Do you have two-factor authentication enabled on your Instagram or Gmail account? Then you may have better cybersecurity than nearly 90% of State Department officials.
Like many apps, Instagram allows users to turn on two-factor authentication to reduce their risk of being hacked. The tool sends a text code to the user's device each time they log onto their account. It's recommended by most security officials as a basic measure to keep social media accounts private.
But while many people use two-factor authentication to keep messages and memes safe on one of the most benign platforms online, the U.S. State Department is using even less security for sensitive government correspondence, according to a General Services Administration assessment of federal cybersecurity.
In a letter released this week, four U.S. senators noted that experts were able to easily exploit vulnerabilities in State Department email accounts and asked the State Department to increase its cybersecurity practices.
“We are sure you will agree on the need to protect American diplomacy from cyberattacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of multifactor authentication,” the letter says. The GSA found that only 11% of devices on those accounts used by the State Department have “enhanced access controls” or multi-factor authentication, the letter added.
The Department is required to answer by Oct. 12 and explain what actions it will take in response to its designation by the Department of State’s Inspector General as “high risk” for its lack of cyber preparedness. The State Department will also have to share the number of cyberattacks that have occurred against its systems in the past three years.
The lack of multi-factor authentication would violate the Federal Cybersecurity Enhancement Act, a law passed in 2015 requiring officials to use multi-factor authentication for all accounts with “elevated privileges,” meaning those that have administrative duties on a computer network.
The letter from the senators is the latest indication that the government is having trouble keeping up with modern cyber threats, said Jessica Ortega, website security analyst at cybersecurity firm SiteLock in Scottsdale, Ariz.
The implications, she said, are huge. If government employees only protect their accounts with a password, they could potentially be exposing all diplomatic negotiations referenced in email, meetings saved on their calendars, and confidential contacts with foreign agents, she added.
Steve Durbin, managing director at London-based independent information security body the Information Security Forum, said he was “shocked” that so many employees at the State Department are not using multifactor authentication. “When we talk about security we often talk about the basics — and for us that is one of the basics,” he said.
Studies have shown government passwords are lacking as well. Half of all passwords associated with .mil and .gov email addresses are “objectively weak,” according to a 2012 analysis by cybersecurity firm WatchGuard of hacked LinkedIn data. Of the 355,023 government and military account passwords within the database, 178,580 were cracked in under two days. The most common passwords protecting these accounts included “123456,” “password,” “linkedin,” “sunshine,” and “111111.”
Ortega said not only should government employees be using better passwords, they should rely on a physical token for multi-factor authentication. Two-factor authentication, while highly recommended by security experts for the average user's account, doesn't always work for high-risk targets. Some dedicated hackers can spoof the phone numbers needed to receive a verification code, meaning they can make it appear they're in possession of someone else's phone number.
For even tighter security, people can use a physical token. That means rather than receiving a text or email, the user has a key, such as a USB or NFC-enabled token, to tap on or plug into the device to verify they aren't a remote hacker. (NFC is a radio technology that transfers data between devices.) These devices are sold by companies like YubiKey for $40 to $50 and Symantec for $20.