A new report from the U.S. Government Accountability Office (GAO) shows that the U.S. foreign service still does not practice the cybersecurity it has written down. The State Department can point to a formal cybersecurity risk management plan, but that plan exists largely on paper.
GAO report GAO-23-107012 examines the poor state of cyber affairs at the State Department, the agency that conducts U.S. diplomacy and helps shape U.S. foreign policy. Securing the IT systems that support the Department's mission ought to be a critical goal; so far, by the GAO's account, the Department has fallen well short of it.
The GAO found that the State Department has documented a cybersecurity risk management plan "that meets federal requirements." The plan assigns risk management roles and responsibilities and sets out appropriate risk management strategies. However, the plan has not been "fully" implemented: the Department cannot reliably identify or monitor risks to its IT assets, because it does not even know how many IT assets it owns.
The full report states that the State Department "probably does not fully recognize" the information security vulnerabilities and cyber threats affecting the operation of its missions. The Department does have a cyber incident response team that monitors for and identifies security issues around the clock, but it lacks a "comprehensive implementation process" to back its incident response plan, so detection is not matched by a consistent, documented response.
The GAO's finding that the State Department "does not adequately protect" its IT infrastructure is probably the understatement of the year, given what the report implies about the age of its systems. The GAO confirmed that some operating systems in use reached end-of-life "as early as 13 years ago." Counting back from the 2023 report, that lines up closely with the end of Windows XP mainstream support on April 14, 2009, which suggests that XP-based PCs are still in service; the Department and the report do not name the operating system, so that inference is the author's. Microsoft's extended support for XP ended on April 8, 2014, so any such machine has gone years without security patches.
Other infrastructure findings include 23,689 "hardware systems" and 3,102 network and server operating system installations that have reached the end of their useful life and are no longer supported by their vendors. And as if the technical findings were not concerning enough, the GAO report makes clear that the State Department's bureaucracy and divided organizational structure are actively undermining its own security efforts.
The State Department has split IT management responsibilities between the chief information officer and its individual bureaus, and the resulting "silo culture" fostered a lack of communication that the GAO traces to many of the deficiencies in the report. Because of this communication gap, the Department's Enterprise Configuration Management (ECM) database does not provide a complete picture of all hardware and software still in use, the GAO said. In particular, the ECM database appears to contain no data at all on IT assets used at 20 of the country's diplomatic outposts, so no central inventory, vulnerability scan, or patch-compliance check can account for them.
The GAO has made 15 recommendations to address the problems identified in the State Department's IT infrastructure. In addition, the oversight office will later release a separate "limited distribution" report containing an additional 500 recommendations to remedy the poor state of security at U.S. diplomatic agencies.