Slashdot Mirror


U.S. Agencies Earn D+ on Computer Security

MirrororriM writes "Seven of the 24 largest agencies received failing grades, including the departments of Energy and Homeland Security. The Homeland Security Department encompasses dozens of agencies and offices previously elsewhere in government but also includes the National Cyber Security Division, responsible for improving the security of the country's computer networks. 'Several agencies continue to receive failing grades, and that's unacceptable,' said Rep. Tom Davis, R-Va., the committee's chairman. 'We're also seeing some exceptional turnarounds.'"


  1. Psst... by Anonymous Coward · · Score: 5, Funny

    D isn't failing.

    1. Re:Psst... by JPriest · · Score: 5, Insightful

      I don't even have to read the article to guess that the suggested remedy is to secure more funds to spend more money on the problem. Anytime any government agency goes public with information it is because they need more money.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    2. Re:Psst... by perlionex · · Score: 5, Informative
      D isn't failing

      You're right, it isn't. The agencies that failed got F. I was going to make a spiel on how /.ers never read the article, when I realised that the article didn't clearly state this.

      More info in links below:

      Washington Post

      Report Card

      Statement and links

  2. Oh, the dreaded D+ by Anonymous Coward · · Score: 5, Funny

    "You're below average, but you do it very well!"

  3. D+? by Anonymous Coward · · Score: 5, Funny

    Better work on that C++

  4. GW Bush says by Profane+MuthaFucka · · Score: 5, Funny

    "A D+ is NOT a failing grade. Sure, there's some room for improvement, and we're working on this. It's hard work. But the fact that these agency passed the test, even by a slim margin, is good news."

    Now watch this drive.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    1. Re:GW Bush says by R.Mo_Robert · · Score: 5, Funny

      From what I hear, he's actually planning to put the department on a watch list in accordance with the No Department Left Behind Act.

      --
      R.Mo
  5. But I'm not... by Avyakata · · Score: 5, Funny

    If I were more involved in politics, and, for some unknown reason, absolutely hated Bush...my comment would read something like:

    Ah...stupidity is a communicable disease...

  6. The NSA? by tajmorton · · Score: 4, Interesting

    What about the NSA? I'm sure that they take computer security a little more seriously. - Taj

    --
    Tell the truth and you won't have so much to remember.
    1. Re:The NSA? by digitalchinky · · Score: 4, Interesting

      Not really. Only the public interfaces.

      Internally if you are cleared to see a certain group of things, the security is not so complex.

      If you need access to VRK/TK type stuff, you get anal probing prior to accessing the restricted area - airgap with a big chunk of concrete thrown in the mix.

      Why have 'huge' internal security when 'the man' already spends six months getting chatty with your friends, teachers, family, relatives, long lost loves from childhood, just to see if you can really be trusted with a clearance?

      A TS clearance basically means you are 'trustworthy' - or you go to jail. Security vetting gets repeated every couple of years - sucks when you're in the Military and they want to know who your bestest work friends are that you've known for at least ten years.

  7. It's Worse Than You Think by Anonymous Coward · · Score: 4, Funny

    We all know grade inflation runs rampant in the U.S.

  8. But the important thing is.. by Anonymous Coward · · Score: 5, Funny

    .. that they showed up for class and tried their best. It's all we can really ask for.

  9. Under new dept of education rules by Anonymous Coward · · Score: 5, Funny

    Grades of D and below can no longer be referred to as "failing" and are now to be referred to as "success challenged."

  10. Re:The Failing Grades by arootbeer · · Score: 4, Funny

    Yes...I would hate to think the Government would have to spend billions on something as unimportant as securing their computer systems. Couldn't they just do it as a supplemental request?

  11. US Agencies Responsible for "Dupe" Stories by lukewarmfusion · · Score: 4, Informative

    Dec 10, 2003: U.S. Agencies Earn "D" For Computer Security

    No, that's not a dupe. Yes, US Agencies have earned low "grades" for security for years. Considering that many of them were started for the purpose of increasing security, this begins to qualify as a complete FAILURE on their part (regardless of whether it's an F or a D+ or whatever).

  12. Re:The Failing Grades by ArmchairGenius · · Score: 5, Insightful

    But you would think (hope) that the Department of Homeland Security would at least be able to secure their own darn computers.....

  13. One More Reason... by fupeg · · Score: 5, Insightful
    to get rid of government agencies.

    Seriously, it's obvious where this is headed. This report was done by a Congressional committee using reports from each agency's inspector general. That's a lot of ineffective bureaucracy to start with, but it's only going to get worse. Next we'll have an agency devoted just to making sure these other agencies have proper security. And of course each of those agencies will need to hire specialized people and consultants to figure out how to fix their security problems, and then to diligently maintain the new security fixes on an ongoing basis.

    So what do we have at the end of the day? The government reports on itself and determines that more government is needed. Never saw that coming. At least there was one good thing to come of this, from TFA:
    The poor grades effectively dampen efforts by U.S. policy makers to impose new laws or regulations to compel private companies and organizations to enhance their own security
    If only their sense of freedom was enough to "dampen" these efforts...
  14. Failed What Exactly? by Petsection · · Score: 5, Informative

    Maybe I could get a little more concerned about this if they let us know what the test was? When you are talking about government agencies, the words "a computer and network security test" could mean quite a few things. 10/200 computers are still running Win3.1 - you get a D+. You are missing meta tags on your intranet - D+.

    Hard to have any kind of opinion about that article unless they tell us more about this magical test.

  15. Re:FOIA makes computer security mute by GileadGreene · · