Watchdog: Hiring freeze increased cyber risk at State

An extended hiring freeze at the Department of State delayed key cybersecurity initiatives and placed highly classified information at risk according to a watchdog report.

The State Department elected to extend the governmentwide civilian hiring freeze, launched at the start of the Trump Administration for more than a year after the White House announced its end in April, 2017. According to a new report from the State Department Office of Inspector General, the freeze not only had a highly debilitating effect on employee morale but also put the agency's IT systems – including classified systems – at increased risk

The Bureau of Information Resource Management told the IG that the hiring freeze led to the delay of information assurance reviews, delayed the launch of an encryption initiative and pushed back the start date of planned identity management system by 18 months.

The report states that IRM was unable to fill two senior cybersecurity positions with Senior Executive Service members, delaying the launch of an enterprise risk management program covering IT systems.

The impact wasn't limited to IRM. The Bureau of Diplomatic Security reported that the hiring freeze limited its ability to respond to "malicious cyber activity targeting department personnel and information assets." Additionally, penetration testing of State Department networks was delayed as we a program to integrate cybersecurity into network support.

Two departments that were not named in the report also reported serious problems relating to the freeze. One department was unable to hire an Information Systems Security Officer for the entire 17 months of the freeze. Another department with TS/SCI systems reported that "that extended vacancies in its information security positions placed at risk highly classified information."

Tech security at State has seen more than its share of problems over the years. The agency's Consular Consolidated Database, which holds hundreds of millions of passport and visa records, has been alleged to have security flaws in the past. In November 2014, the department shut down its non-classified email system in an effort to root out hackers and it's possible penetration continued for months afterward.

According to an OIG survey, 56.75% of IRM employees characterized the hiring freeze as having a very negative or somewhat negative impact on operations. No one said the freeze had a positive impact. For overall operations, 94.6% of respondents said the freeze had a negative impact on operations and 0% had a positive response.

The hiring freeze continued to take a toll long after being lifted in May 2018, according to the report. The Bureau of Human Resources estimated in December 2018 that it would be two years before civil service vacancies arising from the freeze would be filled.