Nearly six years after auditors first warned—back in then-Secretary of State Hillary Clinton’s day—that thousands of unused or neglected State Department e-mail accounts risked “being compromised by unauthorized users for unauthorized purposes,” thousands of similar accounts still exist, according to an internal watchdog report.
By federal rules, the inactive accounts are supposed to be shut down after 90 days. But according to the latest report from State’s Office of the Inspector General (OIG), issued last month, the majority of some 2,600 zombie accounts have been inactive for more than a year, despite department claims that they deleted them from the system.
According to the report, the State Department bureaucracy clean-up is “ineffective,” while the dormant accounts create potential conduits for hackers and a risk that could “compromise the integrity of the department’s network and cause widespread damage.”
If the clearance levels on the accounts were high enough, the report warns, State could suffer undetected losses of personal information from its system.
Despite the strongly worded current warning, bureaucrats at State are digging in their heels over the issue, continuing a longstanding battle over how information technology, and especially email accounts, are controlled—or not controlled.
The OIG e-mail warning got additional resonance from FBI Director James Comey’s assertion at a press conference Tuesday, in announcing the results of the long investigation of Hillary Clinton’s private e-mail servers and e-mail account, that “the security culture of the State Department in general, and with respect to use of unclassified e-mail systems in particular, was generally lacking in the kind of care for classified information found elsewhere in the government.”
The OIG’s warning, issued last month, is in fact only the latest in a long series of the watchdog’s alarms about the lax status of cybersecurity at State, often directed at the issue of unused e-mail accounts.
The most dramatic claxon came in a heavily censored report in October, 2014, that cited “control deficiencies” across 102 different State Department information technology systems OIG had tracked for five years—into Clinton’s tenure at State– and charged that “many of the same deficiencies have persisted” over all that period.
Within weeks, a wave of hacking attacks shut down State’s unclassified e-mail system entirely. In roughly the same time frame, an even more spectacular round of hacking, believed to originate in China, began at the White House Office of Personnel Management and later at private contractors, that led to the loss of some 25 million sensitive U.S. government personnel files.
The extent to which inactive email accounts contributed to OIG’s bleak 2014 cybersecurity assessment is unclear, since 22 of the document’s 33 recommendations, along with much of its analysis of State’s lapses, were redacted.
Nonetheless, the report notes that “thousands” of such accounts existed, “posing a significant risk for unauthorized access and use.”
Another OIG audit that was published at roughly the same time in 2014 noted that the bureau in charge of managing the issue had more than 44,000 e-mail accounts in excess of State’s total number of 78,791 employees, but did not mention how many were inactive. The same audit noted that at State, “there was no structure in place to prevent user accounts from being established without proper authorization by…system administrators.”
The auditors dryly noted that a heavy pruning of the undead accounts started to take place even as they began their work. That pruning evidently continued—in part because State handed out new so-called personal identity verification (PIV) cards to employees in the wake of the 2014 attacks, which undoubtedly focused attention on who was using their e-mail accounts, and who wasn’t.
The OIG notes that the roll-out plan for the PIV cards does not “prescribe a method for identifying and removing inactive accounts that are not required to complete the PIV process, such as mailbox, service, and terminated user accounts.”
Meantime the percentage of long-term dormant e-mail accounts in the latest OIG examination of State’s e-mail directories—6.4 percent– is not far different from what it was om 2015—7 percent.
The main issue, so far as OIG is concerned, is that State has steadfastly refused to centralize its system for managing e-mail accounts.
Instead, the bureaucracy depends, as the newest watchdog document puts it, on a “delegated model” where system administrators with State Department bureaus “manually disable inactive accounts rather than using an automated process to identify and disable inactive accounts as stated in the Foreign Affairs Handbook.”
The OIG auditors say that they are still tracking “open” recommendations from their previous report on the e-mail management issue—meaning those particular recommendations remain to be completed.
In their latest report they add two more recommendations: urging the appropriate State Department bureau to “develop a plan to effectively identify and remove” a variety of the inactive accounts left untouched by its PIV card system, and that the Department also actively “implement” the new plan –a reference to the fact that its previous recommendations have not spurred much action.
The State Department’s response to the two proposals: nothing doing. An official rejoinder attached to the OIG report says in response to both recommendations that the PIV card scheme has “been completed and does not lend itself to amendment.”
It also asserts that “we continue to routinely delete stale accounts,” and scrub for additional ones—a claim that OIG says the evidence contradicts.
In response to a query from Fox News, a State Department official said that “we continue to make steady progress in reducing the number of privileged users, improve the process whereby these users get accounts, and tighten the management of application specific privileged accounts.”
The official added that “as a matter of policy” the department “does not comment publicly on the specific OIG recommendations.”