Take a moment and visualize an octopus with its long slimy limbs protruding out from its large round ugly head. In your mind, gently place the octopus head down onto C Street in Foggy Bottom. And then carefully stretch the various limbs across the entire world to each of our several hundred embassies and consulates located in places such as the Middle East. You now have a general idea of the complex network supporting email for the US State Department.
Now take a moment and visualize each of these embassies and consulates having a local culture of power and autonomy – one that is not easy for wonky information security professionals to control remotely with strong data handling policies developed back in Washington. And if you embed a nervous system throughout the octopus so that a cyber wound felt anywhere on the octopus is immediately felt everywhere else, then you have a general idea of the massive cyber attack vector associated with the global Department of State network.
Given this dangerous situation, it is my view that nation states such as Russia have already compromised official US State Department email – and I mean all of it. If you believe this – and most of my cyber security colleagues do – then the urgent architectural consequence is to isolate the critical data, including email, from that vulnerable network. And that means scattering servers across distributed segments that are not part of any default-trusted enterprise. (If you are a geek, then you know this is done either virtually with data security micro-encapsulation or physically via network segmentation.)
None of this is a political statement, by the way. It is just basic Cyber Security 101. Take Chris Wallace at Fox, for example. He probably has a PC sitting on some Fox server on their corporate network, and I’d bet anyone a dinner that the Russians are already onto his PC. This is because any successful breach of any PC, server, or application on the Fox data network provides a direct path to Chris Wallace’s PC. If he asked me how to better protect his data, I’d recommend that he, ahem, set up a server away from the corporate network.
So if the new Secretary of State asks for help next year, my sincere advice, based on three decades of experience protecting email, will be to do two things. First, the old-fashioned perimeter protections found at the State Department need to be virtualized, distributed, and upgraded. This will be a big project and will require considerable technical expertise and resolve. But second, while the infrastructure kitchen is being painted, I’d take the afternoon off to quickly move all of the email appliances out of the network and down into some isolated basement, where they’ll be much safer.