
The State Department Is Still Using Windows XP, a Cybersecurity Report Indicates

Amazingly, the department's program meets federal standards, according to the report.
By Josh Norem
Windows XP desktop
Credit: Microsoft

The US government's General Accounting Office (GAO) released a report on the cybersecurity situation over at the State Department, and it doesn't paint a rosy picture. One might think the department tasked with handling foreign diplomacy and setting the agenda for our foreign policy would be buttoned up pretty tight, but that doesn't appear to be the case. The report highlights numerous areas needing improvement, the most notable being the presence of systems using an operating system that reached end-of-life "over 13 years ago," which sounds like Windows XP to us.

The full report from the GAO is full of contradictions, as it states the department's cybersecurity program "meets federal requirements" since it's developed a risk management strategy. However, it also reports that the program hasn't been fully implemented. What's mildly humorous about the report is it breaks down the good and the bad into two categories, with the good being that it's developed a strategy and identified "risk management roles and responsibilities." The bad is that it hasn't done much about either of them, which makes you think, "Only in government could this be a thing."

State Department deficiencies
This pyramid highlights the various areas in which the State Department needs to up its game, noting it has a lot of work to do in order to protect itself against cyber threats. Credit: GAO

The most damning portion of the report, as noted by TechSpot, highlights the State Department's use of outdated hardware and software. The report says it detected "23,689 hardware systems and 3,102 occurrences of network and server operating system software installations that have reached end-of-life." It says these systems were EOL'd over 13 years ago, indicating the operating system is likely Windows XP, which hit that date in 2009.

Windows XP stopped receiving security updates in 2014, and its last embedded variant was officially killed off in 2019. But seriously, Department of State—Windows XP? This department has a budget this year of $73.77 billion, and it can't at least afford to upgrade to Windows 7? The report dryly notes that due to this outdated arrangement, "the department risks being unable to fully detect, investigate, and mitigate cybersecurity-related incidents."

The report also details a heavily siloed organization with centralized management and sub-groups that buy and maintain their equipment without communicating up the chain about it. It says that although the CIO sets the standards for the organization and manages the main network, bureaus operate independently. This arrangement and a lack of communication up and down the chain of command allow for a confusing situation about the applicability of IT standards, according to the report.

Overall, it's a pretty concerning look at a department that deals almost exclusively with foreign contacts. If there were any section of the US government you'd think would be locked down, aside from Homeland Security and the Pentagon, we suppose, it'd be the State Department. However, that does not appear to be the case, despite it meeting the federal requirements for cyber threat mitigation.
