State Department scores an F on 2FA security

Five Senators have discovered that the State Department is breaking the law by not using multi-factor authentication (MFA or 2FA) in its emails. They’ve sent a letter to Secretary of State Mike Pompeo, and they want answers.

The letter, from Senators Ron Wyden, Cory Gardner, Edward Markey, Rand Paul and Jeanne Shaheen, referenced reports from federal auditors that the Department of State was failing to meet basic federal cybersecurity standards.

The General Services Administration (GSA), the US agency that handles government procurement, property management and information delivery, analysed federal cybersecurity this year, the letter said.

The GSA’s report found that the Department of State had deployed “enhanced access controls” across just 11% of required agency devices.

MFA or 2FA requires users to present a second piece of evidence along with their password: something they have or something they are, rather than a second thing they know. Because that factor is tied to a device or a body only the user holds, an imposter who has merely stolen or phished the password cannot log in from afar. The second factor could be biometric, such as your fingerprint; a hardware key, such as Google’s recently-announced dongle; or a code delivered to a mobile phone. These options are not equally strong: a code sent by SMS can be phished or intercepted in transit, whereas a hardware key that checks the site it is talking to resists phishing outright, which is why current security guidance steers away from SMS codes.

Federal agencies in the Executive Branch are legally required to enable 2FA for any accounts with elevated privileges under the Federal Cybersecurity Enhancement Act, passed as part of an omnibus spending bill in December 2015.

This wasn’t the only blot on Pompeo’s copybook, according to the Senators. They said that according to the Department of State’s Inspector General, one third of diplomatic missions failed to conduct…

…even the most basic cyber threat management practices, like regular reviews and audits.

Penetration testers also successfully hacked email accounts along with applications and operating systems at the Department, the letter said. It added:

We are sure you will agree on the need to protect American diplomacy from cyberattacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA.

The Senators demanded that Pompeo’s Department respond by October 12, explaining what actions it has taken to remedy the classification of its cyber-readiness as “high-risk” by the White House’s Office of Management and Budget (OMB). Although the letter does not say so explicitly, it is likely referring to a May OMB report on cybersecurity that categorised almost three quarters of the 96 Federal agencies assessed as at risk or high risk.

The letter also asked what the Department of State has done to fix the “near total absence” of MFA-enabled accounts, and asked for statistics detailing the number of cyberattacks against Department of State systems located abroad.

The importance of MFA shouldn’t come as a surprise to the State Department. In February 2016, then-President Obama announced federal initiatives to improve cyber security awareness, including a national 2FA awareness campaign.

Unfortunately, not many people outside the government seem to be paying attention either. MFA is readily available to many consumer email users, including Gmail’s one billion users.

Seven years after Google introduced two-step verification (its own implementation of MFA), fewer than one in 10 people use it, according to one of its engineers.

It seems that Joe Public is even further behind the Department of State in the account security stakes.