Slashdot Mirror
U.S. Agencies Earn D+ on Computer Security
MirrororriM writes "Seven of the 24 largest agencies received failing grades, including the departments of Energy and Homeland Security. The Homeland Security Department encompasses dozens of agencies and offices previously elsewhere in government but also includes the National Cyber Security Division, responsible for improving the security of the country's computer networks.
'Several agencies continue to receive failing grades, and that's unacceptable,' said Rep. Tom Davis, R-Va., the committee's chairman. 'We're also seeing some exceptional turnarounds.'"
D isn't failing.
"You're below average, but you do it very well!"
Better work on that C++
"A D+ is NOT a failing grade. Sure, there's some room for improvement, and we're working on this. It's hard work. But the fact that these agency passed the test, even by a slim margin, is good news."
Now watch this drive.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
If I was more involved in politics, and, for some unknown reason, absolutely hated Bush...my commment would read something like:
Ah...stupidity is a communicable disease...
Honestly it isn't surprising that our government is behind on security, especially when it comes to computers. Technology moves really fast and I imageint the US would have to spend billions just to keep up. It isn't entirely practical. All they can really do is hope for the best. Those that are a threat to security will always be one step ahead.
What about the NSA? I'm sure that they take computer security a little more seriously. - Taj
Tell the truth and you won't have so much to remember.
Isn't the point of security to be mute? (about the secrets, that is...)
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
We all know grade inflation runs rampant in the U.S.
.. that they showed up for class and tried their best. It's all we can really ask for.
Grades of D and below can no longer be referred to as "failing" and are now to be referred to as "success challenged."
Dec 10, 2003: U.S. Agencies Earn "D" For Computer Security
No, that's not a dupe. Yes, US Agencies have earned low "grades" for security for years. Considering that many of them were started for the purpose of increasing security, this begins to qualify as a complete FAILURE on their part (regardless of whether it's an F or a D+ or whatever).
'We're also seeing some exceptional turnarounds.'
now, ianam (i am not a mathematician) but is there any other direction for them to go....?
The only way to get rid of a temptation is to yield to it.
-Oscar Wilde
Seriously, it's obvious where this is headed. This report was done by a Congressional committee using reports from each agency's inspector general. That's a lot of ineffective bueracracy to start with, but it's only going to get worse. Next we'll have an agency devoted just to making sure these other agencies have proper security. And of course each of those agencies will need to hire specialized people and consultants to figure out how to fix their security problems, and then to diligently maintain the new security fixes on an ongoing basis.
So what do we have at the end of the day? The government reports on itself and determines that more government is needed. Never saw that coming. At least there was one good thing to come of thus, from TFA: If only their sense of freedom was enough to "dampen" these efforts...
Remember what the 2 biggest parts of next years government budget are? Defense and Homeland Security. And the workers there will continue to get fat and wealthy, while being incredibly lazy and careless... as is typical in most government positions. Then when a product doesn't work, either they get rid of that contractor and get a new one (Who behaves the same way), or they just keep on going.
Oh yes, I forgot to mention: it's not just people employed by the government. Contractors are at fault too. Contractors are the ones who do a lot of the work!
It's a difficult situation to handle, I know I wouldn't want to be managing it right now.
Maybe I could get a little more concerned about this is they let us know what the test was? When you are talking about government agencies, the words a computer and network security test could mean quite a few things. 10/200 computer are still running Win3.1 - you get a D+. You are missing meta tags on your intranet - D+.
Hard to have any kind of opinion about that article unless they tell us more about this magical test.
Next time we attack a country and then the public finds out there was no evidence behind the attacks, they won't have to get Britain to cover for them.
They can just get a guy with a nerdy voice to go up to the podium and say "OMG WTF OUR DATA WAS HAX0RED."
At least that excuse is believable.
Besides, FOIA does not mean that you can get all of the information that you want from the government. FOIA requests can be refused for a variety of reasons (these reasons are specified in the act). Requests for "sensitive" data are often refused. So computer security isn't moot anyway.
I keep thinking that if government agencies are really having such a hard time with security and also the typical failure of their large and expensive it projects they should centralize their IT into a department that will manage all the government IT stuff so as to allow the other agencies to get back to their main business. Kind of the way that computers can be made more secure by not letting the users administer them. If one agency managed all the purchasing, support, and development for the other agencies it might make things work better. As it stands only a handful of agencies seem to be able to handle technology. They would also be able to more easily hold accountable the large contractor corporations that seem to just milk the government on IT projects that never work.
Here is a link to the full scorecard and the reporting methodology
Committee on Government Reform
-- Freedom means letting other people do things you don't like.
Unplug the network cable and lock it up in a guarded vault. Only power and no other access, instant A+ security. You don't even need to fiddle with password security.
You apparently have no grasp of how government contractors and civil servants work. Here is a hint .... the pay is the same.
If you are a civil servent filling this admin job its nearly impossible to fire you so you have absolutely no incentive to tear your hair out worrying about securing your systems. You punch in, you go through the motions, you punch out, and when you put in 20 years or so you retire with a handsome pension.
If you are a contractor you are working for a company whose only goals are to:
A. Win the contract with award winning prose about what a great job you will do
B. Once you win the contract you hire a small army of warm bodies whose one purpose in life is to put in billable hours which the company in turns bills to the government with a nice profit margin tacked on, and to buy and resell hardware and software to the government with a nice profit margin tacked on. There is NEVER any penalty in government contracting for failure. The worst thing that can happen is the project is canceled and your contract ends and you go bid for new ones. or when the term of the contract expires they might award it to another contractor and you go bid for new ones. Many of the warm bodies working for the contractor on the way out just go work for the new contractor and nothing actually changes except the name on the paychecks.
