State Department still vulnerable to WikiLeaks-style breach, say auditors

Tools

The State Department has been vulnerable to another breach of diplomatic cables in the 2 years since WikiLeaks created an international incident by posting online hundreds of thousands of U.S. confidential assessments of foreign leaders and states.

In a redacted report (.pdf) dated September 2012 not posted online until Nov. 5, auditors say Net-Centric Diplomacy--the system for sharing diplomatic reporting information within the department and with other government agencies, and a source of the leaked cables--has had logical access controls weaknesses.

"Progress in addressing the NCD weaknesses that made the WikiLeaks incident possible has been very slow," auditors say. Unless the weaknesses are resolved, "an incident similar to WikiLeaks could occur," they warn.

A description of the weaknesses is redacted from the public version of the report, but auditors say a February plan for redesign of the system called for the addition of user authentication, code changes "to reduce data vulnerabilities," addition of an audit trail and user-based download threshold alerts.

Officials from the department's Bureau of Information Resource Management told auditors at the time of their investigation that the enhancements had yet to be completed due to lack of technically qualified contractors and difficulty in understanding the application, because the Bureau of Resource Management didn't provide the system's full source code. Information technology officials also complained of the difficulty in finding contractors with sufficient clearances.

In their official response to the audit, State IT officials said they have since acquired "the necessary technical resources" to implement the February corrective plan and that as of June 11, a full team of developers was at work on implementing it.

For more:
- download the report, AUD-IT-12-44 (.pdf)

Related Articles:
DoD reissues directive to safeguard technical documents
Intel chief looks to metadata, identity management to prevent WikiLeaks redux
WikiLeaks inspires new White House cybersecurity policy