The State Department says it needs to reconstruct its classified computer systems after suffering a hack the agency has said only affected its unclassified networks.
This detail, buried in a 2016 funding request document, combined with State’s failing data protection grades on a recent governmentwide report card, paints a picture of an agency ripe for another attack, security experts say.
"I assume (and hope) that emails sent between the President and Secretary of State are heavily encrypted and never touch the public Internet," Christopher Soghoian, principal technologist for the American Civil Liberties Union, tweeted Monday.
That might not be the case. Zero percent of State's email was sent via systems configured to encrypt messages -- or code the contents so they are unreadable if intercepted, according the White House's annual report to Congress on agency information security. The messages were all sent in clear text.
It’s unclear what kind of data protections former State Secretary Hillary Clinton had in place when she emailed President Barack Obama from her homemade email system.
State has asked Congress for $10 million to support "the necessary re-architecting of the classified and unclassified networks” at the department, according to current Secretary of State John Kerry's budget justification. The budget request also proposes spending $17.3 million on "architecture services." The overhaul will establish new security controls and help reduce "known security vulnerabilities."
One weakness in all department systems is the absence of two-step identity verification, according to the cyber score-sheet. Under a 2004 presidential directive, all agency login screens must require users to enter passwords and a second credential, like a smart card, for access. The 2016 budget states State is aiming to establish the two-step process by 2018.
On Tuesday, State declined to comment on the extent of the reconstruction of its classified and unclassified information technology systems.
Coming enhancements “will add additional protections and provide IT modernization to meet industry best practices,” a department official said in an email. State is remodeling the classified networks now because the agency “continually looks for ways of modernizing our infrastructure to better protect its data,” the official said.
"I think that it’s fair to say that State doesn’t have reliable security practices, if it was at zero percent” for encryption and two-factor identification, said David Brumley, a Carnegie Mellon University computer engineering professor.
"A lot of the times when things are compromised, it’s not because there wasn’t already a technology solution out there -- it was because there weren't enough people to support the technical solution" or teach employees to follow security rules in a way that doesn't interrupt their jobs, he added. "My guess is that that is where a lot of the money is going.”
State also plans to install more barriers between business-sensitive data and other types of information, so hackers who prop open the door to one system can't push their way into higher-value systems. The $10 million in part would go toward completing "a private cloud infrastructure" designed to create secure enclaves that would add "perimeters around business critical applications and data," the justification states.
The Doomsday Scenario
One of the stumbling blocks in trying to recover from a network attack is trust. What hardware and software is safe? Uncertainty about the presence of malware in devices makes organizations consider rebuilding from top to bottom, which is "the doomsday scenario," said John Dickson, an information security analyst and former U.S. Air Force intelligence officer.
"What we understand happened at Sony is they ended up just starting over, with getting new servers and new devices because they simply could not trust the hardware that they had at a certain point," said Dickson, comparing State’s 2016 budget explanation to a breach at the entertainment giant that aired Hollywood's dirty laundry and sensitive personal information on employees.
As previously reported, State replaced some 30,000 keychain login fobs after the penetration of its unclassified email system last fall, which happened at the same time the White House was hacked. It’s uncertain what the original or replacement credentials grant access to.
Some computer science experts say the IT do-over reflects a realization that State’s past security investments might not be enough to prevent another intrusion.
"It may very well be the case that there are some things that they don’t trust anymore because they are compromised and they want to replace them, but my guess is that they have just devoted insufficient funds to protection previously, because it was compromised," said Brumley, who also heads cyber startup ForAllSecure. "A lot of the security expense is in the people and the training. If they already have bad practices and grades, you know, getting rid of those."
Purchasing new devices is not that costly, but arranging the proper technical support so people actually use it is, he said.
The Fake “KerryJF@state.gov”
Right now, State is incapable of "digitally signing" outgoing email to citizens and colleagues, the cyber score sheet found.
This means anyone might be able to "spoof," or copy, an official "@state.gov" email address to fool people into thinking they are being contacted by a legitimate high-ranking official.
In theory, an email purportedly from Kerry at "KerryJF@state.gov” that asks a staffer to send him an internal PowerPoint presentation on Iran actually might be from a foreign cyberspy.
"Clinton’s own staff had been targeted with such highly targeted 'spear phishing' emails as early as 2009, the year she took office," Shane Harris writes in the Daily Beast.
Some reformed black hat hackers say it goes without saying that any system -- government or personal -- is vulnerable without multistep ID checks.
"Without these protections, it only takes one successful malware or phishing attack," said Jennifer Emick, a former member of the hacktivist group Anonymous who now works as an independent security researcher. "I wouldn't think it would be easy" to crack a secretary of state's state.gov account, "but a suitably determined intruder isn't going to find the task insurmountable."