Slashdot Mirror
U.S. Agencies Earn "D" For Computer Security
Fighting.Cephalopod writes "For the fourth year in a row, most federal agencies have received low grades for failing to protect their computer networks from hackers and other cyberterrorists, according to a computer security report card issued today by the House Government Reform Subcommittee on Technology."
Other readers point out coverage of the report at ZDnet, Reuters (via Forbes), The Washington Post, and ComputerWorld." As
mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."
the Department of Homeland Security do?
I don't read your sig, why do you read mine?
As long as the US Government continues to rely on contractors and subcontractors who have no interest or profit motive to secure USG networks, the government will continue to be insecure. Compound that with the fact that the government remains married to Redmond for the majority of its end user systems, and it's no surprise that they received a "D".
Frankly, I wouldn't be surprised if the USG turns around and tries to pass additional "information security protection" legislation in response to this study, just like software vendors now do for reviewers. You can't say anything about USG systems under the rubric of anti-terrorism.
Sigh.
Subscribe for free to my show!
I think that until there is significant user-education on this topic, some of the issues raised (weak passwords for example) won't ever be fixed. I think that the movement to a smart-card (oh wait, directv will sue you if you try this but ..) based approach of authentication is the best way. You need the card and a PIN or other text-based password in order to authenticate yourselves. This is how a lot of people work, with these private tokens (eg: SecureID). They are a PITA, but help keep unwanted people out.
so let me get this straight, if all those failed security provisions are hacked, you'd get:
1) hacked into the place that controls whether or not you go to prison(funny they're also the ones that investigate election fraud if I recall, I could be wrong, I'm Canadian)
2) hacked into the place that controls nuclear power plants
3) hacked into debt(identity theft) through the place that controls employment, etc...
4) hacked into the place that determines if there is war or not
(agriculture, interior, and "housing and urban development weren't good targets)
*notices how Canada doesn't announce that kind of thing, I think they're embarassed at how badly they do*
Let's flip this 180. Is there anything those agencies would get an "A" on? Didn't think so, so why should we be disappointed with this news?
Agriculture 40 F
AID 70.5 C-
Commerce72.5 C-
DOD* 65.5 D
Education77 C+
Energy 59.5 F
EPA 74.5 C
GSA 65 D
HHS 54 F
DHS 34 F
HUD 40 F
Interior43 F
Justice 55.5 F
Labor 86.5 B
NASA 60.5 D-
NRC 94.5 A
NSF 90.5 A-
OPM 61.5 D-
SBA 71 C-
SSA 88 B+
State 39.5 F
Transportation 69 D+
Treasury* 64 D
VA* 76.5 C
Government-wide Average 65 D
Comment removed based on user account deletion
See what we get when there's an agency ran mostly by the intellects and not bureaucrats?
In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
This is MHO:
Look how much is spent on 'physical' security and you will see why. A Government agency that is physically attacked (eg bomb, chemical, bio) usually results in human casualties/lives...and is very hard to cover up.
Now look at attacks on computer security (eg cyber attacks, worms, compromised systems). A Government agency that is 'electronically' attacked 'APPEARS' to not result in human casualties/lives.
Notice I stressed the word 'appears' in my last comment. I say this because it may be the real situation OR it maybe we don't know as previous cases have been covered up...as it is easier for an organisation to cover up these types of attacks.
After my experiences dealing with DOD contractors, and their use of firewalls. Specifically, firewalls were used to strip out javascript on the fly; they were not used to block unauthorized access (that, of course, was left up to the administrator of each individual server).
Needless to say, this does not lend itself to a centralized, comprehensive security plan.
Added Chairman Davis, "I'm deeply concerned that too many agencies have not yet responded to FISMA's requirements; for example, the fact that 79 percent of agencies don't even have accurate system inventories casts doubt over the entire reporting process."
I work in IT for a govt. agency here in Canada, and to not have an accurate inventory of our hardware is absolutely unthinkable. 79% of agencies having no idea where their systems are (and arent) is a recipe for disaster.
