Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

State Department Gets an “F” in 2FA Security

September 19, 2018

As Naked Security reported yesterday, five Senators have discovered that the State Department is breaking the law by not using multi-factor authentication (MFA or 2FA) in its emails. They've sent a letter to Secretary of State Mike Pompeo, and they want answers.

The letter, from Senators Ron Wyden, Cory Gardner, Edward Markey, Rand Paul and Jeanne Shaheen, referenced reports from federal auditors that the Department of State was failing to meet basic federal cybersecurity standards.

The letter said that the General Services Administration (GSA), which is the US department dealing with government procurement, property management and information delivery, analyzed federal cybersecurity this year. The GSA's report found that the Department of State had deployed "enhanced access controls" across just 11% of required agency devices.

MFA or 2FA requires users to enter a second piece of information along with their password. That second factor is tied to something only the legitimate user holds, which thwarts imposters trying to take over accounts remotely with a stolen password alone. It could be biometric, such as your fingerprint; a hardware key, such as Google's recently announced dongle; or a code delivered to a mobile phone.

Federal agencies in the Executive Branch are legally required to enable 2FA for any accounts with elevated privileges under the Federal Cybersecurity Enhancement Act, passed as part of an omnibus spending bill in December 2015.

The letter said that according to the Department of State's Inspector General, one third of diplomatic missions failed to conduct even the most basic cyber threat management practices, like regular reviews and audits. Penetration testers also successfully hacked email accounts along with applications and operating systems at the Department.

The Senators wrote, "We are sure you will agree on the need to protect American diplomacy from cyberattacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA."

The Senators demanded that the Department respond by October 12, telling it what actions it has taken to remediate the classification of its cyber-readiness as "high-risk" by the White House's Office of Management and Budget (OMB). Although not explicitly mentioned, the letter is probably referring to a May OMB report on cybersecurity that categorized almost three quarters of the 96 Federal agencies as at risk or high risk.

The letter also asked what the Department of State has done to fix the "near total absence" of MFA-enabled accounts, and asked for statistics detailing the number of cyberattacks against Department of State systems located abroad.

Cybersecurity has not been a high priority for the current administration. If even our State Department is this woefully unprotected, we might as well send out engraved invitations to hack us. Then again, perhaps we have.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson