Slashdot Mirror

← Back to Stories (view on slashdot.org)

U.S. Agencies Earn "D" For Computer Security

Posted by timothy on from the not-for-delicious dept.

Fighting.Cephalopod writes "For the fourth year in a row, most federal agencies have received low grades for failing to protect their computer networks from hackers and other cyberterrorists, according to a computer security report card issued today by the House Government Reform Subcommittee on Technology." Other readers point out coverage of the report at ZDnet, Reuters (via Forbes), The Washington Post, and ComputerWorld." As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."

14 of 302 comments (clear)

  1. How did by dan+dan+the+dna+man · · Score: 5, Interesting

    the Department of Homeland Security do?

    --
    I don't read your sig, why do you read mine?
    1. Re:How did by flamingnight · · Score: 5, Interesting
      According to the ZDNet article,
      The newest department in the federal government, the Department of Homeland Security, got off to a bad start with an overall "F" for its computer security, despite the fact that securing the nation's network is part of its mission.


      Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.
    2. Re:How did by Strange+Ranger · · Score: 4, Interesting
      Good!

      If they're so completely ineffective at one of the most fundamental tasks they've been assigned, maybe they'll be ineffective at further eroding our civil rights.

      They got off to a bad start much earlier, when they created the department, named it, and put Ridge in charge. Apparently he is well atuned to the media though...

      Remarks by Secretary Tom Ridge at the National Cyber Security Summit

      For Immediate Release
      Office of the Press Secretary
      December 3, 2003
      ** Remarks as Prepared **
      I was going to pull out some quotes, but the fact that it came out 6 days before their 'F' says quite a bit already.
      --

      Operator, give me the number for 911!
    3. Re:How did by demachina · · Score: 4, Interesting

      I haven't read the details of how this report is generated but the Washington Post said the agencies self report the data. As a result the whole thing should be taken with a grain of salt. Getting an "F" could be a cynical ploy by an agency to make itself look bad and get billions more dollars to spend on new computers. These are bureacracies and they tend to work this way especially when it comes to maximizing their budgets and the deficit.

      The report would be much be much more creditable if an independent inspector general or analyst audited the agencies and probed their defences. Perhaps someone who knows can describe how the report is produced and how likely it is to be a meaningful assessment of real security,

      --
      @de_machina
    4. Re:How did by HBI · · Score: 4, Interesting

      I'm sure there is little to no standard on de-classified computer systems in the govt.

      Totally not true. SBU systems (sensitive but unclassified) have very clear standards. Encryption and interconnection standards are very precise. Drives get wiped, etc.

      I know in DoD these are taken seriously. In other departments? I think things are more slack at the Dept of Agriculture, for instance. :-)

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  2. let me get this straight by perlchild · · Score: 4, Interesting
    As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State.

    so let me get this straight, if all those failed security provisions are hacked, you'd get:
    1) hacked into the place that controls whether or not you go to prison(funny they're also the ones that investigate election fraud if I recall, I could be wrong, I'm Canadian)
    2) hacked into the place that controls nuclear power plants
    3) hacked into debt(identity theft) through the place that controls employment, etc...
    4) hacked into the place that determines if there is war or not
    (agriculture, interior, and "housing and urban development weren't good targets)

    *notices how Canada doesn't announce that kind of thing, I think they're embarassed at how badly they do*
  3. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  4. Possible reasons by vchoy · · Score: 4, Interesting

    This is MHO:

    Look how much is spent on 'physical' security and you will see why. A Government agency that is physically attacked (eg bomb, chemical, bio) usually results in human casualties/lives...and is very hard to cover up.

    Now look at attacks on computer security (eg cyber attacks, worms, compromised systems). A Government agency that is 'electronically' attacked 'APPEARS' to not result in human casualties/lives.

    Notice I stressed the word 'appears' in my last comment. I say this because it may be the real situation OR it maybe we don't know as previous cases have been covered up...as it is easier for an organisation to cover up these types of attacks.

  5. Sad.. by hookedup · · Score: 4, Interesting


    Added Chairman Davis, "I'm deeply concerned that too many agencies have not yet responded to FISMA's requirements; for example, the fact that 79 percent of agencies don't even have accurate system inventories casts doubt over the entire reporting process."

    I work in IT for a govt. agency here in Canada, and to not have an accurate inventory of our hardware is absolutely unthinkable. 79% of agencies having no idea where their systems are (and arent) is a recipe for disaster.
    This whole thing reminds me of a couple of years back, when a CSIS (Canada's spy agency) agent went to an Ottawa Senators hockey game, leaving her laptop in her car, only to have it stolen when the car was broken into.

