U.S. Agencies Earn "D" For Computer Security
Fighting.Cephalopod writes "For the fourth year in a row, most federal agencies have received low grades for failing to protect their computer networks from hackers and other cyberterrorists, according to a computer security report card issued today by the House Government Reform Subcommittee on Technology."
Other readers point out coverage of the report at ZDnet, Reuters (via Forbes), The Washington Post, and ComputerWorld. As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."
As long as the US Government continues to rely on contractors and subcontractors who have no interest or profit motive to secure USG networks, the government will continue to be insecure. Compound that with the fact that the government remains married to Redmond for the majority of its end user systems, and it's no surprise that they received a "D".
Frankly, I wouldn't be surprised if the USG turns around and tries to pass additional "information security protection" legislation in response to this study, just like software vendors now do for reviewers. You can't say anything about USG systems under the rubric of anti-terrorism.
Sigh.
I think that until there is significant user-education on this topic, some of the issues raised (weak passwords for example) won't ever be fixed. I think that the movement to a smart-card (oh wait, directv will sue you if you try this but ..) based approach of authentication is the best way. You need the card and a PIN or other text-based password in order to authenticate yourself. This is how a lot of people work, with these private tokens (e.g. SecurID). They are a PITA, but help keep unwanted people out.
Let's flip this 180. Is there anything those agencies would get an "A" on? Didn't think so, so why should we be disappointed with this news?
See what we get when there's an agency run mostly by the intellects and not bureaucrats?
In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
The best security is good old fashioned non-networked computers. Wireless is bad. Know the source (code), and don't buy applications and OSes from shifty amoral uber geeks, even if they are smarter than you.
"The war is over, we lost"
Welcome to the new America, where the "Forest Service" has finally completed its transformation into a lumber industry-owned and -operated body, the "Immigration and Naturalization Service" uses a voluntary registration program to evict the foreign residents who show up, and the "Environmental Protection Agency" has its rules set by the industries who're meant to be restrained by them. Meanwhile "Family Planning" is about keeping information away from women -- or about pushing false information to do with bogus correlations between abortions and breast cancer. Oh, and did I mention that when terrorists blow our kids' legs off that's a good thing, because it means we're fighting them where they live? (When they don't blow up our kids, naturally, that's also proof we're winning...)
We've had our moments before -- the idea of Nuclear deterrent never did quite convince anyone that "Peacemaker" was the perfect name for a missile -- but truly, there's never been a more quintessentially Orwellian moment in American history. This is the real goods. Take a look at that name: "Homeland Security."
The only reason that government agencies are able to get away with this is because nothing embarrassing has happened yet. Wait until a hacker manages to get a few thousand social security numbers from a government agency computer - then we'll see some real change.
I think you nailed it on the head. I work at a large company that is very bureaucratic and it is absolutely soul crushing. No matter what you want to do or what needs to be done, there is always someone who will undermine you, attack you or make you jump through hoops. You can gain ground, but you will never win.
I completely understand why government agencies never have good computer systems or security. It is just not possible.
I did contracting work for the government and most of the blame lies in trying to do anything with a couple of government employees in charge of what actually gets done. The stereotype of them being lazy and generally slow to get anything accomplished is absolutely correct. When you mix a fast paced IT world with a "I can coast until retirement" attitude you get bad things happening. The other half of the problem is the users who put the password for their windows login and dialin on a sticky note on top of the laptop. On the other hand, any of the actual critical servers were well monitored and they would track down any break-in attempts, etc.
Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.
Not a federal govt IT guy, but I work for a state govt organization. The bureaucracy is a BIG PROBLEM. My fellow IT workers and myself are definitely not complete idiots. If we had our way, we'd ditch all the insecure technology (i.e. MS stuff) in a heartbeat. The problem centers around our upper management *ordering* us to do insecure things, like place an unprotected windows server directly on a routeable internet segment outside of the firewall, because some cheesy piece of software they bought (and again, *ordered* us to install) will work no other way, and they just flat outright don't give a damn about our security concerns. Now when such a box gets hacked, all of a sudden it's our fault. This is much akin to the senior-ranking bigshots ordering the fire marshal to allow them to light up cigarettes at gas stations and/or ordering the police chief to not dare even think of hassling them for driving around while DUI.
You keep using that word... I do not think it means what you think it means...
Whatever you may think about the Department of Homeland Security, it has, in point of fact, the most honestly descriptive of almost any of the department names. That is to say, whether it does a good job or not, it is here to secure the American homeland.
