US State Dept has no idea if its IT security actually works, say auditors

The US Department of State has largely failed to implement an effective cybersecurity risk program, auditors concluded in a report last week. That means a crucial arm of the American government is potentially wide open to cyberattacks it may not be able to identify or stop. The State Department, which handles diplomacy and US …

  1. Yet Another Anonymous coward Silver badge

    US State Dept has no idea if it works

    How do you know if the State Dept is working ?

  2. An_Old_Dog Silver badge

    Office Politics: The Root Cause of the Mess

    Factionalism, territorialism, jealousy, power-grabbing, and back-biting office politics all contribute to creating and maintaining a fragmented and ineffective IT landscape.

  3. ChoHag Silver badge

    > The department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected,

    No it bloody doesn't.

    > Like every large organization with a global presence

    Oh I see. Carry on.

  4. Pascal Monett Silver badge

    "no idea if its IT security actually works"

    Let's take the safe route and say no, it doesn't.

    And it is right, its IT security doesn't work. I'm sure there's a hacker somewhere that will be happy to demonstrate.

    Anybody in Moscow interested ?

    1. amanfromMars 1 Silver badge

      Re: "no idea if its IT security actually works"

      Anybody in Moscow interested ? .... Pascal Monett

      Yes. Of course. Is there any doubt? And from Russia with love. And from Russia with love.

  5. mikus

    If anyone bothered to actually properly audit, and not the old buddy wink and a nod audit, they'd find most State and Local Muni orgs across the US operate the same way. I used to consult at many of them locally, they certainly don't here, and having worked enough sampling of the rest of the US too, have no doubt. No one in government actually implements proper measures, they buy something, pay a consultant, pray it works to drop a bit extra in the hat on Sunday when done, and when it doesn't, hand a claim over to insurance to go back to waiting for their pension to kick in.

    1. Robert Helpmann??

      Been there, done that

      I've worked in security for State, Defense and HS. DoD consistently has been the best in my experience. That should not be a surprise. State was too chaotic for my taste. I certainly hope they get it together quickly, but I won't be asking to help with that.

    2. theOtherJT Silver badge

      It's not just in government, and it's not just the US. I have never worked anywhere where we would have passed an audit that I carried out to the actual letter of any of the ISO or BSI or whatever other rules we might claim to be complying with. It's always "Do just enough to get it by letter of the law according to the overworked auditor who won't actually look too hard" never "Do the actual thing the intent of the law meant for us to do" because actually complying will always upset too many people who don't want their day made harder by having to actually follow procedures and be seen to follow them.

      I like to imagine it actually works in say, nuclear, or aeronautics, because that lets me sleep better at night... but I wouldn't want to bet on it.

      1. Anonymous Coward

        but I wouldn't want to bet on it

        you are right, don't bet...