  6. Re:Again, not a surprise by cspenn · · Score: 5, Interesting

    I used to work for a government contractor a couple of years ago. Security - even when we got security guidelines, my fellow coders picked and chose which of them they actually felt like coding.

    Now, should they have been canned? Absolutely. Were they? No. Is that the government's fault? Only partially, in the sense that the government didn't have any way of verifying whether the work we were doing met the standards they specified. Management at the government and at the contractor simply agreed that things looked good, and that was that.

    Hence my comment.

    --
    Subscribe for free to my show!
  7. Re:Again, not a surprise by div_2n · · Score: 4, Interesting

    The only thing that WOULD be good in my opinion is setting up liability legislation. If any contractor or software company KNOWINGLY designs and deploys a system whether hardware or software without making security a key design consideration in the interest of making the lowest bid, then they should be liable.

    There comes a point of accountability when contractors should stand up and say, "I won't do this project if you won't fund the proper security design issues."

    You wouldn't knowingly make cuts that would effect whether a system actually operates or not. Security shouldn't be any different.

    I have turned down jobs before when I knew that what they asked was completely at odds with the client's best interest. I told them that and they understood.

    Equally should agencies and companies be held liable if they knowingly deploy a system that is fundamentally insecure in the interest of just "getting it done." A bank would be held liable if they left their front doors wide open and their vault unlocked overnight. Leaving security unconsidered in computer and software systems should be treated equally if not more harshly.

  8. So here's how it worked for us by Anonymous Coward · · Score: 5, Interesting
    I'm a sysadmin at a non-secret DOE national lab, which is run under contract by a non-profit corporation. I'm posting anonymously 'cause people higher up don't like this sort of thing discussed publicly.

    So several years ago our Lab got handed an ultimatum that we had to come up with a security plan; our computing folks wrote up a proposal, it got sent back with issues needing clarification, there was another round, etc. This went on for about a year. Finally we get one of the drafts back, and we're told, in so many words, "this one's good, you have 6 months to have it in place".

    So now we have 6 months to redo every system on site, with no added budget to do so and no relaxation of other goals. To have any appearance of complying we basically had to set up a system for granting exemptions where each system exempted had to present a timeline for when it would be completed, etc. So at the end of the 6 months we were able to say that everything was either under the security plan, or had an exemption on file saying when it would be under the plan, or how it would be put behind a firewall, etc.

    But the real problem was that the proposal should have been met with discussion of a reasoned, planned schedule, and sufficient resources to implement it, rather than pretending a major security rework could be rolled out for free in 6 months. This goes all the way up to Congress, who passed this law about having agencies report on computer security, but so far as I know didn't designate any funds to pay anyone to do anything about it.

  9. Bureaucracy is the reason by Ignorant+Aardvark · · Score: 5, Interesting

    My father is a lawyer for the Department of Justice, and part of the reason for the insecurity is the federal bureaucracy. I'm a Linux advocate and my dad is a pretty techie guy. He was running a webserver on the WAN for his colleagues and wanted me to help him set up Apache. That was shut down directly by his superiors: Microsoft IIS is the only webserver "supported and recognized" by the IT department, and anything else is not allowed. In addition, the only browser you are allowed to use is IE and the only mail reader you are allowed to use is Outlook. I really wanted to help my dad secure his workplace by switching him away from a mailviewer that executes all attachments and a webserver known for its insecurities. But the Microsoft culture is so entrenched there that it wouldn't fly.

    --
    Cyde Weys Musings - Scrutinizing the inscrutable
  10. Re:I'm a govt network admin... by Anonymous Coward · · Score: 5, Interesting
    I work for a government agency (also not federal but state.) And I'll back up what you are claiming. I'm probably one of the highest ranking technical people in the dept and definately the highest ranking in regards to network security. It's not uncommon for non-tech superiors to order very insecure things to be done, especially if their proprietary app "requires" it to work.

    I wanted to replace TELNET access with SSH to our most important server (manages all budgets, accounting, payroll, and also contains a LOT of data that would be considered a privacy breach if released.) I was informed that this could not be done because a hand full of people use an app from the vendor which requires telnet access to work. This server is on a LAN which is accessed by several hundred members of the public daily.

    So I ran ettercap and showing how trivial it was to capture my boss's password and capture the whole telnet session including root password. I was again told that "Yeah, that is a risk, however, you still can't disable TELNET. It is required."

    Of course, the right thing for my boss to have done would have been to pressure the vendor to move to SSH on their app. But that would have cost money after all. I couldn't even filter telnet from the public access systems because it was some of them which actually needed to run the application. In the end all I could do was send a memo detailing the risk to my boss so I could cover my own ass if something happened.