The State Department must do more to shore up its cybersecurity posture, according to a bipartisan group of senators.
The department is woefully behind on hitting various federal cybersecurity benchmarks, and it is weak on basic measures to protect against phishing, hacks and other cyberattacks, wrote Ron Wyden, D-Ore., Cory Gardner, R-Colo., Ed Markey, D-Mass., Rand Paul, R-Ky., and Jeanne Shaheen, D-N.H., in a letter to Secretary Mike Pompeo.
The letter cites two recent reports: The department’s inspector general found last year that 33 percent of diplomatic missions failed to conduct even the most basic cyberthreat management practices, like regular reviews and audits. Also, the General Services Administration found that the department has only instituted enhanced access controls on 11 percent of agency devices. The Federal Cybersecurity Enhancement Act requires agencies to enable multi-factor authentication (MFA) for elevated privileged accounts.
“We urge you to improve compliance by enabling more secure authentication mechanisms across the Department of State’s information systems,” the senators wrote. “While certainly not a silver bullet, MFA is a simple step that makes it significantly harder for foreign governments or criminals to access accounts.”
Cybersecurity has been big point of contention at the State Department under the Trump administration. Outside of internal procedures, the cybersecurity policy office has been caught in an internal tug-of-war over its mission.
Additionally, the House Foreign Affairs Committee advanced a bill in May that would task the secretary of State with setting up a vulnerability disclosure process for researchers to hunt for and disclose flaws in the department’s public-facing websites and applications.
The senators issued various questions to Pompeo around statistics tied to high-value assets, lack of multi-factor authentication and cybersecurity policy for foreign State Department missions.
You can read the letter below.