Posted: 2:10 am EDT
[twitter-follow screen_name=’Diplopundit’ ]
AP Exclusive: Under Clinton, years of poor network security at State Department predated hack linked to Russia: http://t.co/8HD6ntLnQ1
— The Associated Press (@AP) October 19, 2015
Via the AP:
Clinton approved significant increases in the State Department’ information technology budgets while she was secretary, but senior State Department officials say she did not spend much time on the department’s cyber vulnerabilities. Her emails show she was aware of State’s technological shortcomings, but was focused more on diplomacy.
Emails released by the State Department from her private server show Clinton and her top aides viewed the department’s information technology systems as substandard and worked to avoid them.
The report does not include specific details on the “significant increases” in the IT budget. Where did it go? Why did the Clinton senior staff suffer through the State Department’s antiquated technology without any fixes?
In contrast, here is Colin Powell’s Wired Diplomatic Corps:
Another disturbing aspect of State Department life prior to 2001 was the poor condition of its information technology (IT). Independent commissions warned the organization’s computer networks were “perilously close to the point of system failure” and “the weakest in the U.S. government.” Inadequate funding, concerns over IT security, and simple bureaucratic inertia were all contributing factors. Powell came to an institution in which his employees relied on an antiquated cable messaging system, slow, outdated computers and as many as three separate networks to do their daily work. At several posts diplomats did not enjoy full access to the Internet or the department’s classified network. Such realities were troubling for a new secretary of state, who had served on American Online’s board of directors and considered Internet access an indispensable resource in his own daily life. Powell believed effective twenty-first diplomacy necessitated a modern communications system at State and made its establishment a top priority.
As with embassy construction and security, Powell successfully garnered the financial resources to make substantial quantitative and qualitative improvements in the organization’s information technology. For instance, a secure unclassified computer network with full Internet access was extended to 43,500 desktops during his tenure, making the State Department a fully wired bureaucracy for the first time in its history. This goal was reached in May 2003, under budget and ahead of schedule. Shortly thereafter a modernized classified network was installed at 224 embassies and consulates — every post that the Bureau of Diplomatic Security deemed eligible for such technology. In addition, a Global IT Modernization (GIT-M) program was launched to ensure that all computer hardware is kept state-of-the-art through an aggressive, four-year replacement cycle. Other changes equipped the institution with cutting-edge mainframes, updated secure telephones, and wireless emergency communication systems. Most recently, the State Department began under Powell’s leadership to replace its decades old cable and e-mail systems with one modern, secure, and fully integrated messaging and retrieval system.
These impressive technological changes were complemented by the creation of a new 10-person office for e-Diplomacy in 2002. The unit was established to support State’s information revolution by finding ways to increase organizational efficiency through information technology, making the newly installed systems user-friendly, and continuing to identify new ways to send, store and access information. Furthermore, IT security was enhanced considerably. One department report indicated that by August 2004, 90.4 percent of State’s operational systems had been fully authorized and certified, earning the department OMB’s highest rating for IT improvement under the President’s Management Agenda (PMA). In part, achievements of this type were facilitated through Powell’s hiring of 530 new IT specialists (while controlling for attrition). Through an aggressive recruitment and retention program based on incentives and bonuses, the department’s vacancy rate for such positions, which was “over 30 percent five years ago, [was] essentially eliminated.” As with congressional relations and embassy construction and security, State’s information technology was enhanced significantly under Powell’s leadership.
Read in full here via American Diplomacy — The Other Side of Powell’s Record by Christopher Jones.
So, among the more recent secretaries of state, one stayed home more than most. Secretary Powell knew the IT systems were substandard and he went about making the fixes a priority; he did not hand it off to “H” to lobby Congress or simply talked about the State Department’s “woeful state of civilian technology.”
Below is a clip from OIG Steve Linick’s Management Alert for recurring information system weaknesses spanning FY2011-FY2013. The actual FISMA reports do not seem to be publicly available at this time:
The FISMA audit dated October 2014 says:
[T]he Chief Information Security Officer stated that the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA), received a budget of $14 million in FY 2014, an increase from $7 million in FY 2013.6 A majority of the budget was used for contractor support to improve FISMA compliance efforts.
We identified control deficiencies in all [Redacted] (b) (5) of the information security program areas used to evaluate the Department’s information security program. Although we recognize that the Department has made progress in the areas of risk management, configuration management, and POA&M since FY 2013, we concluded that the Department is not in compliance with FISMA, OMB, and NIST requirements. Collectively, the control deficiencies we identified during this audit represent a significant deficiency to enterprise-wide security, as defined by OMB Memorandum M-14-04.
We have been unable to find the FISMA reports during all of Rice, Clinton and Kerry tenures. We’ll keep looking.
- Audit of Department of State Information Security Program November 07, 2014
- Management Alert – OIG Findings of Significant, Recurring Weaknesses in Dept of State Info System Security Program January 16, 2014
- Review of the Information Security Program at the Department of State FISMA Oct 2008, July 30, 2010
- Review of the Information Security Program at the Department of State FISMA Sept 04, July 30, 2010
- Review of the Information Security Program at the Department of State FISMA (Sept 05) June 19, 2009