A bipartisan group of senators is criticizing the State Department for failing to meet what they say are basic federal cybersecurity standards — even neglecting to equip employees with multi-factor authentication that could protect them from the types of phishing attacks that Russian hackers have used to target political campaigns.
In a letter sent Tuesday to Secretary of State Mike Pompeo, the lawmakers pointed to recent reports showing the department lagged behind other federal agencies in safeguarding itself from cyberthreats. They specifically called on the State Department to roll out multi-factor authentication, or MFA, across its networks, saying a “password-only approach is no longer sufficient to protect sensitive information from sophisticated phishing attempts and other forms of credential theft.”
“Two-factor authentication is cybersecurity 101,” Sen. Ron Wyden (D-Ore.), one of the letter’s authors, told me in an email. “Effective diplomacy depends on being able to keep certain things secret from other governments, especially during sensitive negotiations. If State can’t secure their emails from hackers, it will undermine their ability to function as the foreign policy arm of the U.S. government.”
The letter was also signed by Sens. Cory Gardner (R-Colo.), Rand Paul (R-Ky.), Edward J. Markey (D-Mass.) and Jeanne Shaheen (D-N.H.).
The State Department’s apparent inability to adopt relatively low-hanging security practices highlights the Trump administration's struggles to make good on promises to improve cybersecurity across federal agencies. Wednesday’s letter reflects frustration among lawmakers at the lack of progress, even after President Trump himself pledged in his sweeping cybersecurity executive order last year to hold agency heads accountable for boosting their defenses against digital threats.
Multi-factor authentication, in particular, is a basic defense that can have a huge impact as nation states or criminals may be targeting diplomats or other U.S. interests at home and overseas. It adds a layer of security that experts say is essential for guarding against phishing attacks, which involve posing as a trusted source to gain access to private information. Russian hackers used the technique to infiltrate Democratic organizations during the 2016 election and have used it to target several candidates ahead of the November midterms.
The State Department has deployed special security controls such as multi-factor authentication on just 11 percent of required agency devices, according to the lawmakers’ letter. This not only puts the department at risk, the senators wrote — it also violates the Federal Cybersecurity Enhancement Act, a 2015 law that requires agencies to use multi-factor authentication for all accounts with “elevated privileges,” meaning accounts used by people who have administrative duties on a computer network.
“While certainly not a silver bullet, MFA is a simple step that makes it significantly harder for foreign governments or criminals to access accounts,” the lawmakers wrote. “We are sure you will agree on the need to protect American diplomacy from cyberattacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA.”
And the problems didn't end there, the lawmakers said. The letter noted that the White House recently deemed the State Department’s cyber readiness “high risk.” The lawmakers also pointed to a report by the department’s watchdog from last year that found that a third of diplomatic missions didn’t conduct “even the most basic” cyberthreat management practices, such as regular reviews and audits of information systems to check for unusual activity. They called on the department to explain what steps it has taken to address these issues and to turn over three years' worth of statistics detailing cyberattacks against State Department systems outside the United States.
A department spokesperson declined to comment on the specifics of the letter. “All Congressional correspondence to the Department is carefully reviewed before an appropriate response is provided,” the spokesperson said.
The State Department isn’t the only agency with subpar cybersecurity practices — not by a long shot. Earlier this year, the Office of Management and Budget found that nearly three-quarters of federal agencies are ill-equipped to deal with intrusions into their networks. In a government-wide cybersecurity review, OMB concluded that 71 of the 96 agencies it examined were relying on cybersecurity programs that were deemed “at risk or high risk.” On top of that, the Government Accountability Office revealed in July that agencies throughout government hadn’t implemented hundreds of GAO recommendations to shore up their cyberdefenses. Even the watchdog for the National Security Agency, which is tasked with defending the country's communications systems, recently hammered the agency for failing to protect data stored on its networks.
It’s not clear what the Trump administration intends to do to respond to the pressure to bring federal cybersecurity up to speed. There is no obvious person in the White House to shepherd a major overhaul. The likely choice, former cybersecurity coordinator Rob Joyce, returned to the National Security Agency over the summer, and the White House has no plans to replace him.
PINGED: The White House is considering an executive order that would enact punitive measures against foreign individuals or companies that interfere in American elections via cyberattacks or other operations, according to two sources familiar with the plan, Reuters's Christopher Bing and Patricia Zengerle reported Tuesday.
“Based on a recent draft of the order reviewed by the U.S. official, it will require any federal agency aware of election interference by foreigners to take the information to the office of Director of National Intelligence,” Bing and Zengerle wrote. “Election interference will be defined in the order as hacking attempts against ‘election infrastructure,’ and efforts to sway public opinion through coordinated digital propaganda or systematic leaks of private political information.” Moreover, the ODNI would lead several federal agencies tasked with determining whether foreign interference did occur, according to Reuters.
“Congress has been purposefully left out of the executive order drafting process, the official said, because the administration wants to preempt legislation being considered in the House and Senate that addresses similar issues,” Bing and Zengerle wrote. The Washington Post's Shane Harris, Josh Dawsey and Ellen Nakashima reported last month that the White House was drafting an executive order to punish foreign interference in U.S. elections.
