Specifically, the GAO is examining whether the security of the State Department’s information technology systems meet federal requirements and how State manages and responds to cybersecurity threats.
Vijay D’Souza, the GAO’s director for Information Technology and Cybersecurity, confirmed to POLITICO that the GAO “has a review underway of State Department cybersecurity practices under the request of the Senate Foreign Affairs Committee.” He added that last week’s letter to the State Department “was part of our standard request for documents,” and that GAO is “tentatively planning to issue a report toward the end of this year.”
Around the time GAO launched its probe, suspected Russian hackers had been rummaging around State Department email servers and managed to steal thousands of emails from the department’s Bureau of European and Eurasian Affairs and Bureau of East Asian and Pacific Affairs, as POLITICO reported.
The hacking campaign was at least the third known Kremlin-backed breach on the department’s email server in under a decade. Russian hackers also managed to penetrate State Department networks in 2014 and 2015. The then-National Security Agency deputy director said officials there engaged in “hand-to-hand combat” to secure State’s emails in 2014.
Experts also fear the Covid-19 pandemic has exacerbated the cybersecurity risk because many federal employees have been working remotely, on less secure systems, since last year.
The recent State Department email thefts occurred simultaneous to the infamous SolarWinds attack — a wide-reaching espionage campaign by suspected state-sponsored Russian hackers that targeted federal and private entities via a vulnerability in a commonly used computer software.
The State Department has said it “takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected.” And in one response sent to the GAO late last month, enclosed in the March 30 letter, the department pointed out that its Inspector General, a position currently held in an acting capacity by Diana Shaw, “conducts a yearly audit of the Department’s cybersecurity program” and that State uses a framework developed by the National Institute of Standards and Technology to protect its infrastructure.
But the GAO letter says it still needs key documents from the department “to understand the department’s IT systems and networks and analyze their implementation.”
“The information also is needed to determine, among other things, the capability of the systems and networks to monitor, identify, discover, and respond to cybersecurity events and incidents,” the officials wrote.
State has resisted handing over some materials, according to the letter, arguing they are outside of GAO’s scope. “The Department is aware of the recent GAO request and is working to respond,” said a State Department spokesperson.
GAO has given State a deadline of April 9 to hand over nearly 50 outstanding documents, including complete inventory lists of all software and hardware assets used domestically and at U.S. embassies and other posts, an inventory list of “all applications/data that have been migrated to the cloud environment,” and a list of all incidents reported by State to the Department of Homeland Security’s Computer Emergency Readiness Team in 2019, 2020, and 2021.
The most recent document request was sent on March 12, for a copy of the last three cybersecurity daily briefs received by the department’s Chief Information Officer.