State Department is failing at basic cybersecurity standards, senators say

The agency was told to adopt basic cybersecurity measures. Less than 11 percent of its devices actually did.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

The US State Department is not using multifactor authentication, according to a group of five senators.


Senators want to know why the State Department isn't using basic cybersecurity protections. 

In a letter sent to Secretary of State Mike Pompeo on Tuesday, a bipartisan group of five senators called out the department's poor cybersecurity practices. 

The agency was required to adopt multifactor authentication for all accounts with "elevated privileges" as part of the Federal Cybersecurity Enhancement Act. An inspection found that only 11 percent of required agency devices actually enabled it, according to the letter. 

The State Department has received the letter and is carefully reviewing it, a spokesperson said.

Cybersecurity has become a major concern for government officials as nation-state hackers from countries like North Korea, Russia and Iran set their sights on the US for espionage and cyberattacks. These hacks, which have infiltrated power grids and routers, give spies an opening for future attacks. As these cyberattacks are often politically motivated, it's alarming to the group of senators that the State Department isn't meeting federal cybersecurity standards.


In another investigation, the Department of State's inspector general found that security experts were able to exploit vulnerabilities in the agency's email accounts, as well as its applications and operating systems.  

The senators noted that a simple password isn't enough to protect State Department email accounts anymore. Multifactor authentication is a simple security measure that requires two forms of verification -- like a password and a PIN code, for example -- to gain access to an account. Even if hackers steal your password, it'll be harder to hijack an account.

"We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA," the letter says.

The letter was signed by Sen. Ron Wyden, a Democrat from Oregon; Sen. Cory Gardner, a Republican from Colorado; Sen. Ed Markey, a Democrat from Massachusetts; Sen. Rand Paul, a Republican from Kentucky; and Sen. Jeanne Shaheen, a Democrat from New Hampshire.

They're seeking answers from Pompeo on these points, with a deadline of Oct. 12:

  1. What actions has the Department of State taken in response to the Office of Management and Budget's designation of the Department of State's cyber readiness as "high risk"?
  2. What actions has the department taken to rectify the near total absence of multifactor authentication systems for accounts with elevated privileges accessing the agency's network, as required by federal law?
  3. Provide statistics, for each of the past three years, detailing the number of cyberattacks against Department of State systems located abroad and including statistics about both successful and attempted attacks.

Originally published Sept. 12, 7:35 a.m. PT.
Update, 12:13 p.m. PT: To include response from the State Department.
