If you regularly engage with the internet in any kind of meaningful way, odds are you’ve either set up, or felt guilty about not setting up, multi-factor authentication. While MFA is far from foolproof (especially via text message), it’s an easy and accessible way for almost anyone to protect their online accounts from unauthorized access. Given all this, you’d probably imagine that the U.S. State Department would have put in place rigorous levels of security far greater than those of the average person — and would definitely use some form of MFA.
Well, you’d be wrong.
Even after hordes of confirmed reports of online foreign hacking targeting government computers (many of which required the tech sophistication level of a tween), the U.S. State Department still can’t get its employees to use MFA. Earlier this week, a bipartisan group of U.S. Senators, including Oregon Democrat Ron Wyden and Kentucky Republican Rand Paul, sent a letter deriding Secretary of State Mike Pompeo for the State Department’s failure to implement and review basic cybersecurity protocols.
“We write in response to reports from federal auditors that the Department of State is failing to meet federal cybersecurity standards,” the letter reads. “For much of the Internet’s history, users have been prompted to enter passwords to access their emails and other online accounts. This passwords-only approach is no longer sufficient to protect sensitive information from sophisticated phishing attempts and other forms of credential theft.”
The word sophisticated might be giving the government undue credit. While more advanced phishing methods do exist, governments and officials are still getting owned by low-tech phishing attacks. When a group of Russian-linked hackers fooled then–Clinton campaign chair John Podesta into handing over his password, they did so with nothing more than a basic email containing a malicious Bitly URL under the subject line “Someone has your password.”
The campaign’s own computer help desk reportedly believed the message was real.
That was over two years ago, and despite numerous calls for reform and the passage of legislation mandating said reform, agencies throughout the government continue to fall flat. According to the senators’ letter, only 11 percent of State Department devices met sufficient cybersecurity standards.
Though this letter singles out the State Department specifically, this lack of security reaches across all levels of government. An investigation conducted earlier this year by the Office of Management and Budget labeled nearly three-quarters of all federal agencies’ cybersecurity programs as “at risk” or “high risk.” In addition to being unprepared to deal with cyberattacks, the report described an environment where the government is strapped for basic resources.
“The risk assessments show that the lack of threat information results in ineffective allocations of agencies’ limited cyber resources,” the report reads. According to that same report, over a third of all attacks against the government go completely unidentified.
In past reports, the government has fared worse than nearly every other major industry in terms of cyber hygiene. These statistics come despite numerous proposals meant to bolster the nation’s cybersecurity. Government employees, for instance, can no longer use products from Russian cybersecurity firm Kaspersky Lab due to fears of Kremlin spying. With a stroke of his pen, President Trump also banned the use of Huawei and ZTE devices by government officials because of alleged threats to national security. The U.S. has even begun reevaluating its traditionally strict threshold for launching its own cyberattacks as a deterrent to future cyberattacks.
Recent measures like these opt for the appearance of strength over actual improvements. While the government calls out its adversaries for hacking attempts and threatens to respond with force, sensitive information continues to flow out by means of simple phishing attacks and poor security measures. Mind-boggling malware and undercover espionage make for compelling stories, but the vast majority of breaches and attacks still originate from stolen passwords. While not perfect, simple fixes like MFA and training employees to detect phishing work well against exactly this kind of threat.
President Trump promised to improve national cybersecurity by his 90th day in office, yet issues still abound. (In fact, the president has actually removed key cyber advisers from the National Security Council.) Meanwhile, outside threats refuse to relent. Political pundits and cybersecurity researchers are sounding off about a potential 2016 repeat at this year’s midterm elections. Microsoft already removed six Russian websites allegedly conducting phishing attacks against U.S. politicians, and 11-year-olds possess the capability to hack election systems.