Skip to content

Search the site

The State Department is running 27,000 end-of-life systems but its CIO has been hamstrung...

Two new women in charge as CIO and CISO aim to stop the rot

The US State Department is running 23,689 hardware systems and 3,102 network installations that have reached end-of-life – creating a potentially severe cybersecurity risk for US diplomats and other employees.

Some operating system (OS) installations running on State Department networks “had reached end-of-life over 13 years ago,” auditors from the US’s Government Accountability Office (GAO) have warned. (The Stack suspects this refers to a whole boatload of Windows XP systems...)

(End-of-life systems no longer get security patches from vendors and can pose a heightened security risk. Whilst they can be run securely with competent support and effective network segregation, it creates an expansive threat surface to do it at the 26,791-system scale.)

The State Department’s workforce includes some 13,000 members of the Foreign Service, 11,000 Civil Service employees, and 45,000 locally employed staff at more than 270 diplomatic missions worldwide. Two critical appointees since GAO began its investigations in 2019 include a new CISO, Donna Bennnett (2021) and a new CIO, Dr Kelly Fletcher ( 2022).

State Department IT: Legacy technology and deep siloes

The State Department's CIO is not entirely to blame for the malaise, says GAO – pointing the finger at an “insulated culture” and deep siloes across the Department’s many bureaus (its website lists 180 bureaus.)

“The ability of State's CIO to secure the department's IT systems is limited due to shared management responsibilities and a lack of communication” the auditor warned in a 92-page report published on September 28.

GAO said: “Bureaus perform many activities independently, purchasing much of their own equipment, managing many of their own IT systems, and obtaining their own funding [creating] confusion among information system security officers about the applicability of IT-related requirements.

"According to the CIO, system owners delay completing [required steps] due to competing priorities. State’s federated IT management
structure makes it challenging to enforce the CIO’s authority over the
system authorization process" GAO added  in the audit.

The GAO has now made 15 key recommendations for its CIO.

New CIO and CISO look to bring order

state department IT security
SD's CIO Dr Kelly Fletcher (l) and CISO Donna Bennett (r)

The State Department appointed a new CIO, Dr Kelly Fletcher, on October 3, 2022 – three years after the GAO investigations began.

She runs a team of 2,700 IT professionals and oversees $2.5 billion-worth of programmes. Her hire suggests that this is a known problem: Dr Fletcher was earlier CIO of the Department of the Navy, where she led a well-regarded Department-wide reorganisation of information technology governance and oversight and the State Department told The Stack that reforms are underway, saying: "The Department is prioritizing and addressing those recommendations that remain current and coordinating with the GAO to resolve those that the Department has already addressed.

"Since 2019, the State Department has made meaningful improvements in operational cybersecurity and cybersecurity governance, to include significantly increasing multi-factor authentication and data encryption and standing-up the Department Chief Information Security Office in 2021. The office has driven rapid improvements through the introduction of cybersecurity oversight and a shared responsibility model, including bureau-level cybersecurity scorecards" a spokesperson said this week.

The appointment of "Enterprise CISO" Bennett (an experienced CISO – with hands-on experience earlier in her career for the Department of Defence as an enterprise network architect – who also previously ran cybersecurity for the Unified Atlantic Region Network Operations Center) was also seen as a significant step towards fixing this malaise: "The E-CISO will have broad authority (on behalf of the CIO) to oversee all aspects of cybersecurity. Any bureau that maintains their own cyber infrastructure will be responsible to the E-CISO for meeting all required cyber standards,” outgoing CIO Stuart McGuigan said of her appointment at the time.  

State did not respond to a request for comment on the number of EOL systems still on its networks and GAO suggests that there is still work to do, pointing in particular to the need for more consistent annual testing of its incident response procedures. Among its more recent incidents was the theft of 60,000 emails after Chinese hackers breached a Microsoft engineer's account and used that to steal a powerful signing key to forge access tokens to email accounts, leading to at least one Senator, Eric Schmitt to warn that "we need to take a hard look at the federal government's reliance on a single vendor as a potential weak point."

See also: A powerful key was stolen from one of the world’s largest companies. It still has questions to answer.