New Report: The State Department’s Anti-Hacking Office Is a Complete Disaster

“This report reads like a what-not-to-do list from every policy, program, and contracting perspective.”


The State Department has plenty of important secrets—classified cables, foreign policy directives, embassy plans, and more. It also has a department (with a nine-word name) responsible for protecting those secrets from hackers: the Bureau of Information Resource Management’s Office of Information Assurance. Yet according to an unusually scathing new report from the State Department’s inspector general, this “lead office” for cybersecurity is so dysfunctional and technologically out-of-date that Foggy Bottom may be open to cyberattack.

The IG’s audit of the cybersecurity office, which took place earlier this year, concluded that the office “wastes personnel resources,” is unequipped to monitor $79 million in contracts, “has no mission statement,” and “is not doing enough and is potentially leaving Department systems vulnerable.” The report notes that department employees usually cannot find the head of the bureau because he’s often not in the office, and as a result, they don’t know what their work priorities are. The IG report notes that because of these problems, other parts of the department have to pick up the slack.

“This report reads like a what-not-to-do list from every policy, program, and contracting perspective,” says Scott Amey, the general counsel for the Project On Government Oversight, a nonprofit watchdog group where I used to work. “With stories about foreign entities hacking US government systems and questions about non-authorized access to classified information, this latest IG report causes major concerns about the State Department’s ability to protect government systems.”

The threat of someone hacking the State Department isn’t merely theoretical. In 2010, Bradley Manning was able to leak more than 250,000 State Department cables to WikiLeaks. In 2009, the Associated Press revealed that the State Department was hit with large-scale computer break-ins that appeared to originate from North Korea and China. “I know of several instances where the consular visa systems were attacked,” adds Peter Van Buren, a former Foreign Service officer who spent 24 years working for the State Department before blowing the whistle on problems with reconstruction in Iraq. “State never advertised attacks or intrusions, but from time to time ‘network outages’ happened.”

“One can assume that the State Department faces the same kind of [cybersecurity] challenges as do other government sites,” says Steven Aftergood, director of the Federation of American Scientists’ Project On Government Secrecy. “This IG report is startling in its blunt recitation of security failings. There is no such thing as perfect security, but there is sloppy security, and that’s what seems to be on display here.”

One profound problem is that the cybersecurity office’s technology is not sufficiently advanced to deal with modern cyberattacks. The IG report notes that many of the office’s regulations have not been updated since 2007, and its policies do not provide guidance on how to incorporate “the latest technologies and efforts within the Department”—including the State Department’s $1 billion cloud computing initiative, which would make the State Department’s network much more efficient. In a hard-to-believe finding, the IG audit reports that the database used by the cybersecurity office to track computer vulnerabilities can only be updated by hand after it’s printed out. As the IG notes, the office “is contradicting the main reason to use an electronic means…to improve efficiency.”

Van Buren says this isn’t surprising. During his time with the State Department, he recalls, the agency “strongly opposed internet access except on stand alone dial-up machines and clung to its mainframe systems long after the rest of the world had moved to PCs.”  But James Lewisa senior fellow and director of the Technology and Public Policy Program at? the Center for Strategic and International Studies, argues that the IG still needs to do more research on how many cyber attacks the State Department is actually stopping, because “last I heard, State was doing pretty well on cybersecurity.”  

The office consumes a good chunk of taxpayer change. Its 2013 operating budget is $10 million, and it’s getting an additional $19 million this year from Vanguard, a $2.5 billion State Department contract that awards money for dozens of different IT services. The office also oversees five procurement contracts worth $79 million, and it relies disproportionately on contractors. Of its 58 employees, just 22 are full-time State Department employees; the rest are contractors.

According to the report, the cybersecurity office has asked for more staff. But the IG says that increasing the number of people assigned to the office is “not justified by the current level of work being performed.” The IG notes that “the atmosphere in the office has improved” since William Lay took over the office in 2012, but it reports that “many of the staff members commented that they were unaware of [his] activities in general” and “he is not seen regularly in the office.” The staff meetings also “do not normally provide clarity on what [Lay] considers to be office priorities.” Lay reports to Chief Information Officer Steven C. Taylor, who Secretary of State John Kerry appointed in April.

“The State Department takes the OIG feedback seriously and will respond appropriately,” Steve Aguzin, a spokesman for the State Department, tells Mother Jones. 

There is some good news. “The IG identified numerous problem areas before any of them could really develop into a crisis,” Aftergood says. For the IG, at least, “It’s a job well done.”

AN IMPORTANT UPDATE

We’re falling behind our online fundraising goals and we can’t sustain coming up short on donations month after month. Perhaps you’ve heard? It is impossibly hard in the news business right now, with layoffs intensifying and fancy new startups and funding going kaput.

The crisis facing journalism and democracy isn’t going away anytime soon. And neither is Mother Jones, our readers, or our unique way of doing in-depth reporting that exists to bring about change.

Which is exactly why, despite the challenges we face, we just took a big gulp and joined forces with the Center for Investigative Reporting, a team of ace journalists who create the amazing podcast and public radio show Reveal.

If you can part with even just a few bucks, please help us pick up the pace of donations. We simply can’t afford to keep falling behind on our fundraising targets month after month.

Editor-in-Chief Clara Jeffery said it well to our team recently, and that team 100 percent includes readers like you who make it all possible: “This is a year to prove that we can pull off this merger, grow our audiences and impact, attract more funding and keep growing. More broadly, it’s a year when the very future of both journalism and democracy is on the line. We have to go for every important story, every reader/listener/viewer, and leave it all on the field. I’m very proud of all the hard work that’s gotten us to this moment, and confident that we can meet it.”

Let’s do this. If you can right now, please support Mother Jones and investigative journalism with an urgently needed donation today.

payment methods

AN IMPORTANT UPDATE

We’re falling behind our online fundraising goals and we can’t sustain coming up short on donations month after month. Perhaps you’ve heard? It is impossibly hard in the news business right now, with layoffs intensifying and fancy new startups and funding going kaput.

The crisis facing journalism and democracy isn’t going away anytime soon. And neither is Mother Jones, our readers, or our unique way of doing in-depth reporting that exists to bring about change.

Which is exactly why, despite the challenges we face, we just took a big gulp and joined forces with the Center for Investigative Reporting, a team of ace journalists who create the amazing podcast and public radio show Reveal.

If you can part with even just a few bucks, please help us pick up the pace of donations. We simply can’t afford to keep falling behind on our fundraising targets month after month.

Editor-in-Chief Clara Jeffery said it well to our team recently, and that team 100 percent includes readers like you who make it all possible: “This is a year to prove that we can pull off this merger, grow our audiences and impact, attract more funding and keep growing. More broadly, it’s a year when the very future of both journalism and democracy is on the line. We have to go for every important story, every reader/listener/viewer, and leave it all on the field. I’m very proud of all the hard work that’s gotten us to this moment, and confident that we can meet it.”

Let’s do this. If you can right now, please support Mother Jones and investigative journalism with an urgently needed donation today.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate