Despite frequent hacking attempts and the threat of another Edward Snowden-like data theft, the State Department’s computer systems remain woefully insecure and easily could be breached by enemies seeking to steal classified information, the department’s internal watchdog says.
The warning by the department’s inspector general was issued one day after State was blamed by a bipartisan Senate report for allowing lax security at its Benghazi, Libya, compound and failing to stop a deadly 2012 attack there that senators concluded was preventable.
The department has failed to address “significant and recurring weaknesses” with cybersecurity — some of which were flagged during earlier reviews dating to 2011, the department’s inspector general wrote in a redacted letter made public Thursday.
“The department is responsible for preserving and protecting classified information vital to the preservation of national security in high risk environments across the globe,” the inspector general said, but added that officials have yet to “correct many of the existing significant deficiencies thereby leading to continuing undue risk in the management of information.”
The vulnerabilities could allow foreign spies to steal U.S. secrets or terrorists to acquire sensitive information that could be used to plan more attacks like the slayings of U.S. Ambassador J. Christopher Stevens and three others in Benghazi.
The unsecured networks also could allow internal leaks of classified information, the inspector general said, such as those revealed by Army Pvt. Bradley Manning and Mr. Snowden, a former National Security Agency contractor.
Investigators said more than 6,300 administrators have wide access to computer systems and databases, with limited oversight on who is accessing information.
“Really, no computers are completely secure,” said Clifford Neuman, director of the Center for Computer Systems Security at the University of Southern California. “With these kinds of systems, it’s not if there will be a breach, it’s when there will be a breach.”
Although most classified and sensitive information is kept on a separate network from the day-to-day operations, lots of sensitive information is still at risk, Mr. Neuman said.
At the very least, the State Department could be exploited by more traditional crime, investigators said. The agency handles millions of dollars from items such as visa fees, making it a prime target for theft. Processing passport applications means agency computers often contain lots of personal information about U.S. citizens.
The inspector general has been warning the department of the problems since 2011, but inspectors say little has been done. The watchdog declared computer security a “significant deficiency,” one of the highest and most urgent markers the government uses to track issues.
Most of the specifics on what is not working are still classified because of concerns that the vulnerabilities could be exploited.
Although officials have expressed a desire to correct the problems, inspectors said little action has been taken and no written guidelines or documented strategies have been implemented for improving security.
In a response to investigators, the State Department’s Management Control Steering Committee said a plan to fix the vulnerabilities is under consideration and should be ready by the end of the month.
“The committee takes the reported weaknesses very seriously,” said Chairman James Millette. “The committee believes that our efforts over the coming year will advance the department’s information security posture.”
Steve Linick, the inspector general, said his office was still concerned that the agency’s own personnel would be the ones testing whether cybersecurity was improving, calling it an issue of “independence and perceived independence.” Instead, an outside organization such as the National Security Agency should evaluate whether changes were actually effective, he said.
Attacks on government computers have been growing rapidly, according to the U.S. Computer Emergency Readiness Team, a federal office focused on cybersecurity. In fact, attempts at breaching government networks went up 680 percent from fiscal years 2006 to 2011, from 5,503 incidents to 42,887.
• Phillip Swarts can be reached at pswarts@washingtontimes.com.