Lawmakers Question State Department on Cyber Failures

Secretary of State Mike Pompeo (Photo: Gage Skidmore)

A bipartisan group of senators wrote to Secretary of State Mike Pompeo on Tuesday questioning the State Department on what they called its failure to meet Federal cybersecurity standards, including a “near total absence of multifactor authentication (MFA).”

The letter was signed by Sens. Ron Wyden, D-Ore., Cory Gardner, R-Colo., Edward Markey, D-Mass., Rand Paul, R-Ky., and Jeanne Shaheen, D-N.H., and was written “in response to reports from Federal auditors.”

The senators cited a 2018 General Services Administration (GSA) assessment of Federal cybersecurity, referencing cyber monitoring numbers tracked in quarterly reports on the President’s Management Agenda.

The GSA assessment found that the State Department had deployed privileged network access management–including MFA–on only 11 percent of agency devices. “This despite a law–The Federal Cybersecurity Enhancement Act–requiring all Executive Branch agencies to enable MFA for all accounts with ‘elevated privileges,’” the senators wrote.

The next-lowest agency figure reported for the same quarter is 69 percent, and a great majority of agencies are fully covered at 100 percent.

“We are sure you will agree on the need to protect American diplomacy from cyberattacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with Federal law requiring agency use of MFA,” the senators wrote.

“Similarly, the Department of State’s Inspector General found last year that 33 percent of diplomatic missions failed to conduct even the most basic cyber threat management practices, like regular reviews and audits,” they added.

In addition to requesting an update on MFA progress, the lawmakers are calling on Pompeo to respond with actions his agency has taken to address its “high risk” cyber readiness designation from the Office of Management and Budget, and with statistics on “the number of cyberattacks against Department of State systems located abroad.”

A State Department official told MeriTalk that “the Department takes all Congressional correspondence seriously and will respond appropriately.”
