Slashdot Mirror


U.S. Agencies Earn "D" For Computer Security

Fighting.Cephalopod writes "For the fourth year in a row, most federal agencies have received low grades for failing to protect their computer networks from hackers and other cyberterrorists, according to a computer security report card issued today by the House Government Reform Subcommittee on Technology." Other readers point out coverage of the report at ZDnet, Reuters (via Forbes), The Washington Post, and ComputerWorld. As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."

33 of 302 comments

  1. How did by dan dan the dna man · · Score: 5, Interesting

    the Department of Homeland Security do?

    --
    I don't read your sig, why do you read mine?
    1. Re:How did by flamingnight · · Score: 5, Interesting
      According to the ZDNet article,
      The newest department in the federal government, the Department of Homeland Security, got off to a bad start with an overall "F" for its computer security, despite the fact that securing the nation's network is part of its mission.


      Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.
    2. Re: How did by Anonymous Coward · · Score: 2, Interesting

      I'm a contractor doing part of the TSA network buildout. I'm kind of curious to know how they evaluated the DHS. DHS is largely a rollup of a lot of pre-existing agencies. I don't think any of those agencies have had their IT functions touched by DHS yet. As far as I know the only IT components of DHS that have really been built by the DHS since its inception is the DHS HQ. DHS inherited TSA from the DOT as a project already in progress. Furthermore DHS/TSA aren't even doing their own IT, it's all outsourced to a large, Blue Bell, PA-based integrator.

    3. Re:How did by kevlar · · Score: 3, Interesting

      I'm sure there is little to no standard on de-classified computer systems in the govt. When it comes to classified systems and networks, the government is pretty damn secure.

      The problem as I see it from the ZDNet article is that secretaries and such have unsecured linux/windows/etc machines sitting under a desk running some support application. Nobody really cares enough to secure it (if they even know it exists).

    4. Re:How did by Strange Ranger · · Score: 4, Interesting
      Good!

      If they're so completely ineffective at one of the most fundamental tasks they've been assigned, maybe they'll be ineffective at further eroding our civil rights.

      They got off to a bad start much earlier, when they created the department, named it, and put Ridge in charge. Apparently he is well attuned to the media though...

      Remarks by Secretary Tom Ridge at the National Cyber Security Summit

      For Immediate Release
      Office of the Press Secretary
      December 3, 2003
      ** Remarks as Prepared **
      I was going to pull out some quotes, but the fact that it came out 6 days before their 'F' says quite a bit already.
      --
      Operator, give me the number for 911!
    5. Re:How did by cptgrudge · · Score: 2, Interesting
      I work for a mid-size school district. I found many of these problems in front of me when I started, but then I orchestrated the removal of my boss and took his job. Now I am the head of IT and I am somewhat of an ambassador of technology to the administration. Things are going well now.

      It's a political game. You gotta play it to get ahead or get things changed.

      (It really wasn't as bad as it sounds. I'm not a bad person, I don't think.)

      --
      Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
    6. Re:How did by calyphus · · Score: 3, Interesting
      When it comes to classified systems and networks, the government is pretty damn secure.
      That's wishful thinking on your part. The point of the review is to review all systems.
      Chairman Putnam added, "One of the most disturbing findings is that 19 of the 24 agencies reviewed had not completed an inventory of their mission critical systems. Obviously, an agency can't ensure its systems are secure if it can't account for all of its mission critical systems."
      If they can't even identify and inventory 'mission critical systems,' it can't be claimed that those critical systems are secure.
      --
      The potato it is uninformed.
    7. Re:How did by demachina · · Score: 4, Interesting

      I haven't read the details of how this report is generated but the Washington Post said the agencies self report the data. As a result the whole thing should be taken with a grain of salt. Getting an "F" could be a cynical ploy by an agency to make itself look bad and get billions more dollars to spend on new computers. These are bureaucracies and they tend to work this way especially when it comes to maximizing their budgets and the deficit.

      The report would be much more credible if an independent inspector general or analyst audited the agencies and probed their defences. Perhaps someone who knows can describe how the report is produced and how likely it is to be a meaningful assessment of real security.