Now, if you want to talk about `Orwellian' names, meaning names like 1984's Ministry of Truth (which handled propaganda), Ministry of Peace (which handled war), and Ministry of Love (which handled torture and brainwashing), let's look at some of the big social-program departments which you seem more fond of:
- The Department of Agriculture -- which pays farmers not to grow crops
- The Department of the Interior -- which mainly handles subsidies for Indian casinos
- The Department of Labor -- which pays the unemployed not to work
just to pick a few examples. Of course, since the rest of your post is at least as confused as your use of the word ``Orwellian'', right down to your last example (the `Peacemaker', of course, was a famous Colt firearm, as used by the sheriff in just about any old western -- though if you want to wax philosophical, even Gorbachev has admitted that it was the inability to keep up with American defense spending that brought about the Soviet Union's collapse, so the missile made peace in a very literal sense as well), and the general tendentiousness of your claims shows that you're looking for political points more than accuracy anyhow...
I'm also an employee of a federal agency, and one thing I do have to say is there are two distinct levels of security.
There are the workstations, which are all Win2k, with tons of security holes, and we still have a horrible blaster/welchia/nachi problem. However, while they are insecure, they primarily deal with administrative stuff. The most you'd be able to get from hacking 90% of these systems is like a calendar or memos about the Christmas party.
The REAL data is all kept off-site, locked down in unix machines, with real, professional systems administrators and far, far, better security. You're not even allowed to LOOK at secure data unless you've gone through an IT security course.
We've also got a firewall that's locked down pretty tight, and very tight controls on outside access to the network -- very few people get in through the firewall, and they all have to use SecurID and the access is monitored closely.
So, while there's SOME reason to be concerned, I don't think the problem is NEARLY as bad as this makes it seem. Basically, I think the main worry with regards to security are internal things like disgruntled employees, not external threats like hacking.
That said, after I read about what happened to Valve with the Half-Life 2 binaries, I think we are probably vulnerable to a determined cracker like that, who knows exactly what he wants and how to get to it. But then you're talking about a serious criminal endeavor and I don't know how many systems could withstand that kind of attack.
NASA passed a directive over 5 years ago that all machines were to be behind a firewall, and that public webservers were to be accessed via proxies. In practice, a lot of servers stayed outside of the firewall and security procedures are often ignored.
Probably the worst cases are servers that are accessed by rsh (not ssh - just plain rsh) with
Why are skript kiddies so successful? Because their code is any good? Don't make me laugh. They're successful because the rules and regulations any organization needs to be successful are wantonly abused, preventing essential maintenance, often because reloading from backup tape is a cost that can be written off, whereas paying for decent security might hurt the balance sheet.
In the case of Government, cost is usually not the reason. Power politics, computer-illiterate officials and self-preservation are far more common. Hackers can be passed off as inevitable. Finding gross failures in the system, though - that would be embarrassing and potentially fatal to a career.
It's time to wake up. It's time for Government departments to realize that the rules are intended to promote security, by ensuring that buggy code is prevented from being used. The rules were never intended to impose buggy code! Nor were they intended to encourage faulty practices.
I do not consider it acceptable that an organization that has taken on the responsibility of running the country cannot be relied upon to even run a server properly. If you cannot be trusted with something minor, how can you be trusted with something major?
This will never happen, but I believe that any Government agency that scores below a "B" on any task that it performs should be relieved of that task. I would like to see something similar in the private sector, with shareholders actively enforcing high standards (and thereby raising the value of the stock) rather than relying on the price to magically rise of its own accord.
These are the kinds of standards an employee would be held to, for designated work. Why, then, should implicit work be held to a lesser standard?
I work for one of the agencies that failed (and thus am posting AC because I don't think they'd like this). :)
I'm in a general research facility (nothing classified, etc.) with about 70 people, most of whom have one or more computers. We have 30% of one person's time as IT staff because our agency will not give us funding to hire anyone else. This person has little or no training in computer security. I worked as a unix sysadmin for a few years, and know more about the nuts & bolts of IT security than our IT person. Given the way the govt determines pay grade, we couldn't hire a competent IT person even if we had the money, because we couldn't offer enough money.
Anyway, what this boils down to is that everyone is responsible for the security on their own computer. With no training, and no time allocated for doing so, since everyone has a full slate of tasks of their own (yes, despite being federal employees we do work pretty hard). My location doesn't have an enforced security policy, even on things so definitely hazardous as enforcing the use of antivirus, not using un-passworded windows shares, etc.
Even worse, the agency in question requires admin staff to use custom-written and obsolete administrative programs that won't run on an OS newer than Windows 98. The people dealing with payroll and personnel data have the least securable computers. Nice, no?
Our regional IT staff don't seem to have much formal security training, and have made some decisions I consider questionable. The agency IT staff have also done some odd things, like recently forcing us all to switch our email to GroupWise.
