
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the bipartisan Senate Cybersecurity Caucus, voiced deep concerns with the ability of the U.S. Department of State to address the surge of offensive cyber activity by Iran. In a letter, which comes on the heels of a U.S. airstrike that killed Iranian general Qassem Soleimani, Sen. Warner notes Iran’s growing cybersecurity capabilities and presses Secretary Mike Pompeo for answers on how the Department plans to defend its information security systems in light of its long history of information breaches.

“The Iranian government’s state-sponsored cybersecurity capabilities have grown in sophistication and intensity in recent years, and they have developed a number of advanced persistent threat (APT) groups that conduct various offensive operations. Examples include prolonged espionage, destructive malware and ransomware attacks, and social media manipulation through influence campaigns,” wrote Sen. Warner. “These attacks serve both political and economic purposes, and use methods like password spray attacks, scanning for VPN vulnerabilities, DNS hijacking, spear-phishing emails, and social engineering.”

As recently as 2018, the Department of Justice indicted two Iranian individuals who conducted a 34-month-long international scheme, in which they used ransomware to extort hospitals, municipalities and public institutions, causing $30 million in losses.

In his letter, Sen. Warner cites two separate reports by the Department of State’s Office of the Inspector General (OIG) that detail a number of cybersecurity risks presented by the structure of the Department of State and by hiring freezes affecting the department. These risks include a diminished ability to respond to malicious cyber activity targeting personnel and information assets due to the hiring freeze, as well as a lack of cybersecurity oversight resulting in unauthorized and misconfigured network devices compromising the Department’s sensitive network.

“The State Department has a long history of information security breaches, beginning with a series of blunders in the late 1990’s, and including a massive and prolonged attack in 2014, when the National Security Agency (NSA) and Russian hackers fought for control of State Department servers,” wrote Sen. Warner. “In September 2018, after an email breach of unclassified systems, a bipartisan group of Senators asked you how the State Department was addressing the issue. Two months later, hackers with suspected ties to the Russian government were found to be impersonating State Department officials in an attempt to infiltrate computers belonging to the U.S. government, the military, and defense contractors.”

Noting the Department of State’s cybersecurity vulnerabilities and the risks of Iran carrying out cyberattacks with disruptive effects, Sen. Warner posed the following questions for Secretary Pompeo, requesting an answer by January 31st:

  1. Currently, cybersecurity personnel are dispersed organizationally across different bureaus within the Department of State, and across embassies around the world. Since the OIG report was issued in August 2019, what personnel changes have you made to more efficiently and effectively address both the hiring freeze impacts and the earlier security and audit concerns presented by the OIG?
  2. The OIG report noted that the Chief Information Security Officer (CISO) of the Department of State lacked necessary seniority for effectiveness or accountability. My understanding is that the current CIO reports to the Undersecretary for Management to the Secretary of State, and that the CISO reports to the CIO. In 2018 a study by the Financial Services Information Sharing and Analysis Center (FS-ISAC) recommended that CISOs have clear and direct communication with the CEO, rather than just to the CIO. Most organizations provide at least a dotted-line reporting structure from the CISO to the CEO. What kind of direct communication do you have with the CISO, given that the position sits below a CIO and an Undersecretary?
  3. What kind of employee training changes have you made to protect employees from phishing and other social engineering attacks?
  4. What technical changes have you made within the information security organization of the State Department to protect against ransomware and wiper malware attacks?
  5. Have you addressed the August 2019 OIG report’s hiring concerns for information and IT security personnel at our embassies? Are you up-to-date on your information security audits? Does the State Department, at the very least, conduct routine scanning, patching, and utilize multifactor authentication?

Earlier this month, Sen. Warner cautioned the Trump Administration on the dangers of escalating tensions with Iran and urged the Administration to prepare for the long-term potential consequences of targeting Soleimani.

A copy of the letter is reproduced below.


The Honorable Mike Pompeo
Secretary of State
U.S. Department of State
2201 C Street NW
Washington, DC 20520

Dear Secretary Pompeo:

As tensions between the United States and Iran rise, and the risks of Iran carrying out cyberattacks with “disruptive effects” grow, I write to express my deep concern about the State Department’s ability to defend its information security systems and that of our embassies around the world, and request a plan for how you will bolster these systems. 

