Sen. Mark R. Warner (D-Va.), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the bipartisan Senate Cybersecurity Caucus, voiced deep concerns with the ability of the U.S. Department of State to address the surge of offensive cyber activity by Iran. In a letter, which comes on the heels of a U.S. airstrike that killed Iranian general Qassem Soleimani, Sen. Warner notes Iran’s growing cybersecurity capabilities and presses Secretary Mike Pompeo for answers on how the Department plans to defend its information security systems in light of its long history of information breaches.
“The Iranian government’s state-sponsored cybersecurity capabilities have grown in sophistication and intensity in recent years, and they have developed a number of advanced persistent threat (APT) groups that conduct various offensive operations. Examples include prolonged espionage, destructive malware and ransomware attacks, and social media manipulation through influence campaigns,” wrote Sen. Warner. “These attacks serve both political and economic purposes, and use methods like password spray attacks, scanning for VPN vulnerabilities, DNS hijacking, spear-phishing emails, and social engineering.”
As recently as 2018, the Department of Justice indicted two Iranian individuals who conducted a 34-month-long international scheme, in which they used ransomware to extort hospitals, municipalities and public institutions, causing $30 million in losses.
In his letter, Sen. Warner cites two separate reports by the Department of State’s Office of the Inspector General (OIG) that detail a number of cybersecurity risks presented by the structure of the Department of State and by hiring freezes affecting the department. These risks include a diminished ability to respond to malicious cyber activity targeting personnel and information assets due to the hiring freeze, as well as a lack of cybersecurity oversight resulting in unauthorized and misconfigured network devices comprising the Department’s sensitive network.
“The State Department has a long history of information security breaches, beginning with a series of blunders in the late 1990’s, and including a massive and prolonged attack in 2014, when the National Security Agency (NSA) and Russian hackers fought for control of State Department servers,” wrote Sen. Warner. “In September 2018, after an email breach of unclassified systems, a bipartisan group of Senators asked you how the State Department was addressing the issue. Two months later, hackers with suspected ties to the Russian government were found to be impersonating State Department officials in an attempt to infiltrate computers belonging to the U.S. government, the military, and defense contractors.”
Noting the Department of State’s cybersecurity vulnerabilities and the risks of Iran carrying out cyberattacks with disruptive effects, Sen. Warner posed the following questions for Secretary Pompeo, requesting an answer by January 31st:
- Currently, cybersecurity personnel are dispersed organizationally across different bureaus within the Department of State, and across embassies around the world. Since the OIG report was issued in August 2019, what personnel changes have you made to more efficiently and effectively address both the hiring freeze impacts and the earlier security and audit concerns presented by the OIG?
- The OIG report noted that the Chief Information Security Officer (CISO) of the Department of State lacked necessary seniority for effectiveness or accountability. My understanding is that the current CIO reports to the Undersecretary for Management to the Secretary of State, and that the CISO reports to the CIO. In 2018 a study by the Financial Services Information Sharing and Analysis Center (FS-ISAC) recommended that CISOs have clear and direct communication with the CEO, rather than just to the CIO. Most organizations provide at least a dotted-line reporting structure from the CISO to the CEO. What kind of direct communication do you have with the CISO, given that the position sits below a CIO and an Undersecretary?
- What kind of employee training changes have you made to protect employees from phishing and other social engineering attacks?
- What technical changes have you made within the information security organization of the State Department to protect against ransomware and wiper malware attacks?
- Have you addressed the August 2019 OIG report’s hiring concerns for information and IT security personnel at our embassies? Are you up-to-date on your information security audits? Does the State Department, at the very least, conduct routine scanning, patching, and utilize multifactor authentication?
Earlier this month, Sen. Warner cautioned the Trump Administration on the dangers of escalating tensions with Iran and urged the Administration to prepare for the long-term potential consequences of targeting Soleimani.
A copy of the letter can be found here.