Security news that informs and inspires

Senators Question Lack of MFA at State Department


The pace of change in Washington is not always what you might call fast, and that certainly holds true when it comes to information security advancements. Some members of the Senate are not satisfied with that state of affairs and are asking why the Department of State isn’t adopting modern security technology, such as multi-factor authentication, as required by federal security standards.

In a letter to the secretary of State sent Sept. 11, five senators asked what the department was doing to address the lack of MFA in its network and also how many cyber attacks have hit the department’s systems in foreign countries over the last three years. The letter cites reports by the General Services Administration and the Department of State’s own Inspector General about security deficiencies in the department’s network. An assessment by the GSA this year found that just 11 percent of required systems in the department had enhanced access controls and the IG reported that 33 percent of diplomatic missions hadn’t conducted regular reviews and audits of their networks.

“For much of the Internet’s history, users have been prompted to enter passwords to access their email and other online accounts. This password-only approach is no longer sufficient to protect sensitive information from sophisticated phishing attempts and other forms of credential theft,” the letter says.

“We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA.”

The Federal Cybersecurity Enhancement Act has a requirement that every federal agency “implement multi-factor authentication consistent with standards and guidelines promulgated under section 11331 of title 40, United States Code, for—remote access to an agency information system; and each user account with elevated privileges on an agency information system.”

The letter to Secretary of State Mike Pompeo came from Sens. Ron Wyden (D-Ore.), Cory Gardner (R-Colo.), Edward Markey (D-Mass.), Rand Paul (R-Ky.), and Jeanne Shaheen (D-N.H.), and the lawmakers ask Pompeo for specific details about his department’s initiatives to implement MFA, if any.

“What actions has the Department of State taken to rectify the near total absence of multifactor authentication systems for accounts with elevated privileges accessing the agency’s network, as required by federal law?” the letter says.

Targeted attacks and phishing attempts against federal government employees are serious threats, especially during an election cycle that is sure to draw interest from well-resourced attackers. By requiring a second factor of authentication during login, MFA can help prevent account takeovers even if users fall for a phishing scam and their usernames and passwords are compromised.