Thoughts Around Wikileaks Cablegate and Internal State Department Security
What I haven’t seen in the current media coverage of the Wikileaks U.S. State Department cable leak incident is any discussion about what might be wrong with the controls used inside that agency or the internal politics that might have led to not being able to establish and enforce the controls that might have prevented or detected the original data leak.
For example, did you know that the State Department has reported:
2104 CIRT security incidents in FY2008
3124 CIRT security incidents in FY2009
and have 6000 CIRT security incidents projected for FY2010?
These sharp year-over-year increases in the IT security incident count could arguably have indicated that something was amiss in the Department of State’s internal IT security controls, and that a larger-than-necessary risk of a major incident or leak might have existed. The State Department is a large, complex organization with significant political complexity and far-flung offices in every corner of the globe. Keeping utter chaos at bay in such an environment is a significant challenge, and despite everything I see right now I still believe that the State Department has the right leadership in place in the CISO office to handle the fallout and put the agency in a better place for the future.
What I don’t want to see as a result of the fallout from the Wikileaks Cablegate matter is State Department CISO John Streufert get fired. My understanding is that he has done a great job under difficult circumstances improving the State Department’s security posture – including a lot of work around improving processes and procedures for server and desktop vulnerability management. Just like any large organization, political, turf, funding, and other issues might be interfering with the CISO’s office extending their good work to other areas.
I had an opportunity before the Wikileaks incident to ask John Streufert directly if competent pentesters are telling him that the work he and his team had done so far was actually reducing the risk of a serious internal or external incident. His reply indicated that he felt he had only had an opportunity to improve matters in some areas, but other areas needed more work.
What I do want to see is:
1). the State Department CISO role being given more authority and influence in other agency areas that matter security-wise. From what I have seen, I believe extending Mr. Streufert’s security metrics and controls mindset to those other areas would be a good post-incident action item for the State Department after this Wikileaks incident.
2). the CISO’s office being given more direct authority over at least a larger percentage of State Department server and client endpoints. Right now my understanding is that the CISO has authority over less than half of State Department machines; a lot of infrastructure in remote offices, embassies, and other diplomatic facilities is under the direct supervision of local leaders (e.g. ambassadors), not the CISO’s office.
3). more metrics and risk-scoring items that matter, beyond vulnerability and patching scores, being folded into the existing State Department security metrics reporting system.