US State Department lacks any cyber-security whatsoever – report
Access classified data without authorization, use your account after you’ve been fired, or anonymously request a new account for an Afghan friend – these are just some of the features available in State Department’s SMART system, BuzzFeed reports.
In the wake of the Manning and Snowden classified US intelligence
leaks, internal documents obtained by BuzzFeed reveal that the US
State Departments’ security systems are vulnerable if not
providing open access to classified information.
The breaches in security, horrifying to any IT expert, are reported in the State Messaging and Archival Toolset (SMART) – a cable and messaging system which is based on MS Outlook. The SMART operates with working emails and cables, stored both in classified (ClassNet) and unclassified (OpenNet) enclaves.
SMART was initially created for improving information sharing after the 9/11 attacks. The internal messaging application has been built and maintained by a team of State Department employees and IT contractors under the $2.5 billion Vanguard contract.
It became fully operational in September 2008 under US State Secretary Hillary Clinton. However, it turns out the system never complied with all the requirements of the Federal Information Security Management Act and the National Institute of Standards and Technology requirements, according to a 2010 Office of Inspector General (OIG) report.
Failing to provide enough cyber protection, the system regularly received failing or below-failing grades from its internal monitoring system, according to documents obtained by BuzzFeed.
The SMART’s monitoring system, deployed for the purpose of determining whether there has been unauthorized access or modification of files, frequently fails to perform any of that, the report said. And with an existing backdoor between the classified and non-classified enclaves, state secrets can be accessed by a user without proper clearance, even unintentionally, BuzzFeed writes.
Access restriction is in fact one of the biggest problems with SMART, it’s well-known but nobody is willing to fix.
According to the report, in 2012 three SMART accounts were created for users in Kabul, Afghanistan. Internal audit had shown no one has any idea of who requested their creation or was using them. Since then the mystical accounts have been deleted, but no results on possible unauthorized activities via them have been made public.
That unauthorized access was not an isolated incident. According to the report accounts for former employees remain active for some time after they leave. In addition the State Department can only guess about the number of contractors who have access to the system, and whether those contractors have gone through proper security checks.
In some cases, the computer systems also allowed access to data to unregistered users through anonymous unsecured access points with default credentials.
Currently, the database has no hashing, time-stamping, or other capabilities telling that the records have not been accessed, tampered with, copied by unauthorized users, or even switched for a fake.
After the 2010 leak of hundreds of thousands of Pentagon and State Department documents by Army Private Bradley Manning to the anti-secrecy website WikiLeaks, the department has disabled the ability to forward messages, but failed to block the ability to cut and paste messages and cables, BuzzFeed reports.
Legitimate users are also contributing to potential classified data leaks with their routine actions. When a non-classified user’s email on an operating level is included in a classified group mailing list – he begins receiving all classified attachments. Users also regularly mislabel classified information as unclassified, BuzzFeed reports, because they just like unclassified system better and appreciate its user friendly interface.
There have also been complaints concerning service accounts with non-expiring passwords or with no passwords at all, despite federal requirements that they be reset every 60 days.
Over 19,000 of the 121,702 active accounts including users, service, and mailbox accounts, on the unclassified system alone, do not require passwords, said a 2012 independent audit of the system, conducted for the OIG.
There have been requests to fix the security problem, but it has always been delayed by the authorities, BuzFeed reported.
Back in 2009 the Chief Information Officer, Charlie Wisecarver, tasked the department’s current Deputy Chief Intelligence Officer in charge of the SMART program, Glen Johnson, to immediately fix the problem.
However according to email exchanges obtained by BuzzFeed, Johnson’s answer was that it might not be technically possible nor prudent to change passwords every 60 days, as both users and system operators could forget and be blocked from entering the system.
“It is equally easy to imagine the midnight shift trying to fix a problem and being frustrated because they can’t log in because of an expired or changed password,” he emailed the Wisecarver. “It is equally easy to imagine that regularly passing around a sheet of many passwords has its own risks.”
The IT managers proposed changing only the Active Directory user passwords, not the service accounts, however whether that was implemented is not clear.
The State Department’s security has been a standing problem since at least 2009, as earlier reports suggested a severe lack of security, including unsecured servers, workstations, unencrypted transfer of secret material, and the intermixing of classified and non-classified information.