This whole thing reminds me of a couple of years back, when a CSIS (Canada's spy agency) agent went to an Ottawa Senators hockey game, leaving her laptop in her car, only to have it stolen when the car was broken into.
The main problem with ALL government agencies is that almost all of their actually employed work is 90% opened only to internal candidates. And they try to fill it in that way. Why? Because background checks cost a lot of money, and getting clearance for people up into the higher echelons would cost even more. That's the main part of your problem right there, really. If they hired more people externally, and paid them what they're worth, no problem at all.
This report card was supposed to be classified.
"If you think you have things under control, you're not going fast enough." --Mario Andretti
You can have all the cyber security (firewalls, IDS ) etc you want however there is still the risk of someone just stealing a laptop and getting access to a load of secret files.
Your security is only as strong as your weakest link
Rus
Cheap UK and US VPS
Compsec... and they had so called mapped out plans for years now too... (NATIONAL PLAN FOR INFORMATION SYSTEMS PROTECTION EXECUTIVE SUMMARY). One quote I will always remember is something to the extent of "the feds are good at carrying guns not locking down machines."
There are so many variables involved with government, that they are the ones shooting themselves in the foot. Considering if you're using a machine right, and you know it's insecure, if you took it upon yourself to fix it, you could be charged with a crime. Hell slightly off topic but look at what the gov did with the so called chaplain spy (charged with downloading porn).
I'm sure gov's IT staff throughout the branches are overwhelmed with things, so it's a bit unfair to call them all clueless gimps or similar. However, and I will throw this out as a `story` someone stated they worked for a gov agency. Person stated the procedures for daily wipes to ensure things are wiped, etc., ... According to person he had never seen it done, because they never bothered with it.' Now imagine if one of these machines were thrown out and the machine had material on it that was highly sensitive. It happens more often than some think.
MoFscker
The only reason that government agencies are able to get away with this is because nothing embarassing has happened yet. Wait until a hacker manages to get a few thousand social security numbers from a government agency computer - then we'll see some real change.
In addition, those of you who sound surprised, try reading The Myth of Homeland Security by Marcus Ranum (here. It is surprisingly accurate, and not just another 'chicken little' diatribe.
...we are from the government - we are here to help...
The problem has been traced to kindergarten hackers and has been fixed. Please disregard the following terror-alert color codes:
Brick Red
Flesh
Lemon Yellow
Prussian Blue
Spring Green
Sincerely,
Homeland Security
Here is the link to the actual page containing the report card.
Yes, this is truly pathetic. But honestly, folks... how many people are surprised by it? The U.S. government has something of a history of neglect when it comes to technology, as several have pointed out. After all, it's a sad day when major government systems can be compromised by worms of any sort. It simply shouldn't happen. Period. And yet it has. And then, there are the constant sad stories coming out of the U.S.P.O., where people are patenting things that are blatantly not their own.
So, here's what we need: A government office that is responsible for the electronic welfare of the country. Not merely a minor department in some other place, but a significant entity of its own. It would be able to stop all these government technological blunders before they happen, being comprised of tech-savvy individuals. Or at least, it would have some people who specialized in the field. Yes, it may sound Orwellian, but it wouldn't be much more so than what we have now: Now, several government agencies work completely apart from one another to regulate electronics, and each government department is responsible for its own security. This would simply take this task out of the hands of the overworked and unknowledgable, and might actually boost those grades.
I did contracting work for the government and most of the blame lies in trying to do anything with a couple of goverment employees in charge of what actually gets done. The stereotype of them being lazy and generally slow to get anything accomplished is absolutely correct. When you mix a fast paced IT world with a "I can coast until retirement" attitude you get bad things happening. The other half of the problem is the users who put the password for their windows login and dialin on a stickynote on top of the laptop. On the other hand, any of the actual critical servers were well monitored and they would track down any breakin attempts, etc.
slashdot, news for crazed liberal socialist zealots
So several years ago our Lab got handed an ultimatum that we had to come up with a security plan; our computing folks wrote up a proposal, it got sent back with issues needing clarification, there was another round, etc. This went on for about a year. Finally we get one of the drafts back, and we're told, in so many words, "this one's good, you have 6 months to have it in place".
