IG raps cybersecurity at State

The State Department's cybersecurity plans are inadequate, the department's inspector general reported recently. But State's chief information officer said there aren't enough resources to do everything.

The recent IG report, "Critical Infrastructure Protection: The Department Can Enhance Its International Leadership and Its Own Cyber Security," found that State did not include foreign operations in its plans as required by Presidential Decision Directive 63 (PDD 63).

State's critical infrastructure protection plan does not, for example, assess vulnerabilities in its interagency connections, and it does not specify how the department will ensure that all employees and contractors are trained in required concepts and skills for protecting critical infrastructure systems, according to the report.

"Implementing well-organized approaches to ensure all employees receive required security awareness, training and education will strengthen the department's security readiness," the IG report stated.

Fernando Burbano, State's CIO, is working to address the IG's recommendations. But he also noted that State and other agencies have not had the resources to adequately fund cybersecurity mandates. "There's no money behind it."

PDD 63, signed by President Clinton in May 1998, requires federal agencies to protect information systems that support the nation's critical infrastructure, including electricity, telecommunications and government services.

State has had a number of security lapses recently, most notably last year's disappearance of a notebook computer containing classified information.

The IG also found that the department's critical infrastructure protection plan and vulnerability assessments did not address the minimum requirements for its overseas operations as required by PDD 63, nor did it address the role and responsibilities of the lead person at each post in protecting that infrastructure.

"Foreign operations are essential to U.S. government foreign policy and relations, national defense and U.S. interests abroad," the IG report stated.

Furthermore, the IG found that State officials did not address the requirement that they conduct periodic assessments of their security controls. The IG review was conducted in conjunction with a President's Council on Integrity and Efficiency assessment of PDD 63's implementation at agencies.

Although the Office of Management and Budget has argued otherwise, Burbano said that many of the requirements are new and that agencies need money to implement those security provisions.

He has been pushing for a pool of money for security fixes similar to the emergency fund that enabled agencies to address the Year 2000 problem.

Furthermore, Burbano said that because of the government's drawn-out budget cycle, there is typically a two-year gap between when agencies request money and when the funds are approved.

"Until we get the proper amount of money and get the budget cycle in sync, we are stuck in this gap," he said.