There is only occasionally incentive payments for success and those are just gravy, nice to have, but not if it means you have to expend a lot of money and effort to actually do a good job.
In many spectacular failures involving government contractors the project will suffer massive cost overruns and schedule slips and the agency will just keep pouring ever more money at the contractor, and in to their profit margin, in the hopes they will eventually pull it through. In effect the contractor is rewarded for failure with more years of revenue.
@de_machina
Security isn't failing in most government agencies due to lack of attention or lack of aptitude. In fact, from what I see in the IT-heavy, defense agency I work for (as a contractor, thank God), the incredible bureaucracy of the process is what keeps them behind the times. There are several competent people, each capable of keeping an up-to-date, secure network running at full speed, but they are so strangled with the briefing, pre-approval, documentation, status reports, testing process, etc., etc., etc., that it takes them a week to get a simple patch approved and installed. All that leads to a apathetic, "I did everything that was specifically required of me" attitude.
There's a pretty high turnover rate for sys admins, which certainly doesn't make the overall maintenance any easier.
From the report card, the Department of Homeland Security got an 'F' this year and last.
And the nice thing about computers is that things change. And its amazing how long you can draw FOIA requests along. Those 2 factors are wonderful things for security. That and if it does expose a serious exploitable flaw, we dont have to release it.
You didn't RTFA before complaining that people didn't RTFA.
I work at as a government contractor in IT, in a large government agency. We don't handle secrets, so there is not a huge (legal) impetus for security there--that is, we're about as interested in it as any major corporation. Lives aren't at stake, like they might be at the NSA.
That said, the agent officially in charge of security in my division is as dumb as a bag of nails. How they got that position I don't know--but I understand that it's not uncommon to take, essentially, someone in a bureaucratic position, give them a few night classes, and then they can call themselves chief of security.
My officer is long on procedure--many meetings are attended in which they take copious notes on procedure--and then those procedures are handed down to us to implement. However, since the officer themself isn't technical, a great many gaps can occur between implementation and actual security need. Quite a few things are overlooked, which everyone in the trenches recognize as an issue, yet we don't have the authority to fix it ourselves; but on the other hand, there are often draconian implementations of security put in place, which have no real effect other than to frustrate the users who then circumvent it.
Case in point: all users are required to use strong passwords, mixed case, number, punctuation, of over 7 characters; these passwords are rotated every 90 days. That's all pretty typical. But oh--our email is IMAP, and it's not over SSL. And you can get connected outside of our firewall. So all of the users with laptops merrily connect from home, sending this super strong password, in the clear, every night. Totally defeating the purpose. While I've recognized this issue, and made my immediate superiors aware, the person that could implement a change in policy is 6 levels above us; and our designated security officer is not technical enough to explain the issue to the folks who would listen. So it gets dropped, until it winds up on a report like this.
Essentially--it's a checkbox method of management. Our officer has boxes to check, and they get checked off. Which means we're secure. Except real security preparedness requires thinking like a burglar, and thinking "out of the box"--but the folks that do aren't the same that make policy.
That's at least the case at my institution. I hate to think that it might be the same where there are actual lives at stake--but who really knows?
They've gone from D to D+ -- sure, there's still room for more improvement, but why do you guys always have to look at the negative side of things?
You know they graded on a curve.
Care about electronic freedom? Consider donating to the EFF!
I used to be employed at a large government agency in Washington, DC. There was no security in the building until you got onto the floor I was working. One day, I forgot my badge so I couldn't get in the door. Standing next to the elevators, I waited for someone to let me in even though it was pretty early in the morning and most people didn't arrive until after 9am. Finally, someone else showed up and showed me that you don't really need a badge. He passed his credit card along the door jamb and the door latch opened up just like in a bad spy movie. There were no cameras, nothing.
Also, we had a lot of private consultants who were using laptops to dial back to their respective firms. Since said laptops were simultaneously connected to the LAN, they basically did an end-run around our firewall and created a vulnerability....assuming we had a firewall which we didn't. The place was pathetic yet still required the Top Secret clearance, etc., etc., etc.
That's a knee-jerk reaction to stereotype faceless bureaucracies. To keep my soapbox short, I chalk up most of my negative experiences working within the gov't to the political side of human nature, and those inefficiencies are always going to be there. Until we fiure out how to breed perfect administrators.
each of those agencies will need to hire specialized people and consultantsA solution to this is being tried: NMCI (Navy Marine Corps Intranets) is one poor example of standardizing IT (and with it some security issues) across agencies. Unfortunately it's implementation is stifling to engineers, scientists and non-bureaucrats, and you really don't want to know how much the individual components are costing taxpayers. If NMCI is cutting edge for IT security, then security technology's got a long way to go to not throttle productivity! We'll take local IT mgmt over NMCI anytime.
Is it a rule, that there's an exception to every rule?
The real problem with government agencies is that it's almost impossible to get fired. You have to do something criminal to get the boot. Incompetance is not grounds for termination, it's standard business practice. Everyone looks the other way because they're doing the same thing. Think about it... If it was nearly impossible for you be fired, how long before you started to slack off and become part of the problem. People in the real world know that if they don't work, they'll be fired... And if you don't enjoy your job, that's all the motivation you need. Just as water seeks it's own level, if you work for the government long enough, you will become useless too. The only way to fix the government is to bring in an independent professional auditer and make everyone in government interview for their own jobs. This will weed out the dead weight and open up positions for new people who have not yet been assimilated by the system.