There are governments that finish projects on time, use technology to improve performance and protect people from imminent harm. Then there's the US State Department's cybersecurity office. It seems to have a hard time just keeping the lights on.
A damning new report by the State Department's inspector general casts this anti-hacking office in a pretty dismal light. The so-called Bureau of Information Resource Management's Office of Information Assurance (IRM/IA) is responsible for safeguarding the secrets from dozens of embassies and consulates around the world, but based on the wording of the report, it operates like a rudderless ship. Broadly speaking, the report said that the office "wastes personnel resources", "lacks adequate management controls" and "has no mission statement". That's just the beginning too.
The inspector general's office has plenty more bad things to say about the IRM/IA and its performance. They also take a dim view of the head of the bureau who's apparently never around to provide leadership or even guidance for the employees. On top of that, the office's regulations haven't been updated since 2007, which is aeons ago in terms of developments in cybersecurity. All things told, the office "is not doing enough and is potentially leaving Department systems vulnerable," says the report.
Experts are unsurprisingly unimpressed with how the IRM/IA is performing. If this office isn't doing its job keeping America's secrets safe, it really does put our national security at risk. If any cybersecurity office should be held accountable for shortcomings, it should be this one, and this report is the beginning of that process. "This report reads like a what-not-to-do list from every policy, program, and contracting perspective," Scott Amey, general council for the Project on Government Oversight, told Mother Jones this week. "With stories about foreign entities hacking US government systems and questions about non-authorized access to classified information, this latest IG report causes major concerns about the State Department’s ability to protect government systems."
What's ultimately ironic about the IRM/IA's lackluster performance is that just two years ago, the State Department was being lauded for its cybersecurity practices. The Wall Street Journal called the department's approach "an unexpected model for big firms looking to bolster computer security." While it was certainly never a flawless approach, it was good enough to get companies like Microsoft and General Electric interested in emulating some of its practices. But as Amey pointed out in brutal terms, that's just not the case any more. If you want anybody to have airtight security, you want the State Department to have airtight security.
Then again, the US government's never been very good at cybersecurity. But at least it knows it. [Mother Jones]