Cybersecurity Gaps Plague US State Department, GAO Report Warns

The US Department of State must fully implement its cybersecurity risk program and take additional steps to better protect its IT network and systems, a 92-page report by the General Accounting Office (GAO) warns.

The State Department has completed the authorization process for less than half (44%) its nearly 500 information systems, and has yet to implement a department-wide continuous monitoring system.

On the positive side, the department has identified risk management roles and responsibilities and developed a cyber risk management strategy.

However, "until the department implements required risk management activities, it lacks assurance that its security controls are operating as intended," the report noted. "Moreover, State is likely not fully aware of information security vulnerabilities and threats affecting mission operations."

And those threats are likely myriad.

State Dept. Faces Rafts of Outstanding Cyber To-Dos

The report, which forms part of the GAO's extensive work on the US government's cybersecurity and information security challenges, tallied 15 recommendations for executive actions that remain outstanding.

First and foremost among them is the recommendation that the State Department instruct the CIO to develop and maintain a department-wide risk profile prioritizing the department's most significant risks.

Following that, the State Department must develop plans to mitigate the vulnerabilities tallied by the CIO, and then conduct bureau-level risk assessments for the 28 bureaus that owned information systems the GAO reviewed.

The report noted the department also faces challenges in implementing its incident response program, updating and testing information system contingency plans, and configuring its inventory database properly.

An improvement of the overall IT infrastructure security is essential, including replacing outdated hardware and software installations, some of which have been in use for more than 13 years.

"This includes replacing the 23,689 hardware systems and 3,102 occurrences of network and server operating system software installations," the report noted.

The State Department's CIO also faces limitations in securing IT systems due to shared management responsibilities and poor communication, the report added.

While the CIO oversees the main network and sets standards, individual bureaus handle many tasks independently, including equipment purchases, IT system management, and funding.

The report concluded this lack of coordination also leads to confusion among information system security officers regarding requirements.

These deficiencies are largely a result of the department's isolated culture and inadequate communication between the CIO and the individual bureaus.

"Until State addresses these and other deficiencies, the CIO faces challenges managing and overseeing the department's cybersecurity program, including risk management and incident response, and the department's systems remain vulnerable," the report warned.

Meanwhile, a looming shutdown of the federal government threatens to cause additional cybersecurity complications across a host of agencies and departments, with the CISA stating it would furlough more than 80% of staff indefinitely if Congress can't reach an agreement to fund the federal government.

Infrastructure at Risk From Foreign Threats

The report follows the successful attack of 25 US government agencies by Chinese hackers — including the State Department — in May, resulting in the theft of 60,000 emails from senior officials.

In the email breach, a stolen Microsoft account (MSA) key allowed the Storm-0558 APT to forge authentication tokens to masquerade as authorized Azure Active Directory (AD) users, obtaining access to Microsoft 365 enterprise email accounts and the potentially sensitive information contained within.

In April 2022, the State Department announced the creation of a Bureau of Cyberspace and Digital Policy to help shape norms of responsible government behavior in cyberspace and help US allies bolster their own cybersecurity programs, reflecting the growing importance of cybersecurity in national policy, economy, and defense.