US State Department Reportedly Sustained Cyber Incident
Department Recently Received a ‘D’ Grade for Its Cybersecurity Defenses
The U.S. State Department reportedly sustained a cyber incident recently that prompted a notice to the Defense Department’s Cyber Command.
The exact scope of the attack, including whether the State Department was targeted by a nation-state group or an attacker who may have attempted to exploit a vulnerability, remains unclear. Fox News, which reported on the incident, did not say when it took place or whether the federal agency’s IT systems or data were damaged or compromised.
Citing a source, Reuters reported that the incident has not affected the State Department’s day-to-day operations, including the ongoing evacuations from Afghanistan.
“The department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected. For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time,” a State Department spokesperson tells Information Security Media Group.
Security Concerns Highlighted
Earlier this month, a congressional report criticized the State Department and other agencies for their weak cybersecurity practices and questioned their ability to protect the data of employees and U.S. citizens (see: Report: 7 Federal Agencies Still Lack Basic Cybersecurity).
In the report, which was published by the Senate Homeland Security and Governmental Affairs Committee, investigators gave the State Department a “D” grade for its cybersecurity effectiveness – the lowest score on the scale.
Among the numerous shortcomings, the report found the State Department continued to use IT products that are no longer supported by the vendors, including outdated versions of Microsoft Windows. The investigation also noted that of 487 IT systems used by the department, 128 – about 26% – did not have valid authorizations, demonstrating that the “department did not perform timely, required security assessments.”
The report also found that the State Department routinely left “thousands” of classified and unclassified internal accounts open even after employees had left their position, retired or been fired.
“Former employees or hackers could use those unexpired credentials to gain access to State’s sensitive and classified information while appearing to be an authorized user,” according to the congressional report. “The Inspector General warned that without resolving issues in this category, ‘the risk of unauthorized access is significantly increased.’”
The State Department was also one of nine federal agencies that apparently were targeted by a Russian-linked group that conducted a supply chain attack against the network management software firm SolarWinds (see: Federal Agencies Struggling With Supply Chain Security).
Making Changes
The recent security incident at the State Department, along with the congressional report, should prompt the department – and all federal agencies – to quickly adopt the recommendations laid out in President Joe Biden’s executive order on cybersecurity, says Sam Curry, CSO at security firm Cybereason (see: Biden’s Cybersecurity Executive Order: 4 Key Takeaways).
The order, for example, calls for adopting endpoint detection and response technologies to have better visibility into IT networks, which could help uncover malicious activity faster, Curry notes.
“Having a means of finding the attacks like the one on the State Department as threat actors move in the slow, subtle, stealthy way through networks is the only option in returning defenders to higher ground above threat actors,” Curry says. “Advanced prevention, building resilience, ensuring that the blast radius of payloads is minimized and generally using peacetime to foster antifragility is achievable. Today, it’s not about who we hire or what we buy. It’s about how we adapt and improve every day.”
Other Security Measures
The reported cyber incident at the State Department also prompted a response from Rep. Ted Lieu, D-Calif., who noted on Twitter that he supports a bipartisan bill that could help provide additional security protections for the department.
The Hack Your State Department legislation would create a bug bounty program for the State Department and invite security researchers and white hat hackers to find vulnerabilities in systems and report them to officials.
The measure has passed the House but has not been scheduled for a vote in the Senate.
Managing Editor Scott Ferguson contributed to this report.