From my perspective, yes, we deserved our failing grade. It's primarily due to lack of support for creating and maintaining a coherent security policy. There's no substantive training, and very little awareness among the higher-ups of the needs of facilities like mine, where everyone has different technology requirements to perform their duties. The administrative legacy software issues don't help either.
just sign me... not admitting to anything.
Speaking as someone who spent many years fighting various Good Fights against government idiots, I will say that government agencies will continue to get failing grades on security because they place the whims of incompetent managers above the advice of their technically competent employees. Not all government IT people are idiots, but most of them have no interest in challenging their pointy-haired bosses because those who do suffer pay discrimination and -- if they're really stubborn -- termination. So government sites will remain a monoculture of poorly patched and insecurely configured MS products just waiting for a new virus to slip in and lay waste to everything in sight. In other words, most government sites are like most corporate sites, and for similar reasons.
An upper level government employee gets 50k a year before taxes. The government contractors may get paid more, but it's usually not that much more. Government operates on a lowest bidder mentality, even for its contractor work, which equates to low paid employees.
The highly skilled people in government work are taken full advantage of. Eventually they get tired of low pay and the long hours and they go find a private company who can pay them 80k+ a year to administer their systems/networks/applications or develop software.
So, unless you get a person who is good at their job, and will accept low pay in trade for the pride of doing your duty as a patriot (which is quickly becoming a mocked trait), the cream almost always gets taken by the private industry.
Then there's the fat. Because of bureaucracy and unions, it's nigh impossible to fire a waste of space employee. Those are generally the people who get shuffled around a lot. A lot of the rules that the government has put into place to protect the employee from being shafted have allowed useless people to come in and collect a paycheck every week.
So, now that we know the problem, what's the solution? Do we raise taxes so that its IT can be paid competitive wages? Do we abolish laws that protect the disabled, or the laws that protect employees' rights?
I know I would love to have a solution. It's embarrassing to be immediately associated with ineptitude because I'm government IT.
My thoughts exactly! As the executive branch is hell bent on removing the checks and balances our founding fathers intended and pursuing a martial/fascist agenda it is strangely comforting that they may have a soft white underbelly should they go too far.
This type of activity, and other similar activity, is, unfortunately, not limited to Government agencies. Managers everywhere simply don't grasp the need for security. My present client, which is NOT in the government, actually had a Production Environment web server residing, fully exposed, on the DMZ. The project manager wanted it that way. At least, he did so until we started asking why they didn't move it fully behind the firewall.
In short, inside every manager is a pointy-haired boss. It's not just limited to government.
Ah! The answer to bad government is more government!
Orwellian isn't the only problem with that answer. I'll grant you, it's one of them.
If you notice a systemic problem, you should presume that there is a basic design flaw in the system. I'm sure that one could create models that would display similar characteristics, and then compare them to see what characteristics of the system cause the problems. What would fix them. And what the expectable side effects of the fix would be. This should be a project for a Sociology Thesis or so, and should be done at a University. (I.e., outside of the government.) What the government should do is establish an annual prize for the best computer models of government activity. Possibly accompanied by a few SMALL grants to get it started. (Say enough to hire one grad student full time [What's the going rate?] and buy said student a fancy [$5,000] computer.) Start with several small grants, each to a different school. The winning project gets, say, $300,000 to be divided equally between the student, the professor, and the department.
The gubmint that hides everything from the people and their pesky FOIA requests by abusing the excuse of "national security" can't secure its computers?
Let's see those .torrent files, people. :)
Who knows... the terrorists might break in and delete something important. A well-armed militia backs up the critical files of a government too lame to secure them itself.
1950: "My dog ate my homework."
2001: "My homework is classified for reasons of national security."
2003: "Some hackers deleted my homework."
Do you really want to hear Bush / Cheney / Ashcroft say "sorry folks, those files no longer exist, I guess some hackers deleted them. But we really did find WMD, I promise, and I'd show you the proof if those darn files hadn't been deleted"...?
The best boss I ever had was not technical. He had only technical people working for him, and understood enough of the technology that his nods weren't trying to stay away. What he did though wasn't understand the technology; he translated the technical talk into managerese, and vice versa. He made sure we got the resources we needed, work to do, fair raises, and most of the time wasn't in our way.
Technical managers are better than average, but they suffer from wanting to be engineers. So they try to fit in, not remembering that it takes a long time to really understand a problem and they don't have the time to focus on any one problem to help, much less the particular problem each of us is solving now. A few have made the transition, most fail.
Remember, everyone is hired to do a job. The worst manager I knew (boss's boss's boss) was an excellent manager, motivated and worked hard to get a lot of things that needed doing done. However in seeing and solving all the other problems that weren't her job, she ignored some things that were her job. Eventually she "resigned for personal reasons", but in the meantime those of us who needed her to get things done lost.