President Obama has called cybersecurity a top priority, but the State Department cable and messaging system, built and maintained — like the troubled ObamaCare system — mainly by large IT contractors, has routinely failed to meet basic security standards, according to internal documents obtained by BuzzFeed.
Emails and other documents suggest security has been a standing problem in State Department systems, handling both classified and unclassified material, since at least 2009. Earlier this month, BuzzFeed reported on the department’s systemic and severe lack of security, including unsecured servers, workstations, unencrypted transfer of secret material, and the intermixing of classified and nonclassified information.
These newly obtained documents add to the picture, revealing that the department lacks even a basic monitoring system to determine unauthorized access or modification of files. Security on the unclassified systems appears problematic, as there is potential access to classified information, even inadvertently, and back-door access to servers.
The State Department refused to discuss the security issue.
“For security reasons, the State Department does not comment on the technical aspects of our communication systems,” a spokesperson told BuzzFeed.
But experts in government security said it’s part of a broader pattern.
“Two years ago I would have said ‘yes’ if you asked me if I was surprised,” says Chester Wisniewski, a senior security expert at Sophos. “But seeing all that has happened in the last few years and how grossly incompetent the government is at protecting its secrets at all levels — it is disappointing.”
The State Department’s State Messaging and Archival Toolset (SMART) handles cables and emails, on both classified (ClassNet) and unclassified (OpenNet) enclaves. SMART also includes a searchable archive for cables and messages. The system, which is used by nearly 70 federal agencies, including the White House, FBI, Department of Defense, and ambassadors overseas, was created to facilitate better information sharing after 9/11. It was originally launched under then-Secretary of State Colin Powell — who joked at the time of the potential irony of the name if it wasn’t a success. The system, which went into production under Hillary Clinton’s watch, has been built and maintained by a team of State Department employees and private contractors under the $2.5 billion Vanguard contract. The SMART initiative includes the Net Centric Diplomacy system — the network accessed by Chelsea Manning — but technically the two systems are separate, though they handle much of the same type of material.
Due to its lack of security, SMART routinely receives failing or below-failing grades from its internal monitoring system, according to documents obtained by BuzzFeed. Formal certification and accreditation has not been completed for the main support system since as far back as 2007, and according to a 2010 OIG report, the system was not in compliance with the Federal Information Security Management Act and the National Institute of Standards and Technology requirements.
The Department of Defense would not comment on whether it is currently in compliance with these federal requirements. An internal report dated mid-September 2013 included failing grades on several of the system’s components.
Last November, an external audit conducted at the request of the OIG discovered three State Department user accounts that had been originally set up in Kabul, Afghanistan, which couldn’t currently be accounted for. The emails initiating the request for these accounts could not be found. According to the report, this was not an isolated incident. The computer systems were configured to allow unauthorized users to access the State’s system resources via anonymous log-ins and passwords, default credentials, and unsecured access points. In some cases, accounts are still active for terminated employees. To make matters worse, the department doesn’t know how many contractors have access to the system, and whether those contractors have gone through the proper security clearance and training.
The three Afghan accounts have since been disabled and removed. The State Department told the OIG that analyses have since been done to determine whether “any unauthorized activities had been performed on these accounts”; however, the results have not been made public.
Currently, the department systems offer very little information for security monitors. There is no auditing program to tell if archived files have been accessed by the operators of those accounts — or any accounts, authorized or unauthorized. There are no time-stamping or hashing capabilities to indicate if a file has been accessed, tampered with, or copied. A user could, potentially, access a file, change it, and place it back in the system undetected. BuzzFeed’s documents show the department has disabled the ability to forward messages in the wake of the Manning leak but neglected to block the ability to cut and paste messages and cables.
While the ramifications for security lapses in the classified system are obvious, unauthorized access to the unclassified enclave is also problematic, as it is possible to gain access to classified information, even by accident, as well as to servers through intentional hacks.
Classified cables, for instance, are blocked from being sent to unauthorized people. However, if a nonclassified user’s email address is added in a classified group email, the classified message is allowed to pass through. People also routinely mislabel classified information as unclassified, both by accident and because the unclassified system is easier to navigate.
Vulnerabilities in the department’s operating system enable back-end access to the servers holding restricted logs and cables through simple changes to the URLs. Since the State Department’s cable system is based mostly on out-of-the-box software as well as Windows 2003 components, there are multiple open trails and links to IP addresses.
But unauthorized users trying to obtain access to higher privileged information might not even need to bypass security with a hack, as many of the State Department’s accounts don’t have expiring passwords. Some don’t have passwords at all.
According to a November 2012 independent audit of the system, conducted for the OIG, over 19,000 of the 121,702 active accounts including users, service, and mailbox accounts, on the unclassified system alone, had been configured so as not to require passwords. Another 529 accounts had passwords set so they wouldn’t expire, despite federal requirements that they be reset every 60 days.
Today, the problem persists. Last month, the Information Security Officer Directorate formally requested a signed waiver — essentially, a permission slip — that would allow the organization to move forward despite its security flaws as long as her team promised to fix any issues down the line.
None of the aforementioned problems are new — security flaws have been sprouting up since as early as 2009. Concerns have been raised repeatedly by the Office of Inspector General, but the organizations have shown zero signs of improvement.
“In the corporate world these kinds of accidents happen because a system wasn’t designed to do something that it was later used for,” says Wisniewski. “In this case these system were designed to hold secrets from the start. You would expect that if you are planning to solve that from the beginning, you wouldn’t have these issues.”
Unlike the error-plagued Healthcare.gov system, which was developed by a large government IT contractor, CGI Federal, which has also done work for the State Department, SMART has not had the benefit of intense public scrutiny. Instead, internal requests to fix it were delayed, resisted, and outright quashed by superiors.
In 2009, while Clinton was Secretary of State, SMART received failing and below-failing grades over the course of five months, largely due to service accounts with non-expiring passwords. According to email exchanges obtained by BuzzFeed, when then-Chief Information Officer Charlie Wisecarver asked for an immediate fix, the department’s Deputy Chief Information Officer in charge of the SMART program, Glen Johnson, told the Wisecarver that it might not be technically possible to fix the issue nor prudent to change passwords every 60 days.
Johnson voiced his concern that both users and system operators would forget to change their passwords and be locked out of the systems. “It is equally easy to imagine the midnight shift trying to fix a problem and being frustrated because they can’t log in because of an expired or changed password,” he emailed the Wisecarver. “It is equally easy to imagine that regularly passing around a sheet of a many passwords has its own risks.”
Instead, Johnson suggested the department might need to apply for a waiver to move ahead without fixing the issue. “We are working our way to a solution that might require a waiver, but we will first see if we can comply with the stated policy,” he wrote in an email.
A member from the CIO’s office suggested fixing only the Active Directory user passwords, not the service accounts, and asking for a new score.
The question of whether service account passwords were ever fixed remains unanswered, though the severity of the situation does not. “The passwords are very, very sensitive,” said a former engineer working on the project. “If you compromise one, you compromise them all.”
Update: Sunday, October 27, 12:30 pm. There is hackable backdoor access to servers and the potential for spillage of classified information in the unclassified enclave. An earlier version suggested hackable backdoor access between the classified and unclassified enclaves.