A tiny, obscure agency responsible for the State Department’s cyber security is so dysfunctional and behind the times that it has left the department vulnerable to cyber-attacks, according to a new, scathing report from the inspector general.
The small agency has a big name – the Bureau of Information Resource Management’s Office of Information Assurance (IRM/IA). It is responsible for the security of the State Department’s more than 170 information systems. According to the report released Tuesday, the agency “wastes personnel resources and lacks adequate management controls.”
The audit also accuses the agency of not updating its regulations since 2007 and says it isn’t prepared to incorporate the latest technologies—including the Department’s new $1 billion cloud computing initiative. Idiotically, the database used by IRM/IA to track computer vulnerabilities is updated manually after it's printed out, “contradicting the main reasons to use electronic means,” the auditor noted.
The report also claims that the head of the agency, William Lay, hasn’t provided the 22 full-time employees with priorities or defined goals since he started the job in September. As a result, Lay’s staff has “not been proactive in meeting information security requirements,” the IG said. The agency doesn’t even have a mission statement.
The majority of the agency’s work is being done by unsupervised contractors when it should be handled by full-time government employees, the auditor said.
It’s not clear what IRM/IA employees actually do. The auditor noted that the agency’s staff doesn’t show up for inter-departmental meetings, participate in strategic planning, or keep track of important documents.
The troubling report comes at a time of heightened concerns about government cyber security in the wake of the Edward Snowden NSA data leak scandal. Snowden, a former Booz Allen contractor now holed up in a Moscow airport, illegally obtained and leaked massive amounts of classified U.S. documents concerning the National Security Agency’s secret PRISM program.
Meanwhile, the trial of U.S. Army private Bradley Manning – charged with aiding the enemy and other offenses for giving hundreds of thousands of classified documents to WikiLeaks in 2009 and 2010 – enters its eighth week.
The State Department IG report offered 32 recommendations, including that the agency create a mission statement and goals so its employees know what they’re supposed to be doing.
The State Department said that it takes the “OIG feedback seriously and is committed to addressing the recommendations and the concerns that led to the assessment.”