Another Poor Cybersecurity Audit at State Department Draws Scrutiny


Auditors have been reporting weaknesses in IT security controls for over a decade. 

The latest publication in a long line of reports drawing attention to the State Department’s failure to secure its information technology-dependent systems from cyberattacks reflects a general mismanagement of resources.

“Notwithstanding the expenditure of substantial resources by the Department,” reads a report State’s Office of the Inspector General released Wednesday, “the OIG continues to identify significant issues that put its information at risk.”

The report follows a Jan. 14 letter Sen. Mark Warner, D-Va., sent to Secretary of State Mike Pompeo asking what steps he’s taken to address the shortcomings detailed in previous IG reports. Warner put the letter in the context of a “long history of information breaches” at State and recent tensions with Iran.

The senator specifically noted an August OIG report that called attention to the absence of “two senior executive service positions responsible for cybersecurity” due to a hiring freeze, and a 2017 OIG report that stated the chief information officer was “not well placed to be held accountable for State Department Cybersecurity issues.” 

The report out Wednesday reiterated the 2017 findings, noting “lapses in the performance of duties by Information Systems Security Officers persisted in FY 2019” and pointed to overseas posts where problems were more extensive.

In the Office of Foreign Missions, for example, “the lack of a fully implemented systems development lifecycle methodology” meant staff there was using a system that hadn’t been authorized for operation since 2013, the report said.

The report, which was a statement on the department’s “Major Management and Performance Challenges,” referenced the OIG’s 2019 Federal Information Security Management Act report, which identified weaknesses in all eight of the metrics the IG used: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response, and contingency planning.

And an independent auditor's report on State’s consolidated financial statements for fiscal 2018 and 2019, also released Wednesday, said, “We have reported weaknesses in IT security controls as a significant deficiency in each audit since our audit of the Department’s FY 2009 consolidated financial statements.”

The independent audit also found “significant deficiencies” in State’s financial reporting, budgetary accounting and intergovernmental revenue, among other things.