State Department Says Hackers May Have Stolen Sensitive Data

Updated with comment from current and former State Department officials.

The State Department says sensitive data might have been breached during multiple hack attacks over the past year.

The revelation, buried in an inspector general report released Wednesday, is the first acknowledgment that foreign spies might have grabbed national secrets during a months-long hacking campaign last fall.

As State spent about $1.4 billion on information technology between Oct. 2014 and Sept. 30, at the same time "a number of cybersecurity incidents" illustrated deficiencies in the way department personnel went about protecting networks, department Inspector General Steve Linick said in the assessment.

"Malicious actors exploited vulnerabilities, potentially compromising sensitive information," he added. The intrusions also caused "significant downtime to normal business operations."

As previously reported, State disconnected unclassified systems last fall to try to eliminate concerning activity. The incident occurred around the same time intruders, believed to be working for the Russian government, penetrated the White House's unclassified email systems. The White House attackers successfully retrieved items such as President Barack Obama's schedule, according to CNN.

But State has been tight-lipped on what, if anything was stolen, during its run-in with cyber adversaries.

Former State officials say sensitive, yet unclassified, data would still be useful to those seeking to harm America. The contents could show, for example, which employees work on portfolios of interest -- say, Ukrainian relations -- and could aid in targeting those people more deeply, either in person or online.

The information copied from State "sounds like all the things you would normally get in the unclassified channel -- schedules, appointments, personnel moves, travel," said Jim Lewis, a former foreign service officer and current cyberspace policy researcher at the Center for Strategic and International Studies. "Far from the crown jewels but still a gold mine for a foreign opponent."

Christopher Bronk, a former diplomat and recent State senior adviser on information security, said there is a valid question as to whether officials can ever truly secure the department's unclassified system.Bronk was a State network user until June.

Bronk suggests that perhaps sensitive daily work should be stored on a network that is physically separated from the Internet.

The Pentagon's unclassified network is called the Non-Secure Internet Protocol Router Network, or NIPRNET, "because it's known to be nonsecure," said Bronk, who also serves as a Rice University computer science professor.  The military's highly-sensitive information travels through an air-gapped system called the Secret Internet Protocol Router Network, or SIPRNET.

Last winter, State requested $10 million to gut its classified and unclassified computer system, even though the agency says the previously reported hack only affected unclassified networks. The department’s budget plan also proposed spending $17.3 million on "architecture services."

"State has been bringing in a lot of people and a lot of expertise for cleanup -- expensive contractors," Bronk said.

State is not alone in the tendency to invest more in security, only after a major network intrusion, he added.

Citing cybersecurity concerns, State officials declined to comment on the timing or nature of the data compromises highlighted in the report. So, it is unclear if the incidents were part of the same operation or the work of separate cyber sleuths.

But, State officials told Nextgov on Thursday that  present information security procedures and policies are working.

"The department has executed -- and today has in place -- an effective cybersecurity program in support of its mission.  That will continue to be the case," State spokeswoman Pooja Jhunjhunwala said in an email.

"We are continuously making improvements, are well positioned today, and have demonstrated our ability to move swiftly and to good effect," she added.

The inspection is a management tool that State values, Jhunjhunwala said.  

"We work closely with our inspector general on their reviews of our information technology systems and processes, and always take their input seriously," she said. "Cybersecurity obviously is and will remain a priority and challenge across the federal government, as in the private sector."

Last November, State disclosed the discovery of abnormal behavior on its unclassified network, after the White House made public the identification of suspicious activity on its unclassified system.

The attackers allegedly hacked a State email account and used it as a launching pad for a malicious email "spearphishing" attack against White House email users.

The inspector general also found that State information security officers neglected their responsibilities, such as reviewing usage logs and reminding personnel about security hygiene.

"Failure to carry out these tasks leaves a system vulnerable to a wide range of threats, such as spear-phishing attacks," Linick said.

After the inspector's assessment was signed -- and following a historic nuclear agreement -- Iranian attackers apparently cracked the email and social media accounts of department Middle East experts, according to recent media reports.

A Nov. 24 New York Times article stated that "over the past month," hackers used the the personal accounts of young government employees to gain access to their friends across the department.

The Times reported that State personnel began to see a worrisome alert pop up on their Facebook pages:

“We believe your Facebook account and your other online accounts may be the target of attacks by state-sponsored actors,” the message read.