The two people said that GAO found that many U.S. embassies and missions use vulnerable legacy systems, including Windows XP, an operating system for which Microsoft stopped providing any automatic updates almost a decade ago. That means that Microsoft is not developing patches or fixes for any security holes that emerge that hackers could exploit to gain access to those networks.
“This is a huge problem in my opinion, if that’s true of course,” said Vahid Behazadan, assistant professor of computer science at the University of New Haven.
“If no other provider is available to provide the patch, then the attackers can walk right in.”
The assessment, which GAO began at the end of last year, also found that many State Department posts lack not only a chief information security officer, but any cybersecurity personnel whatsoever. The cybersecurity vulnerabilities that GAO identified are particularly significant at State’s missions — such as postings that are often located at international organizations rather than capital cities.
It’s not clear how many foreign posts use the outdated software.
The State Department said in an emailed statement that the agency’s networks are “constantly targeted by bad actors due to the critical work we do,” but that the department “maintains one of the most robust platforms in the federal government to identify malicious cyber activity.”
State Department Chief Information Officer Kelly Fletcher is working with diplomatic security on ways to strengthen the cyber posture of U.S. posts abroad, the department said in the statement.
A spokesperson for GAO declined to comment, noting the report is unfinished. It is expected to be complete sometime in the fall, according to the two people. GAO last year included improving cybersecurity as one of its priority recommendations for the State Department.
The report is likely to add to the pressure on the State Department to step up its cybersecurity following the recent breach of agency emails. The perpetrators of that hack also accessed emails of Commerce Secretary Gina Raimondo. Lawmakers on both sides of the aisle are now looking into the incident, including the Republican leaders of the House Oversight and Accountability Committee.
The State Department’s Bureau of Cyberspace and Digital Policy has been working in recent months to increase the number of diplomats who go through cybersecurity training. Nathaniel Fick, the ambassador at large for Cyberspace and Digital Policy, said earlier this year that the agency aims to “have a basically trained cyber and digital policy staff member in every mission in the world that matters in the next couple of years, in the next two years.”
The agency has also stepped up efforts to root out vulnerabilities, submitting a report to Capitol Hill last month that outlined the steps taken to patch more than 500 vulnerabilities in agency systems reported over the past two years.
James Lewis, senior vice president at the Center for Strategic and International Studies and a former diplomat, said Friday that he believes the findings “get back to money,” adding that the State Department “hasn’t been able to afford to upgrade and no one pushed them to do it.”