      --
      @de_machina
    8. Re:How did by HBI · · Score: 4, Interesting

      I'm sure there is little to no standard on de-classified computer systems in the govt.

      Totally not true. SBU systems (sensitive but unclassified) have very clear standards. Encryption and interconnection standards are very precise. Drives get wiped, etc.

      I know in DoD these are taken seriously. In other departments? I think things are more slack at the Dept of Agriculture, for instance. :-)

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    9. Re:How did by NastyGnat · · Score: 3, Interesting

      I'll vote on the idiots side of it.

      A) Homeland Security E-mail is NOT encrypted and it is regularly sent to hotmail and other "webmail" based accounts. What IDIOT would allow that? (note: They are taking steps to get rid of the webmail accounts)

      B) The bunch of folks I've been working with in regards to other homeland security stuff don't know the difference between a passive and active FTP session.

      I'm not saying they are all idiots... but toss a few idiots in with the PHBs and don't expect anything graceful to come out of it.

      --
      -- this space for rent --
  2. let me get this straight by perlchild · · Score: 4, Interesting
    As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."

    so let me get this straight, if all those failed security provisions are hacked, you'd get:
    1) hacked into the place that controls whether or not you go to prison (funny they're also the ones that investigate election fraud if I recall, I could be wrong, I'm Canadian)
    2) hacked into the place that controls nuclear power plants
    3) hacked into debt (identity theft) through the place that controls employment, etc...
    4) hacked into the place that determines if there is war or not
    (agriculture, interior, and "housing and urban development" weren't good targets)

    *notices how Canada doesn't announce that kind of thing, I think they're embarrassed at how badly they do*
  3. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  4. Possible reasons by vchoy · · Score: 4, Interesting

    This is MHO:

    Look how much is spent on 'physical' security and you will see why. A Government agency that is physically attacked (eg bomb, chemical, bio) usually results in human casualties/lives...and is very hard to cover up.

    Now look at attacks on computer security (eg cyber attacks, worms, compromised systems). A Government agency that is 'electronically' attacked 'APPEARS' to not result in human casualties/lives.

    Notice I stressed the word 'appears' in my last comment. I say this because it may be the real situation OR it may be we don't know as previous cases have been covered up...as it is easier for an organisation to cover up these types of attacks.

  5. I'm surprised it wasn't an 'F' Overall by instantkarma1 · · Score: 3, Interesting

    After my experiences dealing with DOD contractors, and their use of firewalls. Specifically, firewalls were used to strip out javascript on the fly; they were not used to block unauthorized access (that, of course, was left up to the administrator of each individual server).

    Needless to say, this does not lend itself to a centralized, comprehensive security plan.

  6. Sad.. by hookedup · · Score: 4, Interesting


    Added Chairman Davis, "I'm deeply concerned that too many agencies have not yet responded to FISMA's requirements; for example, the fact that 79 percent of agencies don't even have accurate system inventories casts doubt over the entire reporting process."

    I work in IT for a govt. agency here in Canada, and to not have an accurate inventory of our hardware is absolutely unthinkable. 79% of agencies having no idea where their systems are (and aren't) is a recipe for disaster.
    This whole thing reminds me of a couple of years back, when a CSIS (Canada's spy agency) agent went to an Ottawa Senators hockey game, leaving her laptop in her car, only to have it stolen when the car was broken into.

  7. Ugh. by dwaggie · · Score: 3, Interesting

    The main problem with ALL government agencies is that almost all of their actually employed work is 90% opened only to internal candidates. And they try to fill it in that way. Why? Because background checks cost a lot of money, and getting clearance for people up into the higher echelons would cost even more. That's the main part of your problem right there, really. If they hired more people externally, and paid them what they're worth, no problem at all.

  8. Re:Again, not a surprise by cspenn · · Score: 5, Interesting

    I used to work for a government contractor a couple of years ago. Security - even when we got security guidelines, my fellow coders picked and chose which of them they actually felt like coding.

    Now, should they have been canned? Absolutely. Were they? No. Is that the government's fault? Only partially, in the sense that the government didn't have any way of verifying whether the work we were doing met the standards they specified. Management at the government and at the contractor simply agreed that things looked good, and that was that.

    Hence my comment.

