U.S. Agencies Earn "D" For Computer Security

Fighting.Cephalopod writes "For the fourth year in a row, most federal agencies have received low grades for failing to protect their computer networks from hackers and other cyberterrorists, according to a computer security report card issued today by the House Government Reform Subcommittee on Technology." Other readers point out coverage of the report at ZDnet, Reuters (via Forbes), The Washington Post, and ComputerWorld." As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."

Again, not a surprise

[cspenn]

As long as the US Government continues to rely on contractors and subcontractors who have no interest or profit motive to secure USG networks, the government will continue to be insecure. Compound that with the fact that the government remains married to Redmond for the majority of its end user systems, and it's no surprise that they received a "D".

Frankly, I wouldn't be surprised if the USG turns around and tries to pass additional "information security protection" legislation in response to this study, just like software vendors now do for reviewers. You can't say anything about USG systems under the rubric of anti-terrorism.

Sigh.

news alert: not shocking

[jaredmauch]

I think that until there is significant user-education on this topic, some of the issues raised (weak passwords for example) won't ever be fixed. I think that the movement to a smart-card (oh wait, directv will sue you if you try this but ..) based approach of authentication is the best way. You need the card and a PIN or other text-based password in order to authenticate yourselves. This is how a lot of people work, with these private tokens (eg: SecureID). They are a PITA, but help keep unwanted people out.

NSF got A

[KD5YPT]

See what we get when there's an agency ran mostly by the intellects and not bureaucrats?

Re:How did

[Mullen]

Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.

I think you nailed it on the head. I work at a large company that is very bureaucratic and it is absolutely soul crushing. No matter what you want to do or what needs to be done, there is always someone who will undermined you, attack you or make you jump through hoops. You can gain ground, but you will never win.

I completely understand why government agencies never have good computer systems or security. It is just not possible.

You keep using that word...

[neocon]

You keep using that word... I do not think it means what you think it means...

Whatever you may think about the Department of Homeland Security, it has, in point of fact, the most honestly descriptive of almost any of the department names. That is to say, whether it does a good job or not, it is here to secure the American homeland.

Now, if you want to talk about `Orwellian' names, meaning names like 1984's Ministry of Truth (which handled propaganda), Ministry of Peace (which handled war), and Ministry of Love (which handled torture and brainwashing), let's look at some of the big social-program departments which you seem more fond of:

• The Department of Agriculture -- which pays farmers not to grow crops
• The Department of the Interior -- which mainly handles subsidies for Indian casinos
• The Department of Labor -- which pays the unemployed not to work

just to pick a few examples.

Of course, since the rest of your post is at least as confused as your use of the work ``Orwellian'', right down to your last example (the `Peacemaker', of course, was a famous Colt firearm, as used by the sherrif in just about any old western -- though if you want to wax philosophical, even Gorbachev has admitted that it was the inability to keep up with American defense spending that brought about the Soviet Union's collapse, so the missile made peace in a very literal sense as well), and the general tendentiousness of your claims shows that your looking for political points more than accuracy anyhow...

Re:Here's the score and grade breakdown

[jd]

To put this in a bit of context, the DoE has its own network intrusion detector package, which is encrypted so that only DoE people can use it. (Which is dumb, as it also means nobody can audit it, and it's so much extra work, it's likely little used.)

NASA passed a directive over 5 years ago that all machines were to be behind a firewall, and that public webservers were to be accessed via proxies. In practice, a lot of servers stayed outside of the firewall and security procedures are often ignored.

Probably the worst cases are servers that are accessed by rsh (not ssh - just plain rsh) with .rhosts enabled and used. These servers are amazingly vulnerable. Why? For three reasons.

• First, the servers need to be accessed by archaic scripts on a range of external servers. This would almost be a reasonable excuse, if other authentication systems didn't exist.
  
• Second, NASA (and other Govt agencies) are kept rigidly to the FIPS-180 standard. So rigidly, in fact, that many Govt. agencies are extremely wary of using software that is not specifically stated as approved, even if all the internals are approved. For example, let's say you have an approved implementation of DES, and you then have either NIST's or the DoD's version of IPSec use that for the encryption. Sorry, not OK. IPSec is not on the list. It may be 1000% better than rsh with .rhosts, it may eliminate one of the stupidest vulnerabilities, but they aren't authorized to use it.
  
• Ancient software. This is a killer for many organizations. We are not talking a few weeks out of date, here. We're talking five to ten YEARS out of date, where there are more advisories on vulnerabilities than there are lines of code. In a few cases, vulnerable code that is decades old is still used. I've seen this in virtually every place I've worked. If you want to be secure, you can't just ignore these things. So why do they? There's no incentive to clean things up. Admins get paid to keep the bosses happy. They are not paid to perform major in-depth security audits, and are certainly not paid to find problems. Those cost money to fix. Finding problems is BAD.
  

Why are skript kiddies so successful? Because their code is any good? Don't make me laugh. They're successful because the rules and regulations any organization needs to be successful are wantonly abused, preventing essential maintenance, often because reloading from backup tape is a cost that can be written off, whereas paying for decent security might hurt the balance sheet.

In the case of Government, cost is usually not the reason. Power politics, computer-illiterate officials and self-preservation are far more common. Hackers can be passed off as inevitable. Finding gross failures in the system, though - that would be embarassing and potentially fatal to a career.

It's time to wake up. It's time forn Government departments to realize that the rules are intended to promote security, by ensuring that buggy code is prevented from being used. The rules were never intended to impose buggy code! Nor were they intended to encourage faulty practices.

I do not consider it acceptable that an organization that has taken on the responsibility of running the country cannot be relied upon to even run a server properly. If you cannot be trusted with something minor, how can you be trusted with something major?

This will never happen, but I believe that any Government agency that scores below a "B" on any task that it performs should be relieved of that task. I would like to see something similar in the private sector, with shareholders actively enforcing high standards (and thereby raising the value of the stock) rather than relying on the price to magically rise of its own accord.

These are the kinds of standards an employee would be held to, for designated work. Why, then, should implicit work be held to a lesser standard?

govt IT

I work for one of the agencies that failed (and thus am posting AC because I don't think they'd like this).

I'm in a general research facility (nothing classified, etc.) with about 70 people, most of whom have one or more computers. We have 30% of one person's time as IT staff because our agency will not give us funding to hire anyone else. This person has little or no training in computer security. I worked as a unix sysadmin for a few years, and know more about the nuts & bolts of IT security than our IT person. Given the way the govt determines pay grade, we couldn't hire a compenent IT person even if we had the money, because we couldn't offer enough money.

Anyway, what this boils down to is that everyone is responsible for the security on their own computer. With no training, and no time allocated for doing so, since everyone has a full slate of tasks of their own (yes, despite being federal employees we do work pretty hard). My location doesn't have an enforced security policy, even on things so definitely hazardous as enforcing the use of antivirus, not using un-passworded windows shares, etc.

Even worse, the agency in question requires admin staff to use custom-written and obsolete administrative programs that won't run on an OS newer than Windows 98. The people dealing with payroll and personnel data have the least securable computers. Nice, no?

Our regional IT staff don't seem to have much formal security training, and have made some decisions I consider questionable. The agency IT staff have also done some odd things, like recently forcing us all to switch our email to GroupWise.

From my perspective, yes, we deserved our failing grade. It's primarily due to lack of support for creating and maintaining a coherent security policy. There's no substantive training, and very little awareness among the higher-ups of the needs of facilities like mine, where everyone has different technology requirements to perform their duties. The administrative legacy software issues don't help either.

just sign me... not admitting to anything. :)