State Department shamed for poor adoption of multi-factor authentication

Senators demand answers after government report finds that only 11 percent of the Department of State's devices use multi-factor authentication.

Five US senators have sent a letter to Secretary of State Mike Pompeo asking why the State Department has not widely deployed basic cyber-security protections, such as multi-factor authentication (MFA).

The letter was sent yesterday and was signed by senators Ron Wyden [D-Ore], Cory Gardner [R-Colo], Ed Markey [D-Mass], Rand Paul [R-Ky], and Jeanne Shaheen [D-N.H.].

The five senators cite two recent governmental reports in their letter, both of which pinpoint serious issues with the State Department's implementation of cyber-security best practices.

The first of these is a 2018 General Services Administration (GSA) assessment of the Department of State's cyber-security practices.

The GSA said that only 11 percent of high-value devices deployed by the Department of State had multi-factor authentication enabled, meaning the rest were protected only by passwords, with no second factor such as SMS tokens, security keys, or biometrics.

The report found the Department of State in breach of the Federal Cybersecurity Enhancement Act, which requires all Executive Branch agencies to enable MFA for all accounts with elevated privileges.

"We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA," the five senators wrote in the joint letter.

The senators also cited a report by the Department of State's Inspector General (IG), which found last year that 33 percent of US diplomatic missions failed to conduct even the most basic cyber threat management practices, like regular cyber-security reviews and audits.

The bipartisan group is now looking for answers from Secretary of State Pompeo, and gave his office until October 12 to answer three questions:

  • What actions has the Department of State taken in response to the designation of the Department of State's cyber readiness as "high risk"?
  • What actions has the Department of State taken to rectify the near total absence of multifactor authentication systems for accounts with elevated privileges accessing the agency's network, as required by federal law?
  • Please provide us with statistics, for each of the past three years, detailing the number of cyber attacks against Department of State systems located abroad. Please include statistics about both successful and attempted attacks.