So now we have 6 months to redo every system on site, with no added budget to do so and no relaxation of other goals. To have any appearance of complying we basically had to set up a system for granting exemptions where each system exempted had to present a timeline for when it would be completed, etc. So at the end of the 6 months we were able to say that everything was either under the security plan, or had an exemption on file saying when it would be under the plan, or how it would be put behind a firewall, etc.
But the real problem was that the proposal should have been met with discussion of a reasoned, planned schedule, and sufficient resources to implement it, rather than pretending a major security rework could be rolled out for free in 6 months. This goes all the way up to Congress, who passed this law about having agencies report on computer security, but so far as I know didn't designate any funds to pay anyone to do anything about it.
Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.
Not a federal govt IT guy, but I work for a state govt organization. The bureaucracy is a BIG PROBLEM. My fellow IT workers and myself are definitely not complete idiots. If we had our way, we'd ditch all the unsecure technology (i.e. MS stuff) in a heartbeat. The problem centers around our upper management *ordering* us to do insecure things, like place an unprotected windows server directly on a routeable internet segment outside of the firewall, because some cheesy piece of software they bought (and again, *ordered* us to install) will work no other way, and they just flat outright don't give a damn about our security concerns. Now when such a box gets hacked, all of a sudden it's our fault. This is much akin to the senior-ranking bigshots ordering the fire marshall to allow them to light up cigarettes at gas stations and/or ordering the police chief to not dare even think of hassle them for driving around while DUI.
My father is a lawyer for the Department of Justice, and part of the reason for the insecurity is the federal bureaucracy. I'm a Linux advocate and my dad is a pretty techie guy. He was running a webserver on the WAN for his colleagues and wanted me to help him set up Apache. That was shut down directly by his superiors: Microsoft IIS is the only webserver "supported and recognized" by the IT department, and anything else is not allowed. In addition, the only browser you are allowed to use is IE and the only mail reader you are allowed to use is Outlook. I really wanted to help my dad secure his workplace by switching him away from a mailviewer that executes all attachments and a webserver known for its insecurities. But the Microsoft culture is so entrenched there that it wouldn't fly.
Cyde Weys Musings - Scrutinizing the inscrutable
You keep using that word... I do not think it means what you think it means...
Whatever you may think about the Department of Homeland Security, it has, in point of fact, the most honestly descriptive of almost any of the department names. That is to say, whether it does a good job or not, it is here to secure the American homeland.
Now, if you want to talk about `Orwellian' names, meaning names like 1984's Ministry of Truth (which handled propaganda), Ministry of Peace (which handled war), and Ministry of Love (which handled torture and brainwashing), let's look at some of the big social-program departments which you seem more fond of:
- The Department of Agriculture -- which pays farmers not to grow crops
- The Department of the Interior -- which mainly handles subsidies for Indian casinos
- The Department of Labor -- which pays the unemployed not to work
just to pick a few examples.Of course, since the rest of your post is at least as confused as your use of the work ``Orwellian'', right down to your last example (the `Peacemaker', of course, was a famous Colt firearm, as used by the sherrif in just about any old western -- though if you want to wax philosophical, even Gorbachev has admitted that it was the inability to keep up with American defense spending that brought about the Soviet Union's collapse, so the missile made peace in a very literal sense as well), and the general tendentiousness of your claims shows that your looking for political points more than accuracy anyhow...
I work for one of the agencies that failed (and thus am posting AC because I don't think they'd like this).
