State Department Shamed For Poor Adoption Of Multi-Factor Authentication

Five US senators have sent a letter to Secretary of State Mike Pompeo requesting answers why the State Department has not widely deployed basic cyber-security protections, such as multi-factor authentication (MFA).

Featured stories

The letter was sent yesterday and was signed by senators Ron Wyden [D-Ore], Cory Gardner [R-Colo], Ed Markey [D-Mass], Rand Paul [R-Ky], and Jeanne Shaheen [D-N.H.].

The five senators cite two recent governmental reports in their letter, reports that pinpoint serious issues with the State Department implementing cyber-security best practices.

Also: First IoT security bill reaches governor’s desk in California

The first of these is a 2018 General Service Administration (GSA) assessment of the Department of State’s cyber-security practices.

The GSA said that only 11 percent of high-value devices deployed by the Department of State had multi-factor authentication enabled, meaning they were protected only by passwords, lacking a multi-layer authentication system that involved SMS tokens, security keys, biometrics, or other second factors.

The report found the Department of State in breach of the Federal Cybersecurity Enhancement Act that requires all Executive Branch agencies to enable MFA for all accounts with elevated privileges.

“We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA,” the five senators wrote in the joint letter.

Further, the senators also cited a report by the Department of State’s Inspector General (IG), which found last year that 33 percent of US diplomatic missions failed to conduct even the most basic cyber threat management practices, like regular cyber-security reviews and audits.

Also: US government releases post-mortem report on Equifax hack

The bipartisan group is now looking for answers from the State Secretary Pompeo, and gave his office until October 12 to answer three questions:

  • What actions has the Department of State taken in response to the designation of the Department of State’s cyber readiness as “high risk”?
  • What actions has the Department of State taken to rectify the near total absence of multifactor authentication systems for accounts with elevated privileges accessing the agency’s network, as required by federal law?
  • Please provide us with statistics, for each of the past three years, detailing the number of cyber attacks against Department of State systems located abroad. Please include statistics about both successful and attempted attacks.

READ MORE HERE