The State Department has plenty of important secrets—classified cables, foreign policy directives, embassy plans, and more. It also has a department (with a nine-word name) responsible for protecting those secrets from hackers: the Bureau of Information Resource Management’s Office of Information Assurance. Yet according to an unusually scathing new report from the State Department’s inspector general, this “lead office” for cybersecurity is so dysfunctional and technologically out-of-date that Foggy Bottom may be open to cyberattack.
The IG’s audit of the cybersecurity office, which took place earlier this year, concluded that the office “wastes personnel resources,” is unequipped to monitor $79 million in contracts, “has no mission statement,” and “is not doing enough and is potentially leaving Department systems vulnerable.” The report notes that department employees usually cannot find the head of the bureau because he’s often not in the office, and as a result, they don’t know what their work priorities are. The IG report notes that because of these problems, other parts of the department have to pick up the slack.
“This report reads like a what-not-to-do list from every policy, program, and contracting perspective,” says Scott Amey, the general counsel for the Project On Government Oversight, a nonprofit watchdog group where I used to work. “With stories about foreign entities hacking US government systems and questions about non-authorized access to classified information, this latest IG report causes major concerns about the State Department’s ability to protect government systems.”
The threat of someone hacking the State Department isn’t merely theoretical. In 2010, Bradley Manning was able to leak more than 250,000 State Department cables to WikiLeaks. In 2009, the Associated Press revealed that the State Department was hit with large-scale computer break-ins that appeared to originate from North Korea and China. “I know of several instances where the consular visa systems were attacked,” adds Peter Van Buren, a former Foreign Service officer who spent 24 years working for the State Department before blowing the whistle on problems with reconstruction in Iraq. “State never advertised attacks or intrusions, but from time to time ‘network outages’ happened.”
“One can assume that the State Department faces the same kind of [cybersecurity] challenges as do other government sites,” says Steven Aftergood, director of the Federation of American Scientists’ Project On Government Secrecy. “This IG report is startling in its blunt recitation of security failings. There is no such thing as perfect security, but there is sloppy security, and that’s what seems to be on display here.”
One profound problem is that the cybersecurity office’s technology is not sufficiently advanced to deal with modern cyberattacks. The IG report notes that many of the office’s regulations have not been updated since 2007, and its policies do not provide guidance on how to incorporate “the latest technologies and efforts within the Department”—including the State Department’s $1 billion cloud computing initiative, which would make the State Department’s network much more efficient. In a hard-to-believe finding, the IG audit reports that the database used by the cybersecurity office to track computer vulnerabilities can only be updated by hand after it’s printed out. As the IG notes, the office “is contradicting the main reason to use an electronic means…to improve efficiency.”
Van Buren says this isn’t surprising. During his time with the State Department, he recalls, the agency “strongly opposed internet access except on stand alone dial-up machines and clung to its mainframe systems long after the rest of the world had moved to PCs.” But James Lewis, a senior fellow and director of the Technology and Public Policy Program at? the Center for Strategic and International Studies, argues that the IG still needs to do more research on how many cyber attacks the State Department is actually stopping, because “last I heard, State was doing pretty well on cybersecurity.”
The office consumes a good chunk of taxpayer change. Its 2013 operating budget is $10 million, and it’s getting an additional $19 million this year from Vanguard, a $2.5 billion State Department contract that awards money for dozens of different IT services. The office also oversees five procurement contracts worth $79 million, and it relies disproportionately on contractors. Of its 58 employees, just 22 are full-time State Department employees; the rest are contractors.
According to the report, the cybersecurity office has asked for more staff. But the IG says that increasing the number of people assigned to the office is “not justified by the current level of work being performed.” The IG notes that “the atmosphere in the office has improved” since William Lay took over the office in 2012, but it reports that “many of the staff members commented that they were unaware of [his] activities in general” and “he is not seen regularly in the office.” The staff meetings also “do not normally provide clarity on what [Lay] considers to be office priorities.” Lay reports to Chief Information Officer Steven C. Taylor, who Secretary of State John Kerry appointed in April.
“The State Department takes the OIG feedback seriously and will respond appropriately,” Steve Aguzin, a spokesman for the State Department, tells Mother Jones.
There is some good news. “The IG identified numerous problem areas before any of them could really develop into a crisis,” Aftergood says. For the IG, at least, “It’s a job well done.”