At the State Department, where Russian-backed hackers allegedly embedded for at least six months, bureaus are not required to tell the top tech official about system threats, an internal watchdog discovered.
Another technical error uncovered? System operators can plug in rogue devices to the department’s network without the chief information officer’s knowledge.
These findings by the department inspector general follow a network intrusion that allowed nation-state attackers to jump between State and White House unclassified email systems beginning last fall. Cyberspies are believed to have accessed messages dealing with President Barack Obama’s private itinerary and other national security-sensitive documents.
“The CIO is not properly positioned within the organization to ensure that the department’s information security program is effective,” said auditors from Williams, Adley & Company, an independent public accounting firm hired to conduct a cyber inspection.
The Bureau of Diplomatic Security and other offices, for instance, are “not required to communicate information security risks to the CIO,” according to a heavily redacted inspection report, which was released Nov. 20 to the public.
IT managers currently have the ability to “add and remove devices from the network without communicating the information” to the CIO, the auditors found.
In response to a draft report, State officials agreed with the audit’s recommendation to review the CIO’s position within the department’s organization chart, with respect to federal law. Specifically, the 1996 Clinger-Cohen Act tasks each department CIO with monitoring the performance of its IT programs.
Congress further emboldened CIOs in 2014,…