Securing the IT systems that support the Department of State’s mission is crucial to its ability to manage its cybersecurity risks. But the Government Accountability Office (GAO) says State hasn’t fully implemented its cybersecurity risk program, lacks assurance that its security controls are operating as intended, and is likely not fully aware of information security vulnerabilities and threats affecting mission operations.
GAO says State’s incident response processes for detecting, responding to, and recovering from cybersecurity incidents generally align with federal guidance by requiring the department to establish an incident handling capability for its information systems. For example, State’s Cyber Incident Response Team and other units within its Monitoring and Incident Response Division provide the capability to identify active and potential threats to the department’s network security 24 hours a day, 7 days a week.
However, the watchdog has found that the department has not fully implemented processes that support its incident response program. For example, State has not fully updated and tested information system contingency plans to ensure continuity of operations nor configured its centralized inventory management database to identify asset inventory information from all available data sources.
Further, State has not adequately secured its IT infrastructure to support its incident response program. Doing so would include replacing the 23,689 hardware systems and 3,102 occurrences of network and server operating system software installations that have reached end-of-life. Certain installations of operating system software had reached end-of-life over 13 years ago.
Without fully implemented incident response processes and an adequately secured IT infrastructure to support State’s incident response program by, among other things, updating outdated or unsupported products, GAO believes State’s IT infrastructure is vulnerable to exploits. Furthermore, the watchdog is concerned that the department risks being unable to fully detect, investigate, and mitigate cybersecurity-related incidents.
In the last several years, State has taken a number of steps to clarify and strengthen the role of the Chief Information Officer (CIO). For example, in October 2020, State issued a memo and matrix outlining the roles and responsibilities for cybersecurity of State’s CIO and others.
Nevertheless, GAO says the ability of State’s CIO to secure the department’s IT systems is limited due to shared management responsibilities and a lack of communication. In State’s IT structure, the CIO manages State’s main network and sets department-wide standards, but bureaus perform many activities independently, purchasing much of their own equipment, managing many of their own IT systems, and obtaining their own funding. In addition, GAO found that a lack of communication among the CIO, Information Resource Management, and the bureaus hampers the CIO’s ability to secure the department’s IT systems. For example, this created confusion among information system security officers about the applicability of IT-related requirements. GAO says State’s IT structure, insulated culture (i.e., bureaus operating independently), and the lack of communication between the CIO and the bureaus are responsible for many of the deficiencies it identified.
In October 2021, the CIO noted that the roles and responsibilities matrix needed to be updated to better reflect the specific cyber functions and activities that department leadership and bureaus engage in throughout State. Until State addresses these and other deficiencies, GAO says the CIO faces challenges managing and overseeing the department’s cybersecurity program, including risk management and incident response, and the department’s systems remain vulnerable.
It is worth noting that State also conducts its own cyber threat and investigations analysis. The Diplomatic Security Service (DSS) Cyber Threat and Investigations office (CTI) confronts cyber threats and crimes involving computers and other electronic technologies affecting the State Department. CTI maintains a highly skilled staff of special agents and civilian forensic examiners, network analysts, and evidence technicians who accomplish CTI’s mission by performing advanced threat analysis, conducting digital evidence recovery and analysis, conducting worldwide investigations involving computers or other digital devices, investigating cyber crimes impacting the State Department, and centralizing DSS cybersecurity coordination with intelligence and law enforcement agencies.
Through CTI, DSS supports State Department programs by seizing, examining, and analyzing digital evidence used in both criminal and non-criminal activities that affect the State Department’s mission. CTI personnel analyze those items utilizing the latest forensic technology and methods to extract relevant electronic evidence.
GAO is making 15 recommendations to State, including that the Secretary of State
- develop plans to mitigate vulnerabilities that State previously identified,
- conduct bureau-level risk assessments for the 28 bureaus that owned information systems that GAO reviewed,
- ensure that its information systems have valid authorizations to operate in accordance with department policies and federal guidance,
- ensure that the CIO has access to assets at bureaus and posts to continuously monitor for threats and vulnerabilities that may affect mission operations,
- ensure that all system contingency plans for high value assets are tested annually as required by department policies, and
- direct the CIO to update an October 2020 matrix to better ensure compliance with applicable department policies and federal guidance.
State concurred with all 15 recommendations to address the cybersecurity weaknesses. For example, the Bureau of Diplomatic Security stated that it will update its standard operating procedures for its cyber incident response program to formalize procedures related to annual reviews, updates, and testing activities.
In addition, GAO will issue a subsequent limited distribution report discussing technical security control deficiencies in State’s IT infrastructure. The report will identify approximately 40 unique deficiencies across three bureaus and 16 posts and will address about 500 recommendations to State for remediating those deficiencies. These recommendations will include replacing hardware and software installations that have reached end-of-life.