State Says it Needs to Rebuild Classified Computer Networks after Hack

State Department headquarters.

State Department headquarters. J. Scott Applewhite/AP File Photo

State has asked Congress for $10 million to support "the necessary re-architecting of the classified and unclassified networks” at the department

The State Department says it needs to reconstruct its classified computer systems after suffering a hack the agency has said only affected its unclassified networks.

This detail, buried in a 2016 funding request document, combined with State’s failing data protection grades on a recent governmentwide report card, paints a picture of an agency ripe for another attack, security experts say. 

"I assume (and hope) that emails sent between the President and Secretary of State are heavily encrypted and never touch the public Internet," Christopher Soghoian, principal technologist for the American Civil Liberties Union, tweeted Monday.

That might not be the case. Zero percent of State's email was sent via systems configured to encrypt messages -- or code the contents so they are unreadable if intercepted, according the White House's annual report to Congress on agency information security. The messages were all sent in clear text.

It’s unclear what kind of data protections former State Secretary Hillary Clinton had in place when she emailed President Barack Obama from her homemade email system.

State has asked Congress for $10 million to support "the necessary re-architecting of the classified and unclassified networks” at the department, according to current Secretary of State John Kerry's budget justification. The budget request also proposes spending $17.3 million on "architecture services." The overhaul will establish new security controls and help reduce "known security vulnerabilities." 

One weakness in all department systems is the absence of two-step identity verification, according to the cyber score-sheet. Under a 2004 presidential directive, all agency login screens must require users to enter passwords and a second credential, like a smart card, for access. The 2016 budget states State is aiming to establish the two-step process by 2018.

On Tuesday, State declined to comment on the extent of the reconstruction of its classified and unclassified  information technology systems.

Coming enhancements “will add additional protections and provide IT modernization to meet industry best practices,” a department official said in an email. State is remodeling the classified networks now because the agency “continually looks for ways of modernizing our infrastructure to better protect its data,” the official said. 

"I think that it’s fair to say that State doesn’t have reliable security practices, if it was at zero percent” for encryption and two-factor identification, said David Brumley, a Carnegie Mellon University computer engineering professor.  

"A lot of the times when things are compromised, it’s not because there wasn’t already a technology solution out there -- it was because there weren't enough people to support the technical solution" or teach employees to follow security rules in a way that doesn't interrupt their jobs, he added. "My guess is that that is where a lot of the money is going.”

State also plans to install more barriers between business-sensitive data and other types of information, so hackers who prop open the door to one system can't push their way into higher-value systems. The $10 million in part would go toward completing "a private cloud infrastructure" designed to create secure enclaves that would add "perimeters around business critical applications and data," the justification states. 

The Doomsday Scenario

One of the stumbling blocks in trying to recover from a network attack is trust. What hardware and software is safe? Uncertainty about the presence of malware in devices makes organizations consider rebuilding from top to bottom, which is "the doomsday scenario," said John Dickson, an information security analyst and former U.S. Air Force intelligence officer. 

"What we understand happened at Sony is they ended up just starting over, with getting new servers and new devices because they simply could not trust the hardware that they had at a certain point," said Dickson, comparing State’s 2016 budget explanation to a breach at the entertainment giant that aired Hollywood's dirty laundry and sensitive personal information on employees. 

As previously reported, State replaced some 30,000 keychain login fobs after the penetration of its unclassified email system last fall, which happened at the same time the White House was hacked. It’s uncertain what the original or replacement credentials grant access to.

Some computer science experts say the IT do-over reflects a realization that State’s past security investments might not be enough to prevent another intrusion. 

"It may very well be the case that there are some things that they don’t trust anymore because they are compromised and they want to replace them, but my guess is that they have just devoted insufficient funds to protection previously, because it was compromised," said Brumley, who also heads cyber startup ForAllSecure. "A lot of the security expense is in the people and the training. If they already have bad practices and grades, you know, getting rid of those."

Purchasing new devices is not that costly, but arranging the proper technical support so people actually use it is, he said. 

The Fake “KerryJF@state.gov

Right now, State is incapable of "digitally signing" outgoing email to citizens and colleagues, the cyber score sheet found.

This means anyone might be able to "spoof," or copy, an official "@state.gov" email address to fool people into thinking they are being contacted by a legitimate high-ranking official.

In theory, an email purportedly from Kerry at "KerryJF@state.gov” that asks a staffer to send him an internal PowerPoint presentation on Iran actually might be from a foreign cyberspy.

"Clinton’s own staff had been targeted with such highly targeted 'spear phishing' emails as early as 2009, the year she took office," Shane Harris writes in the Daily Beast

Some reformed black hat hackers say it goes without saying that any system -- government or personal -- is vulnerable without multistep ID checks.

 "Without these protections, it only takes one successful malware or phishing attack," said Jennifer Emick, a former member of the hacktivist group Anonymous who now works as an independent security researcher. "I wouldn't think it would be easy" to crack a secretary of state's state.gov account, "but a suitably determined intruder isn't going to find the task insurmountable."

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.