  9. Take it with a grain of salt by ViolentGreen · · Score: 2, Interesting

    Did you actually expect anything different? Most anytime a report comes out about a government agency, it is bad. The whole point of having a report is to show that it is bad. I'm sure the points that are raised are valid but I hardly think that the report was supposed to be balanced.

    --
    Not everything is analogous to cars. Car analogies rarely work.
  10. Re:Again, not a surprise by div_2n · · Score: 4, Interesting

    The only thing that WOULD be good in my opinion is setting up liability legislation. If any contractor or software company KNOWINGLY designs and deploys a system whether hardware or software without making security a key design consideration in the interest of making the lowest bid, then they should be liable.

    There comes a point of accountability when contractors should stand up and say, "I won't do this project if you won't fund the proper security design issues."

    You wouldn't knowingly make cuts that would affect whether a system actually operates or not. Security shouldn't be any different.

    I have turned down jobs before when I knew that what they asked was completely at odds with the client's best interest. I told them that and they understood.

    Equally should agencies and companies be held liable if they knowingly deploy a system that is fundamentally insecure in the interest of just "getting it done." A bank would be held liable if they left their front doors wide open and their vault unlocked overnight. Leaving security unconsidered in computer and software systems should be treated equally if not more harshly.

  11. Re:As an employee by Kyoya · · Score: 2, Interesting

    Well that may be true internally but a spot check of that server list listed all 4 that I looked up as running Solaris with Netscape.

    Kyoya

    --
    To strive, to seek, but not to yield
  12. Re:Again, not a surprise by pointbeing · · Score: 2, Interesting
    I'm a sysadmin for an agency under DoD - those contractors work for me, sort of.

    The government's responsibility in IT is project management - at least in the agency I work for. You wouldn't expect your CIO or any other manager to be 100% up to speed on latest IA trends - that's what we have contractors for. Government IT professionals make decisions based on input from the people who actually do the work.

    I've worked both sides of the fence. I spent four years in this agency as a contractor heading up desktop support - at the time we had 3200 users in >100 locations. I started as a federal employee two years ago and now supervise the same contractors I was working with.

    I'm not bashing you, but if the government doesn't pay you enough, maybe getting another job is an idea? I don't know anyone who was forced to take a job with the feds - it's reasonable to expect IT professionals to do the best job they can and identify where their employer is deviating from best practices.

    That's why they call them professionals.

    --
    we see things not as they are, but as we are.
    -- anais nin
  13. Re:Here's the score and grade breakdown by corbettw · · Score: 2, Interesting

    DHS 34 F

    Who's surprised that the department charged with protecting our nation's infrastructure got the lowest score?

    Tell me again that government is the answer to all life's problems.

    --
    God invented whiskey so the Irish would not rule the world.
  14. Another computer "security" planted story by base3 · · Score: 2, Interesting
    Notice how computer "security" gets a lot more press these days? Pretty soon, Joe Sixpack will be clamoring for his TCPA/Palladium/NGSCB "protected" PC that he believes will protect his data. Little do Joe and friends know what they'll be buying.

    Sure, non-locked hardware won't be illegal right away, but it'll get a lot more expensive when it isn't mass-produced because it can't run Longhorn.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  15. Winding Up for the Throw by 4of12 · · Score: 2, Interesting

    All of these security problems at Federal Agencies, with Blaster, Welchia, spam, "piracy" etc. are going into a big hopper, where they will be used as reasons to justify TCPA, aka the Death of My Computer.

    In a nutshell,

    "Since IT security is in a such a poor state right now, the solution is obviously to put greater power in fewer hands."
    Yeah, right.
    --
    "Provided by the management for your protection."
  16. So here's how it worked for us by Anonymous Coward · · Score: 5, Interesting
    I'm a sysadmin at a non-secret DOE national lab, which is run under contract by a non-profit corporation. I'm posting anonymously 'cause people higher up don't like this sort of thing discussed publicly.

    So several years ago our Lab got handed an ultimatum that we had to come up with a security plan; our computing folks wrote up a proposal, it got sent back with issues needing clarification, there was another round, etc. This went on for about a year. Finally we get one of the drafts back, and we're told, in so many words, "this one's good, you have 6 months to have it in place".

