By George Russell, ,
Published December 20, 2015
EXCLUSIVE: More than three years after U.S. Army Pvt. Bradley Manning handed over hundreds of thousands of sensitive State Department cables to WikiLeaks, the department’s inspector general has warned in stark terms that State has done little since 2010 to fix an info-tech system that is riddled with security gaps, and has no plan yet for how to fix it.
At risk, the IG says, is not only “classified information vital to the preservation of national security in high-risk environments across the globe,” but the personal information on file concerning about 192 million American passport-holders.
The public version of the inspector general’s accusations -- contained in an unprecedented “management alert” to State’s top officials and in the managerial responses to the alert -- have been heavily redacted for security reasons.
The alert was circulated in the State Department bureaucracy in November. After a back-and-forth process between department managers and the IG’s office, it became accessible to outsiders in mid-January.
The problems it describes, however, have been festering far longer than that. Among other things, the alert says that:
-- between 2011 and 2013 alone, six lengthy and detailed reports on information security (five by State’s inspector general’s office, and one by the Government Accountability Office) have found “recurring weaknesses” in a wide variety of cyber-security issues, including how State hands out and keeps track of passwords; certifies whether information systems are authorized to operate securely; protects its hardware, files and operating systems from hackers or other unauthorized users; and how it scans its systems to detect wayward patterns of behavior.
--In most cases, despite repeated warnings, State Department bureaucrats have not formally reported the shortcomings to other federal agencies, including Homeland Security, though the inspector general argues it is obligated to do so.
--Nor, the watchdog says, has the department “remediated the identified vulnerabilities and risks.” Translation: it hasn’t done anywhere near enough to fix things, and, in some cases, nothing at all.
--One reason is that portions of the bureaucracy that are specifically tasked with handling information security issues have already been identified by the inspector general’s office as part of the problem. Among other things, the alert references a previous IG report on the Bureau of Information Resource Management (IRM), a section of the State Department, where, the alert delicately says, it “identified a number of conditions that required management’s attention.”
In fact, that report, published last July, described an agency in shambles, whose members often were simply no-shows at inter-departmental meetings, and can’t even keep track of budget receipts. Much of its work was being done, the report said, by outside contractors, including work that should only be done by government employees.
The current alert also observes that as of last August, IRM had an improbable total of 6,369 system administrators, with clearance to “collaboratively manage and troubleshoot issues” across the State Department “network wide.” The report notes that Edward Snowden, the National Security Agency employee whose theft of a huge trove of security-related documents is still reverberating across the intelligence world, was similarly a contracted systems administrator.
As a further issue for concern, in a heavily censored section of the alert, the alert makes reference to 36 individuals with access to unspecified areas of IT who didn’t have appropriate security clearances for the work.
In essence, the alert is a higher decibel repeat of the central concern of the six previous reports it documents: plenty of the most important problems in the State Department’s IT systems have been known for years, and not much has been done about them. In 2012, for example, the inspector general found that 14 conditions it had identified as problematic in a report the previous year on State’s information security had gone uncorrected. In 2013, the number of uncorrected “findings” had risen to 20.
Indeed, the lack of enough movement on critical security issues is the main reason for the use of the unprecedented “management alert,” according to officials in the inspector general’s office, who described the document as a “new product.” It is also the product of new Inspector General Steve Linick, who was appointed to the job last September.
A one-time federal prosecutor, Linick is the first IG since 2008 to hold the job on something other than an acting basis, and the management alert seems clearly intended to show the State Department bureaucracy that there is a new sheriff in town.
Or, as one official in the inspector general’s office told Fox News, “One of the purposes of the alert is to ensure that individuals at the highest levels of management are aware of the problems.”
In one sense, the stratagem has worked. In his response to the alert, James Millette, head of State’s ungainly-titled Management Control Steering Committee, declared that the bureaucracy is already preparing a “corrective action plan” that is one of the inspector general’s main recommendations.
A State Department official told Fox News that a due date for the document is January 31; a draft of the plan began circulating in December.
Whether the “corrective action plan” will get to the entire root of the matter is still an open question. Millette’s response to the “management alert” says that it will be agreed to by members of his committee, but only presented to the inspector general for “comment.”
Moreover, the committee is pushing back hard against two IG recommendations. The first is that the deficiencies in State Department IT operations be labeled a “material weakness” a designation that would require the problems to be formally communicated to the Department of Homeland Security -- something that the IG’s office has urged at least twice before, without success.
Instead, State’s managers “respectfully disagree on the level of severity that these weaknesses collectively represent,” as Millette put it in his formal reply to the IG alert. They continue to insist that the problems are only a “significant deficiency,” meaning that their resolution -- and exposure -- stays within the department itself.
The bureaucracy also is pushing back against another IG recommendation, that “penetration tests” of the suspect information security systems be carried out by the National Security Agency -- which has had penetration problems of its own -- rather than State’s own security department.
The department’s top managers would prefer the in-house solution, but the inspector general argues that the issue is not whether State Department security personnel can carry out the tests, but “its independence and perceived independence.”
The two sides are apparently still discussing whether a third party of some kind might be able to carry out the testing.
So far as the overall management alert is concerned, a State Department spokesman “respectfully declined” a request from Fox News for an interview on the subject, and instead provided a written statement.
It announced the preparation of the “corrective action plan” and declared, “The Department takes its oversight of our Information System Security Program very seriously and values the cooperative input from the Office of the Inspector General into this critical program.”
George Russell is editor-at-large of Fox News and can be found on Twitter @GeorgeRussell