:)
I'm in a general research facility (nothing classified, etc.) with about 70 people, most of whom have one or more computers. We have 30% of one person's time as IT staff because our agency will not give us funding to hire anyone else. This person has little or no training in computer security. I worked as a unix sysadmin for a few years, and know more about the nuts & bolts of IT security than our IT person. Given the way the govt determines pay grade, we couldn't hire a compenent IT person even if we had the money, because we couldn't offer enough money.
Anyway, what this boils down to is that everyone is responsible for the security on their own computer. With no training, and no time allocated for doing so, since everyone has a full slate of tasks of their own (yes, despite being federal employees we do work pretty hard). My location doesn't have an enforced security policy, even on things so definitely hazardous as enforcing the use of antivirus, not using un-passworded windows shares, etc.
Even worse, the agency in question requires admin staff to use custom-written and obsolete administrative programs that won't run on an OS newer than Windows 98. The people dealing with payroll and personnel data have the least securable computers. Nice, no?
Our regional IT staff don't seem to have much formal security training, and have made some decisions I consider questionable. The agency IT staff have also done some odd things, like recently forcing us all to switch our email to GroupWise.
From my perspective, yes, we deserved our failing grade. It's primarily due to lack of support for creating and maintaining a coherent security policy. There's no substantive training, and very little awareness among the higher-ups of the needs of facilities like mine, where everyone has different technology requirements to perform their duties. The administrative legacy software issues don't help either.
just sign me... not admitting to anything.
Speaking as someone who spent many years fighting various Good Fights against government idiots, I will say that government agencies will continue to get failing grades on security because they place the whims of incompetent managers above the advice of their technically competent employees. Not all government IT people are idiots, but most of them have no interest in challenging their pointed-haired bosses because those who do suffer pay discrimination and -- if they're really stubborn -- termination. So government sites will remain a monoculture of poorly patched and insecurely configured MS products just waiting for a new virus to slip in and lay waste to everything in site. In other words, most government sites are like most corporate sites, and for similar reasons.
I wanted to replace TELNET access with SSH to our most important server (manages all budgets, accounting, payroll, and also contains a LOT of data that would be considered a privacy breach if released.) I was informed that this could not be done because a hand full of people use an app from the vendor which requires telnet access to work. This server is on a LAN which is accessed by several hundred members of the public daily.
So I ran ettercap and showing how trivial it was to capture my boss's password and capture the whole telnet session including root password. I was again told that "Yeah, that is a risk, however, you still can't disable TELNET. It is required."
Of course, the right thing for my boss to have done would have been to pressure the vendor to move to SSH on their app. But that would have cost money after all. I couldn't even filter telnet from the public access systems because it was some of them which actually needed to run the application. In the end all I could do was send a memo detailing the risk to my boss so I could cover my own ass if something happened.
Yeah, that is a risk, however, you still can't disable TELNET. It is required."
I was in a similar situation, and I modified the telnet daemon so that a password wasn't required and put the telnet app on a different port and tcp wrappered that port. Granted this wasn't financial info, but I could not have a plaintext password going to a mission critical system.
You are most likely not evil, you just look like it because you like to get the job done, period.
I have worked in several different companies in the IT field from small to very large. One trend that I have noticed is that a knowledgable "technical" manager is a rarity. Some may argue that this is not true, I apologize to those managers that are 'actually' hands on at least a little with their admins. I have been lucky and have had a couple of these rare species, to learn from
From what I have seen, most managers are hired for the position because they have a degree, not a technical degree mind you but a degree (usually management).
This is appropriate in the managerial sense, however I still feel that to be an appropriate 'technology' manager you can not base your technical experience on your "Intro to Microcomputers" (ASU - consisted of 8 weeks of introductory Java and 8 weeks of Autocad...WTF), or "Using Excel/Powerpoint" classes alone.
I would be more inclined to have an highly (or moderately so) technical manager who merely has a BS in computer science (minor in business). Shows that his interest lies in the technical domain and supporting his employees in the proper ways (ie...training, mentoring, etc.), rather than someone with an MBA "climbing the ladder" to the next butt-kiss.
:-( --- argh. Despair, I owe again.