WASHINGTON (Sinclair Broadcast Group) — Deficiencies in cybersecurity at the State Department point to broader problems in the government's handling of security issues that could be difficult to correct, according to experts and official reports.
The Associated Press reported Monday that the State Department was assessed as being among the worst agencies in the federal government at securing its computer networks when Hillary Clinton was secretary of state, and it has continued to struggle with security under Secretary John Kerry.
In reports from 2011 through 2014, the State Department inspector general called the agency's cybersecurity a "significant deficiency." The 2015 assessment has not yet been released.
The State Department received one of the lowest ratings on the federal government's latest cybersecurity report card, according to the Associated Press. Two inspectors general have expressed concerns about the security of the agency's data since 2009.
State Department spokesman Mark Toner told reporters Monday that the department disagrees with the inspectors' characterization of its cybersecurity efforts.
"The department has a very strong cybersecurity program," Toner said, "as I think I said in the article, that we successfully defeated almost 100% of the 4 billion--and I'll say that again--4 billion attempted intrusions that we experience each year."
Toner noted that a continuous monitoring program implemented by the department while Clinton was in charge became the model for a program that is now being rolled out to other agencies.
The questions about cybersecurity at the State Department under Clinton and Kerry came on the same day that a hacker claimed to have broken into personal email accounts of CIA Director John Brennan and Department of Homeland Security Secretary Jeh Johnson. Officials are still working to confirm that the hacks had occurred.
Concerns have recently been raised about security of data in other government departments, as well.
A report released by the Government Accountability Office (GAO) in September identifies "persistent weaknesses" in information security at 24 federal agencies over the previous two years. Numerous recommendations made by the GAO to improve security had not been implemented.
Intelligence officials told the Senate Armed Services Committee that cyber attacks are becoming more frequent, more sophisticated, and more severe. They expressed concerns about foreign government-sponsored hackers, corporate espionage, and data manipulation that could undermine the nation's infrastructure.
The Office of Personnel Management (OPM) faced harsh criticism over the summer after acknowledging that breaches of government databases exposed sensitive personal information of over 22 million people. This included applications for government security clearance containing details about employees' friends and relatives.
Cybersecurity experts say the OPM breach is indicative of government-wide security problems that need to be addressed, but they also say there are specific reasons why the State Department is particularly vulnerable to hackers. While no security system is perfect, there are many areas where improvements could be made.
"There is never, ever a silver bullet. You cannot prevent everything from happening," said Morgan Wright, a senior fellow at the Center for Digital Government and a cybersecurity analyst.
One of the flaws in the government's approach to security, according to Wright, is a "defend at all costs" attitude rather than a focus on the truly critical systems. If a breach cannot be avoided, the goal should be to identify it and shut it down as quickly as possible.
"You can't stop fires from happening," he said, "but what you want is the fastest fire department on the planet."
James Scott, a senior fellow at the Institute for Critical Infrastructure Technology who recently co-authored a report on the OPM breach, expressed a similar sentiment.
"You can't really protect against a breach...What you have to do is count on a breach happening" and be prepared to slow down and stop a bad actor inside the system, he said. The use of behavioral analytics or biometrics could help with that.
Most systems that are connected to the internet can be penetrated by foreign intelligence agencies, according to Martin Libicki, a cybersecurity expert at the RAND Corporation. Banks and defense contractors are particularly good at defending themselves against these kinds of attacks, but government offices are not.
Part of the reason for this is bureaucratic. The government cannot easily adjust its cybersecurity spending, and it is prone to what he called "checkbox thinking": employees doing only what is required of them, as if they were checking off boxes on a list.
There are also some challenges specific to the State Department, though. According to Libicki, the work done there makes it an obvious target for foreign intelligence agencies, and it cannot run without communicating with outsiders and people overseas. As a result, it cannot be protected the same way other departments might be.
"Bureaucracy is one of the biggest inhibitors of the evolution that the government's supposed to be trying to expedite," Scott said. People who do not understand cybersecurity are trying to come up with solutions, and there are few truly qualified people working there.
One of the reasons qualified people are not attracted to government work, Wright suggested, is that technology there is so far behind what is available in the private sector and in people's personal lives. He recommended changes to the government's technology acquisition process.
As it is now, Wright said, it can take 18 to 36 months for government systems to implement new technology, and by that point it is often already outdated. If that process were streamlined, "that would have, I think, one of the single greatest impacts on getting the job done."
He noted that one thing that made the OPM breach possible was that the agency's technology was too old for encryption.
"I think the threats are internal, I mean from attitude and philosophy." The underlying philosophy of security officials needs to change before the strategy will change, but he is not optimistic about that happening soon.
"The only thing that changes is the 'R' or 'D' in the White House," he said. "Everything else kind of remains the same."
Many solutions have been offered for these problems, some of which are more complicated and challenging to accomplish than others.
"One of the main things is education," Scott said. "They're not educating federal employees on the basics of social engineering."
Other basic things that could improve security, according to Scott, include minimizing what employees have access to, upgrading from legacy systems, and patching known vulnerabilities.
"There's really no oversight to make sure that these individual agencies are even doing this."
Some have proposed creating a high-ranking position that would have such oversight, a chief information security officer for the government. If that person had sufficient power over the various agencies, it could be effective.