The Iranian government’s state-sponsored cybersecurity capabilities have grown in sophistication and intensity in recent years, and they have developed a number of advanced persistent threat (APT) groups that conduct various offensive operations. Examples include prolonged espionage, destructive malware and ransomware attacks, and social media manipulation through influence campaigns. These attacks serve both political and economic purposes, and use methods like password spray attacks, scanning for VPN vulnerabilities, DNS hijacking, spear-phishing emails, and social engineering. Iran’s threat group APT33 has been linked to notorious disk-wiping malware including SHAMOON and SHAPESHIFT (which attacked industrial systems across the Middle East and in Europe). As recently as 2018, the Department of Justice indicted two Iranian men for deploying ransomware to extort hospitals, municipalities, and public institutions, causing over $30 million in losses. 

In August 2019, the Department of State’s Office of Inspector General (OIG) issued a report on the effects of the hiring freeze on the State Department, finding in particular, serious impacts on the cybersecurity functions of the Department. The IG found the following:

The bureau was unable to fill two Senior Executive Service positions responsible for cybersecurity, which it said delayed implementing an enterprise risk management program for IT systems. The DS [Bureau of Diplomatic Security] Computer and Technical Security Directorate reported that staffing shortfalls hampered its ability to develop tools and procedures to react and respond to malicious cyber activity targeting Department personnel and information assets. DS also reported delays in conducting penetration testing of Department networks and providing IT security support for integrating cybersecurity for new and existing systems, which they attributed, in part, to the hiring freeze.

That IG report followed a 2017 report by the State Department OIG that noted a number of cybersecurity risks presented by the structure of the State Department. The report noted that the Chief Information Security Officer was not well placed to be held fully accountable for State Department cybersecurity issues, and highlighted an incident in Guatemala City where unauthorized and misconfigured network devices compromised the Department’s sensitive network.

The State Department has a long history of information security breaches, beginning with a series of blunders in the late 1990’s, and including a massive and prolonged attack in 2014, when the National Security Agency (NSA) and Russian hackers fought for control of State Department servers. In September 2018, after an email breach of unclassified systems, a bipartisan group of Senators asked you how the State Department was addressing the issue. Two months later, hackers with suspected ties to the Russian government were found to be impersonating State Department officials in an attempt to infiltrate computers belonging to the U.S. government, the military, and defense contractors. In March 2019, a State Department contractor was convicted of theft and embezzlement of 16 computers from your organization.

Given Iran’s technical capabilities and threats to retaliate, as well as the State Department’s systemic organizational and functional problems addressing cybersecurity vulnerabilities, I ask you to answer the following questions on how the State Department will address a surge of offensive cyber activity by Iran:

  1. Currently, cybersecurity personnel are dispersed organizationally across different bureaus within the Department of State, and across embassies around the world. Since the OIG report was issued in August 2019, what personnel changes have you made to more efficiently and effectively address both the hiring freeze impacts and the earlier security and audit concerns presented by the OIG?
  2. The OIG report noted that the Chief Information Security Officer (CISO) of the Department of State lacked necessary seniority for effectiveness or accountability. My understanding is that the current CIO reports to the Undersecretary for Management to the Secretary of State, and that the CISO reports to the CIO. In 2018 a study by the Financial Services Information Sharing and Analysis Center (FS-ISAC) recommended that CISOs have clear and direct communication with the CEO, rather than just to the CIO. Most organizations provide at least a dotted-line reporting structure from the CISO to the CEO. What kind of direct communication do you have with the CISO, given that the position sits below a CIO and an Undersecretary?
  3. What kind of employee training changes have you made to protect employees from phishing and other social engineering attacks?
  4. What technical changes have you made within the information security organization of the State Department to protect against ransomware and wiper malware attacks?
  5. Have you addressed the August 2019 OIG report’s hiring concerns for information and IT security personnel at our embassies? Are you up-to-date on your information security audits? Does the State Department, at the very least, conduct routine scanning, patching, and utilize multifactor authentication?

I would appreciate your answers by January 31, 2020.

Sincerely,

###