State Department Email Breach

Last night, it was reported that the State Department has suffered a data breach. According to reports, some employees had their personal information exposed by a breach of an unclassified email system. Other reports stated that a report published earlier this year by administration watchdog Government Accountability Office said that the State Department had only rolled out some form of two-factor authentication to 11 percent of required agency devices, despite a legal requirement to secure all accounts with higher privileges.

Pleas see below for commentary from cybersecurity experts.

Sam Curry, Chief Security Officer at Cybereason:

“In the past, the State Department has turned down help from other agencies to help them identify problems and improve. There are a lot of reasons for this such as they don’t want national security agencies snooping through their networks, can’t afford any down time, etc. However, considering the immense target that the Department represents, it is not a very compelling case. One of the other challenges they face is the government procurement process. It is very difficult for State to buy new technology and continually improve the way the Global 1000 companies do and fundamentally this is likely a hack that led to a breach and not some type of insider issue. It’s no more or no less, and how it is handled, the context of it as an incident, the PII exposed, the response and the future readiness by the State Department and other agencies is what matters.”

Gary McGraw, Vice President of Security Technology at Synopsys:

“Sadly, many important departments in the US government continue to lag when it comes to computer security.  If the State Department has trouble rolling out two factor authentication to protect the majority of its users (something that many corporations have had in place for years), how can we expect other aspects of its operations to be secure?  This breach provides more evidence that leadership in computer security can more likely be found in the private sector than in the public sector.”

Ryan Wilk, VP of Customer Success at NuData Security:

“Governments and online companies that provide services online, must secure all the links in their security chain. Bad actors look for the weakest point to access information, so companies have to be extra diligent in keeping their security up to date on all placements. Additionally, companies that identify users online need to devalue the data that bad actors steal and use to misrepresent legitimate users – like they do in account takeover attacks. By creating a new authentication framework that identifies customers by their online behavior instead of relying on credentials, personally identifiable information such as names and passwords become valueless to cybercriminals. New authentication technologies which incorporate passive biometrics and behavioral analytics can identify consumers by thousands of online authenticators. This way, if credentials or devices are stolen, entities can still recognize the person behind the device or block transactions altogether when fraud is detected.”