Several US Senators queried Secretary of State Mike Pompeo in a letter earlier this week on why mandated cyber-security reforms, including the rollout of multifactor authentication (MFA), had not been implemented.
Sens. Cory Gardner, R-Colo.; Ron Wyden, D-Ore.; Ed Markey, D-Mass.; Jeanne Shaheen, D-N.H.; and Rand Paul, R-Ky. expressed their concern over a General Services Administration report indicating that enhanced access controls have been deployed to only 11 percent of the required State Department devices, despite the passage of the Federal Cybersecurity Enhancement Act, which requires MFA for all State accounts with elevated privileges. Additionally, the Senators expressed their dismay that 33 percent of US diplomatic missions failed to conduct any cyber-security audits or reviews.
"We are sure you will agree on the need to protect American diplomacy from cyber-attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA," the letter states.
The Senators requested that the State Department explain what actions it has taken to improve cyber-security, along with a list of any cyber-attacks that have taken place against the agency in the last three years.
Elected officials were not the only people upset that a major federal agency has not kept current with its security. Anupam Sahai, Cavirin's VP of product management, noted that the government issues excellent cyber-security advice to others, which makes this failing hard to swallow.
"The US government, through NIST, has done a great job of providing best practice guidance to enterprises via the Cybersecurity Framework and other documents. However, it is sad that they are not as widely adopted across the different agencies," he said.
Steve Durbin, managing director of the Information Security Forum, said enabling MFA is essentially a cyber-security 101 task that any organisation dealing in secure information would have implemented. "You would suppose that anyone handling sensitive data would have enabled multi-factor authentication as one of their rudimentary security protocols. It’s imperative that all types of organisations ensure they have robust standard security measures in place. This requires more diligence and organisation-wide discipline than simply throwing money at the latest, glorified software solution," he said.