Zero Trust Presents 'Doable' Cybersecurity Goals, State Department's CIO Says
To shore up its cyber defenses, State is identifying potential vulnerabilities across its many disparate systems and working to boost its use of multifactor authentication.
The State Department is working to enhance its internal cybersecurity and promote more efficient technology practices across its global operations, the agency’s chief information officer said during a webinar hosted by Billington Cybersecurity on Thursday.
Dr. Kelly Fletcher, State’s CIO, said that the department—which maintains more than 250 posts around the world and has over 130,000 users on its systems—is “one of the most attacked organizations in the world” because of its global reach and diplomatic mission.
“I think our adversaries are getting more and more capable, and that's putting us in a tough spot,” she added, noting that, in addition to modernizing technology services and streamlining operations for its employees, the department is focused on bolstering its own cybersecurity capabilities to better defend against increasing digital threats.
Fletcher said that one challenge is that State has “organically stood up a lot of networks and systems that are not part of the broader enterprise,” largely in response to its goal of communicating with foreign nationals and the U.S. public, but that it has become “a terrain that's tough to defend, especially when we don't have visibility into it.”
“So one of the key things we're working on is do we still need these non-enterprise networks?” she noted. “If so, how do we make sure that Diplomatic Security can see into them?”
To better secure State’s systems from intrusion, the department is also moving toward implementing a zero trust model across its operations. Federal officials across government have been working to strengthen their cyber postures after President Joe Biden issued an executive order in May 2021 that, in part, required agencies to “develop a plan to implement zero trust architecture.” Fletcher said this approach will help State, in particular, limit the harm that adversaries can cause if—and even when—they breach the department’s systems.
“If somebody said to me, ‘it's your goal for the adversary to never be in your network,’ I would say, ‘I can't win, that's not winnable, it's not winnable today,’ ” Fletcher said. “What zero trust is, and what I think it’s going to help us to do, is to say, ‘listen, the adversary was in our network, but we won because they didn't move laterally, they didn't exfiltrate data, and we found them fast and we got them out fast.’ That's doable; we can do that.”
Part of this departmentwide effort includes increasing the use of multifactor authentication across State’s systems. Fletcher said that “a couple of years ago,” less than 20% of the agency’s systems used MFA; today, she said, that number is up to “around 80%.”
And Fletcher said it also includes the implementation of an internal cybersecurity scorecard, which she said is “an incredibly powerful tool” when it comes to promoting transparency and accountability across the department’s systems and information technology services.
“What it does is it allows leaders to look at the IT assets that they have built, and to see how secure they are,” she added. “And then they can see how they compare to their peers.”
Beyond securing State’s systems and networks, Fletcher said the department is also working to transform the ways in which critical State employees have access to the technologies they need to do their jobs.
This includes State’s recent “Tech For Life” initiative, which is designed to help foreign service officers—or FSOs—maintain possession of a phone and laptop, regardless of their posted assignment. Fletcher said that, currently, FSOs move approximately every one to three years, and have to turn in their devices when they are not on assignment.
“This sounds not that complicated until you start to think about it,” she said. “We've been operating in a very federated way. So, you know, access management of these devices, configuration management of the devices, all of the settings relating to allowing folks to have access to the right information, and then having that access when they move.”
Fletcher added that, under the initiative, FSOs can configure their devices “the way that we need them to be configured, and that includes all the security.”
She added that this initiative fits in with State’s broader focus this year on implementing zero trust to better secure internal networks from potentially harmful intrusions.