"In theory, it sounds good," Wright said. However, that officer would need to have responsibility, accountability, and authority, and he is skeptical that they would be granted all three.
"Everybody wants the same outcomes, but nobody wants to do the same things to get there."
Accountability, as he sees it, is one of the things most lacking in the government cybersecurity system. Following high-profile data breaches at private companies, executives are usually fired. When government systems are breached, the consequences are rarely so severe.
"Who gets penalized in the government for not fixing problems?"
Wright suggested that regulations should be rewritten so senior government officials are as vulnerable to being fired or sued for security failures as private business executives are.
Scott also noted the lack of accountability. If officials were willing to hold themselves accountable for their failures instead of looking out for their own interests, problems might get solved faster.
Similarly, Libicki cited fear of embarrassment as one of the biggest threats to government cybersecurity. Another problem he sees is the difficulty of placing value on sensitive information. To determine how much to spend on security, officials need to know how much the loss of information is costing.
If Chinese hackers find out what the U.S. embassy in Nairobi is doing, how much does that hurt State Department interests, Libicki asked. It is important to think those things through, but it is hard to put a number on, particularly when politics interfere as they frequently do in the current environment.
"When it comes to the State Department and sensitive information, the question has become politicized," he said.
Despite the concerns that have been raised about the state of government security and several high-profile hacks, a recent survey of cybersecurity by BitSight ranked the government as the second highest performing sector in the U.S. economy. The report does identify vulnerability to certain specific kinds of attacks, though.
Wright said such a ranking is highly subjective. Measuring the effectiveness of security is difficult because it entails quantifying the attacks that were prevented. Even if the ranking is accurate, though, he argued that for what the government spends on security, it should be the best by far.
According to Libicki, other industries like pharmaceutical companies, retail stores, and law offices are currently dealing with similar cybersecurity problems. Scott also pointed to energy, nuclear power, and aerospace businesses as particularly likely targets for hackers. The private sector seems to place a higher priority on cybersecurity, though.
While government officials are quick to point out the volume of cyber-attacks they face--Toner noted 4 billion attempted intrusions per year and federal agencies reported 67,000 incidents last year--experts say those numbers can be misleading.
"It's just not terribly interesting how many attempts there are," Libicki said. "It's only interesting how many attempts get through."
Many of those attempted intrusions likely come from automated software that searches for vulnerabilities without even knowing what systems it is attacking.
"I'm not worried about the ankle-biters," Wright said of those attacks. "It's the advanced persistent threats."
He cited a quote from former Homeland Security Secretary Tom Ridge, "We have to be right a billion-plus times a year...The terrorists only have to be right once."
"Numbers are irrelevant to me. It's the impact," Wright said, and he fears the impact of a security breach in the future could be far greater than in the past.
Wright and another security expert have launched Cyber Decision 2016, an effort to bring cybersecurity forward as a vital issue in the 2016 presidential race. They have distributed a questionnaire about security issues to all of the presidential campaigns and will post completed questionnaires on their website if the campaigns submit them.
During the first Democratic debate, candidate Jim Webb mentioned cybersecurity as one of the major threats facing the U.S. right now, but otherwise the topic has rarely come up. Wright noted that former Florida Governor Jeb Bush has a plan on his website for dealing with it.
"I would like to see the candidates be more articulate" on cybersecurity issues, Wright said. He feels they should be as conversant about it as they are on things like debt and spending.
"If I have to, I will shame candidates into answering this questionnaire."
Libicki, however, said it might not be a bad thing if the issue stays out of this election cycle.
"There's the whole Hillary factor," he said. With Hillary Clinton facing scrutiny for her email practices and her handling of sensitive information while she was secretary of state, the discussion would be inherently politicized and partisan.
Libicki also expressed concern that the general public and some politicians may not fully understand cybersecurity matters, which makes a substantive policy debate difficult.
"It's not an easy subject," he said.
Libicki sees three trends impacting cybersecurity. One is that the technical level of cyber defense is improving. Another is that operating systems are growing more secure. This makes things more difficult for hackers, but the hackers are also becoming more talented. The third trend is that computers are constantly being used to do new things, which introduces new vulnerabilities.
Even if current vulnerabilities are patched up, Scott is concerned about what hackers may do with information they have already taken. Foreign intelligence agencies or other bad actors will not sell sensitive information, as some have speculated.
"The information that has been taken, no one who understands what they have would market this information or sell it," he said.
They will use it for espionage purposes, launching more targeted attacks on people with higher intelligence grades based on the data. The long-term consequences of these breaches are what he worries about.
"You're going to see the results of what they're doing right now, the bad actors, ten years from now," Scott said.
According to Wright, the government's response to cybersecurity threats also needs to be forward-thinking. In addition to the changes he recommends in acquisitions and philosophy, the age of leadership has to change.
"It's a paradigm shift that needs to happen," he said.
The people making advanced technology policy decisions today grew up with rotary phones. In ten years, millennials will likely be taking positions of leadership. Considering how important technology is in their lives, Wright expects they will bring a new understanding of these issues.
Those are the people he believes will really make a difference, so the government needs to attract and hire the best.
"You want to harvest in the fall," Wright said, "you've got to plant in the spring. What are they going to do right now to start planting the seeds of change?"