State Dept. Uses Outdated, Unsecure, Poorly Monitored System to Spot Visa/Passport Fraud
Though it claims the 9/11 attacks “reenergized” its mission, the State Department branch responsible for spotting visa and passport fraud fails to practice basic security protocols, leaving the nation extremely vulnerable to foreign threats. To keep potential terrorists from entering the United States, the monstrous agency with a $37 billion annual budget uses outdated machines that are poorly monitored and fails to protect data and perform basic security scans, according to a distressing federal audit. The report documents the alarming inefficiencies in a decades-old system—Bureau of Consular Affairs Fraud Prevention Program (CA/FPP)—used by the State Department to determine if foreigners seeking U.S. visas are being candid about their identity and where they have traveled. The goal is to oversee and coordinate the integrity of U.S. visa and citizenship processes by stopping fraud in the visa and passport system, a crucial tool to protect national security.
It turns out that the State Department’s security team is a bit of a joke, according to the incredible lapses documented in the report, which was made public recently by the agency’s Office of Inspector General (OIG). The team doesn’t even bother to patch the system, scan it for computer viruses or audit for evidence of breaches or compromises by hackers. In short, the State Department consular division ignores basic information security practices in this essential program used to screen potential threats. Nearly two decades after the worst terrorist attack on American soil, this is incredibly disturbing. In fact, the report states that “the events of September 11, 2001, reenergized CA/FPP’s mission.” Not enough, apparently. “OIG found deficiencies that included shared passwords and lack of access control lists or visitor logs,” the watchdog writes in its report. In addition, the flawed system’s “security officer did not perform regular patch management or anti-virus scanning on the network or regular audit and accountability reviews to identify data loss or potential intruder activities.”
It gets better, or rather, more enraging. The OIG found that no one monitors the server and the State Department doesn’t keep adequate logs of who accesses the information on the database. In fact, a SharePoint site established by the agency a decade ago to track “possible consular malfeasance” has never even been examined. Auditors found that management was not even aware that the system had never undergone an assessment to determine whether it contained information that exceeded SharePoint’s security categorization. “Without applying appropriate controls, the case management system and its information are vulnerable to unauthorized access or compromise,” the report states. This indicates that breaches could very well have occurred, but we’ll never know for sure thanks to the government’s incompetence. This may seem inconceivable to most Americans as the nation faces serious threats from radical elements.
OIG investigators gathered mountains of evidence in the course of their probe, which drew on interviews with hundreds of State Department personnel and contractors as well as observations of daily operations and written questionnaires. This includes 178 interviews and 224 questionnaires completed by consular officers in the field as well as 54 filled out by agency employees and contractors domestically. The watchdog makes a multitude of recommendations to fix this laughable “security” system, but this very basic one sticks out: “The Bureau of Consular Affairs should implement a website content management process for the Office of Fraud Prevention Programs that includes a dedicated team responsible for the regular updating of website content.” Another simple recommendation is that the State Department’s Office of Fraud Prevention Programs implement required security controls in accordance with federal standards. It’s troubling that the agency watchdog has to suggest these elementary, common-sense approaches for a program that is so imperative to national security.
Then again, this is the same agency that allowed Hillary Clinton to traffic highly classified information on an unsecure, personal email server. It is also the agency run by high-level officials who knew that weak security at U.S. embassies and consulates worldwide could result in a tragedy like Benghazi long before Islamic jihadists raided the Special Mission, killing four Americans.