Summary: With malicious attacks on computer systems on the rise, GAO assessments have found that computer systems at the State Department are vulnerable to hackers, terrorists, and others seeking to damage the Department's operations or reap financial gains. For example, by accessing State's systems, someone could obtain sensitive information on diplomatic negotiations and agreements. Although State has some projects under way to improve the security of its information systems and help protect sensitive information, it lacks a security program that allows State officials to comprehensively manage the risks associated with the Department's operations. Clearly, State needs to speed its efforts to address these serious information security shortcomings. So far, however, its top managers have not shown a commitment to doing so. Internet security was the only area in which GAO found that State's controls were adequate. Plans to expand Internet use, however, will create new security risks. If State increases its use of the Internet before instituting a comprehensive security program and addressing the additional vulnerabilities unique to the Internet, it will unnecessarily increase the risk of unauthorized access to its systems and information.
