— Domani Spero
[twitter-follow screen_name=’Diplopundit’ ]
Just the bit of bad news you don’t need to start your Monday:
Below via WaPo:
The State Department did not seek to publicize that it had been hacked. On Friday, it announced that “maintenance” would be done to the unclassified network during a routine, scheduled outage. But on Sunday, after the Associated Press first reported the breach, officials acknowledged they had found traces of suspicious activity in their system and were updating security in the middle of a scheduled outage. In a sign of how complete the shutdown was, duty officers were using Gmail accounts.
A senior State Department official, who spoke on the condition of anonymity to discuss the breach, also told WaPo that “none of the department’s classified systems were compromised.”
Would State report publicly the classified intrusion if those systems were compromised?
This report follows the confirmation of a hack at the National Oceanic and Atmospheric Administration which reportedly forced cybersecurity teams to seal off data vital to disaster planning, aviation, shipping, etc. this past September, the reported breach of the computer networks of the United States Postal Service, compromising the data of more than 800,000 employees and a breach at the White House. In June this year, the WSJ also reported the breach of computer systems at the Office of Personnel Management, which stores data on federal employees.
An unnamed official told nextgov.com that State is bolstering the security “of its main unclassified network during a scheduled outage of some Internet-linked systems.” The site, nextgov.com says it is “unclear why officials waited until this weekend to disconnect potentially infected systems at State.”
As of this writing, the State Department’s mobile access (go.state.gov) is down with the following notice: “The Department is currently experiencing an ongoing, planned outage to upgrade our network. during this event, mobile access (GO) will be unavialable. We apologize for any inconvenience this may cause you. For questions or more information, please contact the IT Service Center at 202-647-2000.”
We understand that GO will be down until further notice and may need to be rebuilt. A mobile copy is currently live at http://m.state.gov.
* * *
In totally unrelated news, and nothing/nothing whatsoever to do with this reported hack — State/OIG on November 7, published its Audit of Department of State Information Security Program. The report is readable if you don’t mind the redacted parts:
Below is an excerpt:
Information technology security controls are important to protect confidentiality, integrity, and availability of information and information systems. When they are absent or deficient, information becomes vulnerable to compromise.[REDACTED]
Although we acknowledge the Department’s actions to improve its information security program, we continue to find security control deficiencies in multiple information security program areas that were previously reported in FY 2010, FY 2011, FY 2012, and FY 2013. Over this period, we consistently identified similar control deficiencies in more than 100 different systems. As a result, the OIG issued a Management Alert in November 2013 titled “OIG Findings of Significant and Recurring Weaknesses in the Department of State Information System Security Program” that discussed significant and recurring control weaknesses in the Department’s Information System Security Program [REDACTED B(5)]
The FY 2013 FISMA audit report contained 29 recommendations intended to address identified security deficiencies. During this audit, we reviewed corrective actions taken by the Department to address the deficiencies reported in the FY 2013 FISMA report. Based on the actions taken by the Department, OIG closed 4 of 29 recommendations from the FY 2013 report.
We identified control deficiencies in all [Redacted] (b) (5) of the information security program areas used to evaluate the Department’s information security program. Although we recognize that the Department has made progress in the areas of risk management, configuration management, and POA&M since FY 2013, we concluded that the Department is not in compliance with FISMA, OMB, and NIST requirements. Collectively, the control deficiencies we identified during this audit represent a significant deficiency to enterprise-wide security, as defined by OMB Memorandum M-14-04.
Although we found the Department’s Computer Incident Response Team (CIRT) Standard Operating Procedures aligned with NIST SP 800-61, Revision 2,39 procedures do not clearly state all the bureaus, offices, and organizations that require notification prior to closing an incident. As a result, DS/SI/CS did not report all incidents to the U.S. Computer Emergency Readiness Team (US-CERT) as required. Specifically, 1 out of 22 (5 percent) security incidents we tested was not reported to the US-CERT, even though it was a Category 4 incident and involved potential classified spillage. If the Department does not report data spillage incidents (potential or confirmed) to US-CERT within the established timeframes, US-CERT may not be able to help contain the incident and notify appropriate officials within the allotted timeframe.
According to State/OIG, Category 4 incidents are incidents involving improper usage of Department systems or networks (that is, a person that violates acceptable computing use policies).
According to OMB Memorandum M-14-04, a significant deficiency is defined as a weakness in an agency’s overall information systems security program or management control structure, or within one or more information systems that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. via
* * *
Audit of Department of State Information Security Program; Published On: November 07, 2014; Report Date: November 2014; Report Number: AUD-IT-15-17; View Report: aud-it-15-17.pdf