In response to reports that the US State Department is lagging in its implementation of basic cybersecurity standards, a bipartisan group of senators has written a letter to Secretary of State Mike Pompeo urging him to augment security mechanisms and improve compliance.
The senators point out that a password-only approach is not reliable protection, particularly given the increased number of phishing attacks. Additionally, they referenced the 2018 General Services Administration assessment, which showed that across the Department of State only 11% of agency devices had enhanced security controls deployed.
“The US government, through NIST [National Institute of Standards and Technology], has done a great job of providing best-practice guidance to enterprise via the Cybersecurity Framework and other documents,” said Anupam Sahai, vice president of product management at Cavirin.
“However, it is sad that they are not as widely adopted across the different agencies. Is this any different from Congress being unable to come to agreement on securing voting machines in advance of the November elections, knowing the published risks?”
Senators Ron Wyden, Ed Markey, Jeanne Shaheen, Cory Gardner and Rand Paul wrote, “We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA [multifactor authentication].”
“You would expect anyone handling sensitive data today to have enabled multifactor authentication as one of their basic security protocols,” said Steve Durbin, managing director of the Information Security Forum.
“It’s imperative that all types of organizations ensure they have strong standard security measures in place. This requires more diligence and organization-wide discipline than throwing money at the latest hyped-up software solution.”
The letter requested that Secretary Pompeo respond with details to three questions by October 12, 2018. Among other things, lawmakers want to know what actions the Department of State has taken to implement MFA, specifically for accounts with elevated privileges. In addition, they have requested statistics detailing the number of attempted and successful attacks on Department of State systems located abroad for each of the past three years.