest of the world had moved to PCs.” But James Lewis, a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies, argues that the IG still needs to do more research on how many cyber attacks the State Department is actually stopping, because “last I heard, State was doing pretty well on cybersecurity.”

The office consumes a good chunk of taxpayer change. Its 2013 operating budget is $10 million, and it’s getting an additional $19 million this year from Vanguard, a $2.5 billion State Department contract that awards money for dozens of different IT services. The office also oversees five procurement contracts worth $79 million, and it relies disproportionately on contractors. Of its 58 employees, just 22 are full-time State Department employees; the rest are contractors.

According to the report, the cybersecurity office has asked for more staff. But the IG says that increasing the number of people assigned to the office is “not justified by the current level of work being performed.” The IG notes that “the atmosphere in the office has improved” since William Lay took over the office in 2012, but it reports that “many of the staff members commented that they were unaware of [his] activities in general” and “he is not seen regularly in the office.” The staff meetings also “do not normally provide clarity on what [Lay] considers to be office priorities.” Lay reports to Chief Information Officer Steven C. Taylor, whom Secretary of State John Kerry appointed in April.

“The State Department takes the OIG feedback seriously and will respond appropriately,” Steve Aguzin, a spokesman for the State Department, tells Mother Jones. 

There is some good news. “The IG identified numerous problem areas before any of them could really develop into a crisis,” Aftergood says. For the IG, at least, “It’s a job well done.”