    So now we have 6 months to redo every system on site, with no added budget to do so and no relaxation of other goals. To have any appearance of complying we basically had to set up a system for granting exemptions where each system exempted had to present a timeline for when it would be completed, etc. So at the end of the 6 months we were able to say that everything was either under the security plan, or had an exemption on file saying when it would be under the plan, or how it would be put behind a firewall, etc.

    But the real problem was that the proposal should have been met with discussion of a reasoned, planned schedule, and sufficient resources to implement it, rather than pretending a major security rework could be rolled out for free in 6 months. This goes all the way up to Congress, who passed this law about having agencies report on computer security, but so far as I know didn't designate any funds to pay anyone to do anything about it.

  17. Re:Again, not a surprise by pointbeing · · Score: 2, Interesting
    If you have administrators who are limited by inept guidance, what do you expect!

    Being a federal employee and a sysadmin I expect the contractor to inform his government.

    I just used the DoD Wireless STIG to draft an 802.11 policy for the agency I work for. It actually wasn't a bad piece of work :)

    DISA is still trying to make 802.11 impossible in DoD - but we're working out the kinks now.

    --
    we see things not as they are, but as we are.
    -- anais nin
  18. Bureaucracy is the reason by Ignorant Aardvark · · Score: 5, Interesting

    My father is a lawyer for the Department of Justice, and part of the reason for the insecurity is the federal bureaucracy. I'm a Linux advocate and my dad is a pretty techie guy. He was running a webserver on the WAN for his colleagues and wanted me to help him set up Apache. That was shut down directly by his superiors: Microsoft IIS is the only webserver "supported and recognized" by the IT department, and anything else is not allowed. In addition, the only browser you are allowed to use is IE and the only mail reader you are allowed to use is Outlook. I really wanted to help my dad secure his workplace by switching him away from a mailviewer that executes all attachments and a webserver known for its insecurities. But the Microsoft culture is so entrenched there that it wouldn't fly.

  19. Why not see this as an opportunity to do good? by LazloToth · · Score: 2, Interesting


    Okay, I know, I know - - I'm the soft-hearted liberal who still thinks government does some good and stops some evil. Anyway, with such lousy marks coming out, why don't some of the Slashdot geniuses who are not yet employed go into consulting, get some security contracts, and make some dough while improving things for all of western society?

    Just a thought . . . .

    On the other hand, we could just go on talking about how lousy the government is in every aspect and wait for the whole thing to implode like a cow patty.

    --
    It's only funny until someone gets hurt. Then, it's hilarious.
  20. Re:The test is biased!!! by zulux · · Score: 2, Interesting


    We can't have this much failure in the US Government!!!

    These security grades are obviously created by the MAN to keep their security grades up while making everybody else look BAAAAAAD.

    We need a newer test that encompasses more to make it fair. I suggest we measure the following to determine their security grades.

    Are their packet filters inclusive?
    Do they secure AppleTalk, Token Ring or just Ethernet?
    Do they set aside special days and allow special packets in?
    Do they support 2 letter passwords, and not just the 8 letter ones that advantaged people can type?
    Do their proxy servers filter out gender discriminatory words like 'He' or 'Mister'?
    Do their computers have master/slave IDE systems?

    Just an example of how the current test is biased.

    --
    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  21. Patriot Act by QEDog · · Score: 2, Interesting
    The newest department in the federal government, the Department of Homeland Security, got off to a bad start with an overall "F" for its computer security, despite the fact that securing the nation's network is part of its mission

    The sad thing is that instead of fixing these things, they go on and take away liberties from the citizens to prevent ' terrorism '. Patriot Act anyone? So, for their ineptitude, we lose our rights.

    --
    "There is no teacher but the enemy."-Mazer Rackham
  22. Re:I'm a govt network admin... by Anonymous Coward · · Score: 5, Interesting
    I work for a government agency (also not federal but state.) And I'll back up what you are claiming. I'm probably one of the highest ranking technical people in the dept and definitely the highest ranking in regards to network security. It's not uncommon for non-tech superiors to order very insecure things to be done, especially if their proprietary app "requires" it to work.