PATCHED: “Seventeen years after the 9/11 terror attacks, lawmakers are stepping up their warnings about how the next assault on the U.S. could be a cyberattack,” the Hill's Jacqueline Thomsen reported Tuesday. “Airports and airlines increasingly rely on cyber networks to operate, yet there are no federal regulations specifically governing their use. Lawmakers say they are drafting legislation that would impose new standards for cybersecurity as experts argue U.S. airlines are vulnerable to attacks.”
Rep. Bonnie Watson Coleman (D-N.J.) is working to develop a bill that would direct the Transportation Security Administration to require that airlines and airports enact cybersecurity standards, according to the Hill. Two House Homeland Security subcommittees heard last week from cybersecurity and aviation professionals during a hearing on cybersecurity threats to the American aviation industry.
“Christopher Porter, the chief threat intelligence specialist for the cybersecurity firm FireEye who testified at last week’s hearing, said during an interview this week that a federal baseline on cybersecurity could more clearly lay out the roles of airlines, airports and federal officials in the case of an attack,” Thomsen wrote. “Organizations like the Aviation Information Sharing and Analysis Center (A-ISAC) offer a way for the federal government, airlines, airports and aircraft manufacturers to share information about potential cyber threats. But experts said more needs to be done to loop in all parties when it comes to cyber.”
PWNED: “Google's alleged practice of recording location data about Android device owners even when they believe they have opted out of such tracking has sparked an investigation in Arizona, where the state's attorney general could potentially levy a hefty fine against the search giant,” my colleague Tony Romm reported on Tuesday. “The probe, initiated by Republican Attorney General Mark Brnovich and confirmed by a person familiar with his thinking but not authorized to speak on the record, could put pressure on other states and the federal government to follow suit, consumer advocates say — although Google previously insisted it did not deceive consumers about the way it collects and taps data on their whereabouts.”
Ryan Anderson, a spokesman for Arizona's attorney general, told Tony that the state has “been thinking about investigating privacy concerns by tech companies for some time.” However, Anderson said he could not confirm which company Arizona was investigating. “Under state law, Arizona can bring consumer-protection cases against businesses that deceive users about their practices,” Tony wrote. “The state also can seek penalties of up to $10,000 per violation, meaning Google's location privacy practices could result in a sky-high fine for the company.”
— “The military’s research branch is investing in systems that automatically locate and dismantle botnets before hackers use them to cripple websites, companies or even entire countries,” Nextgov's Jack Corrigan wrote Tuesday. “The Defense Advanced Research Projects Agency on Aug. 30 awarded a $1.2 million contract to cybersecurity firm Packet Forensics to develop novel ways to locate and identify these hidden online armies. The award comes as part of the agency’s Harnessing Autonomy for Countering Cyber-adversary Systems program, a DARPA spokesperson told Nextgov.”
— West Virginia is getting closer to upgrading its election systems. “State Election Commissioners Tuesday approved federal Help America Vote Act (HAVA) grants totaling $6.53 million to 41 counties,” the Charleston Gazette-Mail's Phil Kabler reported. “Donald Kersey, Election Division director for the Secretary of State’s Office, said the funds will be used to upgrade or replace voting systems, upgrade cybersecurity and improve physical security for areas where voting machines are stored.”
— David Campos, a former information technology employee in New Jersey, admitted Tuesday in federal court in Newark that he deleted files from his former employer's computer network in 2017, resulting in losses of more than $150,000, according to a news release from the U.S. attorney's office for the District of New Jersey. Campos, 60, pleaded guilty to a charge that carries a maximum potential sentence of 10 years in prison and a fine. His sentencing has been scheduled for January.
— Russian trolls targeted the health care debate, too. Nearly 600 accounts linked to the Internet Research Agency, a Russian company at the heart of Moscow's political influence campaign, tweeted about the Affordable Care Act and health policy between 2014 and May 2018, the Wall Street Journal reports. “Researchers at Clemson University provided The Wall Street Journal with the set of about 9,800 tweets involving health policy and the ACA that the IRA posted over that period. An analysis by the Journal found that 80% of the tweets had conservative-leaning political messages, often disparaging the health law,” according to the Journal.
— “A Romanian court has ruled that a hacker known as Guccifer should be extradited to the U.S. to serve a 4½-year prison sentence,” the Associated Press reported. “The court in the central city of Alba Iulia ruled Monday that Romanian Marcel Lazar Lehel will be extradited after completing a seven-year sentence in Romania. Guccifer gained global notoriety after he hacked the email accounts of U.S. officials including former Secretary of State Colin Powell and members of the Bush family.”
- 10th EAI International Conference on Digital Forensics & Cyber Crime in New Orleans.
- Senate Banking Committee hearing on “countering Russia.”
- Senate Homeland Security and Governmental Affairs Committee hearing on “evolving threats to the homeland” tomorrow.
- House Homeland Security Committee markup of two cybersecurity bills — a bill by House Majority Leader Kevin McCarthy (R-Calif.) that would establish a vulnerability disclosure policy for DHS websites and a bill by Sen. Maggie Hassan (D-N.H.) that would create a bug bounty pilot program at DHS — tomorrow.
- The Senate Judiciary Committee examines a bill by Sens. Richard J. Durbin (D-Ill.) and Lindsey O. Graham (R-S.C.) to prevent foreigners who “improperly interfere” in U.S. elections from entering the United States tomorrow.