Senators want answers on State Department’s lack of multi-factor authentication

State uses enhanced authentication on just 11 percent of required agency devices, according to reports.
Mike Pompeo (State Department photo)

A bipartisan group of Senators is unhappy with recent reports that the State Department is woefully underprotected from cyberattacks.

Sens. Ron Wyden, D-Ore., Cory Gardner, R-Colo., Ed Markey, D-Mass., Rand Paul, R-Ky., and Jeanne Shaheen, D-N.H., issued a letter to Secretary of State Mike Pompeo on Tuesday questioning why the department’s authentication and cybersecurity management practices are so far behind.

The senators take biggest concern in the letter with the General Services Administration’s recent findings that the State Department has enhanced access controls — particularly multi-factor authentication (MFA) — on just 11 percent of required agency devices.

“We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA,” the letter reads.


They also cite a report from the department’s inspector general last year that found 33 percent of diplomatic missions failed to conduct even the most basic cyberthreat management practices, like regular reviews and audits.

“We urge you to improve compliance by enabling more secure authentication mechanisms across the Department of State’s information systems,” the senators wrote. “While certainly not a silver bullet, MFA is a simple step that makes it significantly harder for foreign governments or criminals to access accounts.”

The House Foreign Affairs Committee advanced a bill in May that would task the secretary of State with setting up a vulnerability disclosure process for researchers to hunt for and disclose flaws in the department’s public-facing websites and applications.

Latest Podcasts