    I wanted to replace TELNET access with SSH to our most important server (manages all budgets, accounting, payroll, and also contains a LOT of data that would be considered a privacy breach if released.) I was informed that this could not be done because a handful of people use an app from the vendor which requires telnet access to work. This server is on a LAN which is accessed by several hundred members of the public daily.

    So I ran ettercap and showed how trivial it was to capture my boss's password and capture the whole telnet session including root password. I was again told that "Yeah, that is a risk, however, you still can't disable TELNET. It is required."

    Of course, the right thing for my boss to have done would have been to pressure the vendor to move to SSH on their app. But that would have cost money after all. I couldn't even filter telnet from the public access systems because it was some of them which actually needed to run the application. In the end all I could do was send a memo detailing the risk to my boss so I could cover my own ass if something happened.

  23. Re:Again, not a surprise by k12linux · · Score: 3, Interesting
    I work for one of these contractors. Frankly, we do exactly what they ask us to do.

    If these departments want to be secure, they need to give guidelines up front

    Frankly I'm not surprised. The whole "lowest bidder" framework is crap in most cases. Here is the process for building our last new school (from a tech standpoint anyhow) if anybody is interested:

    1. Meet with contractor and give very detailed instructions about required wiring closets, cabling, cable drops, etc.
    2. Eventually get a copy of the bid specs and floor plans.
    3. Go over very thick specs book with your stuff scattered all over it and look over floorplans.
    4. Meet with contractor again and point out that a) there are NO wiring closets, b) drops are not marked on plans, c) none of the fiber you asked for is included, and d) the cable types are not what you specified.
    5. Receive addendum to specs which appears to fix everything.
    6. Specs go out for bid
    7. Vendor who you have worked with before realizes things still aren't right and doesn't want to lose out on the bid but doesn't want to get a bad image with you either sets up a meeting to point out all of the remaining problems with the specs. (This only happens if you are lucky.)
    8. Send revision request to the contractor/architect again and another addendum to the specs is released.
    9. Finally get everything out to bid.
    10. Choose who gets the bid (again, this was fortunate because often it just goes to the low bidder.)
    11. Sub-contractor contacts you to point out that architect put some copper runs over 400 feet long despite the fact that a wiring closet was right across the hall. (This often doesn't happen with low bidder.. they just do the job as the specs/plans say... any mistakes.. too bad the job is up to spec.)
    12. Eventually building is done and you still find stuff that isn't right.

    With the "lowest bidder" mentality, your specs better be PERFECT and include EVERY little detail on the setup and configuration. You can't assume ANYTHING. You had better include all the details or at least reference standards which do. The vendors who care to do a good job won't get the contract because they'll come in with a higher bid.

    The ones who don't care usually win because they bid exactly what is in the specs... no more, no less. If there is a mistake, they'll build it with the mistake in place. If there is a security hole, guess what.. it goes into the system. And if you aren't writing the specs yourself, watch out. You might get an architect like we had who in one meeting finally admitted, "Well, I really don't know much about this computer cabling stuff."

  24. Bad person, probably not by h8macs · · Score: 3, Interesting

    You are most likely not evil, you just look like it because you like to get the job done, period.

    I have worked in several different companies in the IT field from small to very large. One trend that I have noticed is that a knowledgeable "technical" manager is a rarity. Some may argue that this is not true, I apologize to those managers that are 'actually' hands on at least a little with their admins. I have been lucky and have had a couple of these rare species to learn from.

    From what I have seen, most managers are hired for the position because they have a degree, not a technical degree mind you but a degree (usually management).

    This is appropriate in the managerial sense, however I still feel that to be an appropriate 'technology' manager you can not base your technical experience on your "Intro to Microcomputers" (ASU - consisted of 8 weeks of introductory Java and 8 weeks of Autocad...WTF), or "Using Excel/Powerpoint" classes alone.

    I would be more inclined to have a highly (or moderately so) technical manager who merely has a BS in computer science (minor in business). Shows that his interest lies in the technical domain and supporting his employees in the proper ways (ie...training, mentoring, etc.), rather than someone with an MBA "climbing the ladder" to the next butt-kiss.

    --
    :-( --- argh. Despair, I owe again. :-b