State Says It Mistakenly Gave Itself an F on Email Security

Cybersecurity at the State Department might not be as dire as an email shutdown last week and failing grades on a White House report card lead one to believe.

A buggy scoring system and self-reporting mistakes are partly to blame for State earning "0" marks on email encryption, for at least two years, according to State and a federal cyber contractor.

Still, it's not comforting that an annual report -- which the public and lawmakers rely on for information about government computer security compliance -- is flawed.

The flub was revealed after Nextgov inquired whether State really flunked the email encryption part of the annual cybersecurity test. An agency official responded that "the department misreported the initial statistics." 

The 2015 Federal Information Security Management Act report to Congress erroneously gave State no points in at least a couple of categories, according to the department.

It's unclear whether CyberScope, a federal system that automates reporting, is to blame or whether human beings at State misinterpreted the question and thus underreported their capabilities. In other words, it is possible personnel thought the FISMA security benchmark was set higher than the actual requirements.

State has made no mention of trying to correct the record. And the White House declined to comment on the discrepancy.

The FISMA compliance survey directed all agencies to answer the following question: How much of your "email traffic" is on systems "that have FIPS 140-2" standard encryption, meaning content in transit is impervious to eavesdroppers?

State officials replied -- in both this year's report and last year's report -- that their machines have "no ability to use FIPS 140-2 encryption when sending messages." The results for 2014, released a few weeks ago, also inaccurately reported that systems "have no capability to digitally sign email," or prevent impostors from sending out fake State.gov emails, according to State.

The agency official said unclassified emails are sent "via encrypted circuits" to overseas posts, other agencies and between various departmental facilities.

Messages to citizens go out through commercial email programs, "using standard industry practices," the official said. In addition, all desktops are equipped with software that allows State employees to encrypt and digitally sign emails.

"FIPS 140-2" standard encryption has been used since 2008, the official said.

These missteps follow two incidents that have pushed State's cybersecurity posture into the spotlight.

A fall 2014 data breach prompted the department to disconnect unclassified email for about five days total this year, while attempting to debug systems. In addition, former Secretary of State Hillary Clinton’s choice to use a homemade email system has brought on a storm of questions about security and withholding public records.

Some security experts familiar with the department's business investments assure State's encryption level is not at zero and say all agencies should be given credit for attempting transparency.

"Do I buy the human-error argument? I kind of do," said Ron Gula, chief executive officer of Tenable Network Security, which sells CyberScope-compatible tools for monitoring networks. "If you’re working at the Department of State, I don’t think you get to write in the answers for the independent White House report on the agencies. You have to have some separation of duties. I think these things happen."

He suspects the problem was that State's CyberScope technologies do not test for email encryption.

Then again, information technology employees might have thought the rules were more stringent than what State has in place. If the goof was caused by the belief that the whole email system must be encrypted, including the device, email client and communications line, that doesn't necessarily mean State's security is inadequate, Gula said.

"I’m not so sure that that’s a huge problem," said Gula, a former National Security Agency researcher. "It would be very easy for somebody to point out, 'Oh, 100 percent encryption even for data at rest should be mandatory for somebody like the State Department,' but it's difficult to prove that any system is 100 percent encrypted."

However, unencrypted software on the device could let an outsider who fraudulently logs on to a machine read State information in plain text.

The government is pioneering the practice of being open about adequate -- as well as inadequate -- computer security rankings.

The mishap demonstrates “it’s difficult to automate security, and to have one scorecard that everybody agrees on to measure security," Gula said.

(Image via Mark Van Scyoc/ Shutterstock.com)