Situation Report: State Department assertions on cyber breach at odds with history of weakness

A recent media report from Fox News indicates that U.S. Cyber Command notified the U.S. State Department of a serious cybersecurity “breach” within the State Department networks, though the details of the hack and its potential implications are still unknown.

Reuters reported that “a knowledgeable source” stated that “State Department has not experienced significant disruptions and has not had its operations impeded in any way.” It is unclear whether this “source” is referring to a non-impact of the cyber breach on the State Department’s current evacuation operations surrounding the botched “withdrawal” from Afghanistan.

A State Department spokesperson said, “for security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time,” and that the State Department “takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected.”

Unfortunately, it hard to take statements by State Department leadership at face value.

For example, Fox News’ White House Correspondent Jacqui Heinrich pointed out that the State Department’s statement is at odds with a staff report of the Senate Committee on Homeland Security and Government Affairs titled “Federal Cybersecurity: America’s Data Still At Risk.”

“Notably, a Senate Homeland Security committee report this month rated State Department’s overall information security a ‘D’, the lowest possible rating in the model, calling it ineffective in 4 of 5 function areas,” she tweeted.

That report listed numerous worrisome findings, including “450 critical-risk and 736 high-risk outstanding vulnerabilities,” and “the Department’s failure to comply with its own policy for patch management and vulnerability remediation.” The State Department Inspector General (IG) cited the State Department in 2016, 2017, 2018, and again in 2021 for “Failure to Provide for Adequate Protection of PII (Personally Identifiable Information), asserting that it “did not have an effective data protection and privacy program in place,” and that it was “unable to document that it had defined controls related to the protection of data at rest and in transit.”

Even worse, the report noted that the State Department’s protest of these findings by the IG were – on at least two occasions – so poorly articulated that the IG indicated that the State Department IT office “may not understand the intent of the recommendation.” That the department’s IT personnel could not even appropriately comprehend and respond to an IG recommendation call into question their ability to execute the cybersecurity functions they are paid to perform.

Ultimately, the Senate Homeland Security Committee staff report casts serious doubt on the State Department’s assertion that it “takes seriously its responsibility to safeguard its information.”

This is a major problem, given that State is the lead agency for American foreign policy and holds a “wealth of both PII and sensitive national security information” such as the Consular Consolidated Database (CCD) which includes “current and archived data from all of the Consular Affairs post databases around the world.” It’s Blue Lantern program “monitors the end-use of defense articles, technical data, defense services, and brokering activities exported through commercial channels.”

Even if the cyber breach did not “disrupt” current State Department operations, it could clearly put at severe risk our citizens, allies, and our defense capabilities worldwide, particularly during the ongoing crisis in Afghanistan.