Specifically, the GAO is examining whether the security of the State Department’s computer systems meets federal requirements and how State manages and responds to cybersecurity threats.
Vijay D’Souza, director of information technology and cybersecurity at GAO, confirmed to POLITICO that GAO “has an ongoing review of the Department of State’s cybersecurity practices at the request of the Senate Foreign Affairs committee.” He added that last week’s letter to the State Department “was part of our standard request for documents” and that the GAO “tentatively planned to release a report later this year.”
Around the time the GAO launched its investigation, suspected Russian hackers searched the State Department’s mail servers and managed to steal thousands of emails from the department’s European and Eurasian affairs office and East Asian and Pacific affairs office, as reported by POLITICO.
The hacking campaign was at least the third known Kremlin-backed breach of the department’s mail server in less than a decade. Russian hackers also succeeded in penetrating State Department networks in 2014 and 2015. The deputy director of the National Security Agency at the time said officials were engaged in a “hand-to-hand fight” to secure State’s emails in 2014.
Experts are also concerned that the Covid-19 pandemic has exacerbated the cybersecurity risk as many federal employees have been working remotely, on less secure systems, since last year.
Recent State Department email thefts occurred concurrently with the infamous SolarWinds attack – a massive spy campaign by suspected state-sponsored Russian hackers that targeted federal and private entities via a vulnerability in commonly used computer software.
The State Department said it “takes seriously its responsibility to protect its information and continually takes steps to ensure that information is protected.” And in a response to GAO late last month, attached to the March 30 letter, the department noted that its Inspector General, a position currently held on an interim basis by Diana Shaw, “conducts an annual audit of the department’s cybersecurity program” and that State is using a framework developed by the National Institute of Standards and Technology to protect its infrastructure.
But the letter from GAO says it still needs key documents from the department “to understand the department’s computer systems and networks and analyze their implementation.”
“The information is also needed to determine, among other things, the ability of systems and networks to monitor, identify, discover and respond to cybersecurity events and incidents,” the officials wrote.
State has resisted handing over some documents, the letter said, arguing that they fall outside the scope of GAO. “The Department is aware of the recent GAO request and is working to meet it,” a State Department spokesperson said.
The GAO has given State an April 9 deadline to hand over nearly 50 pending documents, including complete inventory lists of all software and hardware assets in use across the country and at U.S. embassies and other posts, an inventory list of “all applications / data that has been migrated to the cloud environment”, and a list of all incidents reported by State to the Department of Homeland Security’s IT emergency preparedness team in 2019, 2020 and 2021.
The most recent document request was sent on March 12, for a copy of the last three daily cybersecurity briefs received by the department’s chief information officer.