The State Department’s communications system is operating without basic technical security measures in place, despite warnings about its vulnerabilities, according to documents obtained by BuzzFeed and sources who have worked on the project. The system, known as SMART (the State Messaging and Archive Retrieval Toolset), is used to share internal State Department documents, including sensitive diplomatic cables — the type of document released to WikiLeaks in 2010, in the biggest data breach in the history of the United States government.
The sources, who spoke to BuzzFeed on condition of anonymity, say the failures have left thousands of cables and messages, including highly sensitive and classified ones, vulnerable to espionage or leaks for the last four years. The State Department approved the project (and hundreds of millions of dollars in payments to contractors) in 2009 despite known flaws, and proceeded even after the 2010 Chelsea Manning leaks, despite two inspector general reports condemning the project’s lack of security, and even after then-Secretary of State Hillary Clinton promised to stop another leak.
“I have directed that specific actions be taken at the State Department … to protect State Department information so that this kind of breach cannot and does not ever happen again,” Clinton said in November 2010.
To people familiar with the SMART project, which was built with the help of Microsoft and managed by a giant contractor, SAIC, it was a surreal pronouncement.
“I’m talking IT security basics, standard fundamental things that a first-year admin would find,” a former SAIC deputy program manager with top-secret clearance told BuzzFeed. “There is this attitude that security didn’t even come into the picture.”
The issues were, from a technical and security perspective, basic: The system left workstations and servers unsecured; relied on unencrypted transfer of secret materials during the migration to SMART; and at times mingled classified and unclassified materials, contra State Department regulations, according to the sources and documents. In 2010, SAIC was awarded a $2.5 billion IT services contract; in 2012, it signed another worth up to $750 million. (The company is currently in the process of splitting in two.)
Software on 96% of the servers used for transmitting cables, for internal messaging, and for remote access was not compliant with the State Department’s own security standards, according to an internal report. Neither were 17 of the 23 workstations examined for the report. Half a dozen workstations had no antivirus protection.
SMART, which operates on a two-tiered classified and unclassified basis, carries almost all diplomatic cables, as well as emails saved by State Department personnel. The system hosts both live communications and archived documents, meaning that important information about diplomatic relations, schedules, personal details of the identity of key assets on the ground, and other highly sensitive information is at risk.
However, a sensitive but unclassified Inspector General’s report issued two years after the Manning leaks suggested proper security access controls still had not been fixed and warned that another WikiLeaks could happen. It noted “an increasing number of security incidents” had occurred over the “past several years.” The report also cites the lack of a “useful” way to track user activity. If cables are wrongfully accessed, it is difficult for the Department to trace the activity.
A State Department official, who refused to be quoted by name, declined to comment on specifics, telling BuzzFeed: “The U.S. Department of State takes every precaution to ensure the confidentiality, integrity, and availability of our SMART communications system, which includes providing controls and safeguards, and managing risk to protect information assets from possible threats.”
But the system, the sources said, was built with “out of the box” software, with only “commercial grade” services and applications, and with few additional security modifications. “For the importance of these kinds of messages and communications, it should be formulated from the ground up,” said the former employee.
The shortcomings also create indirect vulnerabilities to the communications of other government agencies, which routinely share messages with the State Department, including the White House, the CIA, the FBI, the Pentagon, and the Department of Defense.
“People were able to pull cables and data out from this massive database without using secure terminals,” said the same former employee. “It would be like pulling up to a gas station, going to a vending machine, putting your money in, and all the candy falls out.”
SMART’s deployment was largely guided by Microsoft and uses its software extensively; operations maintenance is largely run by SAIC (Science Applications International Corporation) contractors, as well as State Department employees, some of whom used to be Allied Technology employees.
The issues began when SMART was still in its testing phase, when production data, or in other words, live communication data — including real text, real emails, real cables — was used without any security in place. Normally, the security applied during the design, implementation, and test stages directly mirrors the security used in production.
During production and testing, unclassified, secret, and top-secret information were intermixed in one location, without proper security. As they transferred information from the old to the new system, classified documents — both live and archived — were sent in unencrypted form through unclassified channels (known as the “low side,” as opposed to the encrypted “high side”), giving all State Department employees potential access to all classified files.
“If you are processing classified information, it should be completely walled off, separated and agnostic of any other machines, transmission lines, connections, networks, servers, everything,” said the former manager. “That was not the case.”
For context, consider that it is against State Department rules to physically install classified servers within 6 feet of unclassified ones on a storage rack.
According to documents reviewed by BuzzFeed, several employees raised concerns starting from the beginning of the SMART rollout. They were told to not pursue the issue. Some were told, with stern overtones, that it wasn’t within their job descriptions to do so. At least two employees involved in the project also filed complaints with the Office of Inspector General.
“The pushback I received was, ‘We just have to get this thing moving,’” said the former program manager. “I felt it was [coming] from a reputation and promotion standpoint, from individuals who have been there for 12, 15, 20 years.”
“There was pushback and, long story short, that is when they started making people’s lives very difficult,” he added.
Eventually he and several other contractors working on SMART quit their positions in frustration over the lack of security remediation.
“Some of this was very, very disconcerting for us, because as engineers we knew what we are working on,” said the former manager. “As we have already seen with Manning and Snowden, when you have highly sensitive communications, you can’t forgo security. Period. We live by it.”
Besides brushing aside internal complaints, the State Department officials also used official channels to override security concerns. The department’s chief information officer signed official “waivers” — essentially permission slips — used to allow projects to move ahead despite known problems with the promise to eventually fix them. Some of these waivers have been renewed multiple times.
“You don’t tell someone, especially [someone] whose job is relied on for systems security, that you will just write a waiver and fix it later,” said the former manager. “It is a Band-Aid over a bullet hole. It is just not going to stop the bleeding.”
The Inspector General’s latest report, from July, criticized the waiver system, noting there are no clear rules about when and why they can be used. It called the current policy “inconsistent and ineffective” and said the State Department “has not taken the necessary steps to identify the common [security] controls.”
The July report also said the department’s security staff lacks a stated mission or specific goals, is disorganized, shows a “lack of active involvement in many of its stated responsibilities,” “is not proactive in meeting information security requirements,” and hasn’t updated its policies and regulations manual since 2007.
The practical implications of SMART’s shortcomings are manifold.
These cables are sent to international contacts as well as to agencies like the White House, Pentagon, NSA, or CIA. According to inside sources, the links to the agencies “are not as secure as they need to be” in terms of security and encryption, which creates potential backdoor access to enter and compromise those systems.
Gaining access to one of these external agencies this way would require a high degree of sophistication. But gaining unauthorized access to internal State Department files would not; it would be relatively simple for a motivated person with physical access to the department’s workstations.
“A regular, run-of-the-mill guy can basically get by with a tier-two-level education and be able to pull this information,” says the former manager. “It is not rocket science, but it would take someone with a little creativity.”
There is also potential for former employees, including those who have been terminated, to access the State Department’s internal communications. The September 2012 Office of Inspector General’s report noted that there is no standard or formal process for removing access for people who left the department, including those who have been fired. Accounts weren’t being regularly validated. Some people had multiple accounts. According to the report, “Without following a formal and consistent process, there is a risk of unauthorized users being granted access to the applications.”
The department has begun rolling out fixes, coinciding with rumors that employees were seeking media recourse. Engineers who have worked on the project have said that it could take up to several years to fix all the problems.
More likely, they say, the State Department will need to build and deploy a completely new system.