Securing State from Cyber Attack

Security experts criticize little-known State Department IG report

March 11, 2013

Cyber security experts criticized a recent, little-known report by the State Department's inspector general on the department’s information security program, warning the report fails to test major vulnerabilities within the system.

The report, released in December 2012, "identified control weaknesses that significantly impact the information security program. If these control weaknesses were exploited, the department could experience security breaches."

The report listed vulnerable security protection for UNIX, the State Department’s basic operating system, as well as a poor ability to monitor firewalls in iPost, a system that lets State Department officials "monitor network, computer, and application resources and check for potential problems"

However, cyber security experts said the inspector general report does not address or test the major threats to cyber security.

"I don’t know if they are even aware of the problem," said James Lewis, senior fellow at the Center for Strategic International Studies (CSIS).

Lewis cited a report by the Australian government after Chinese hackers took over email accounts of senior government officials. They found 35 components that reduced risk and effectively blocked hacking capabilities.

Of those 35, the Australian government cited four areas in particular as the major components for reducing hacking risk: Whitelisting, patching operating systems, patching applications, and restricting administrator privileges.

Whitelisting, which allows only approved software to be used and does not allow users to download inappropriate programs, is the most vital component to protecting security, Lewis said. Patching is an update either to the operating system or to an application that fixes problems.

The inspector general report tested only the patching of operating systems in the State Department, failing to test the other major components.

However, some cybersecurity experts said the State Department has been unduly criticized by the IG report and that the IG would be better off testing different aspects of security.

"[The IG] has been measuring things that are easy to measure," SANS Institute director of research Alan Paller told the Free Beacon. Paller said that sources within the State Department have told security experts they are working on solving the whitelisting problem. As a result, he believes the inspector general report to be misleading and painting a picture that is too bleak.

Paller said that patching of applications, the only security measure recommended by Lewis on which the State Department focused, was the least important of the four. The other three measures—whitelisting, operations system patching, and restricting administrator privileges—needed to be tested to provide an accurate assessment of the security of the system.

An official with the inspector general disputed its office was focused on the wrong problems.

"I can put 30 experts in the room and get 60 different opinions," an official at the inspector general office told the Free Beacon. The official said that whitelisting was not tested because it was not part of the methodology used by the National Institute of Standards and Technology (NIST) in its audits.

The NIST requirements are not reflective of the real threats, Paller said. He criticized the IG for arbitrarily picking certain aspects from NIST while ignoring the real issue.

The report comes amidst increased concerns about Chinese hackers targeting specific business and government departments as well as a soft stance by the president on cyber security.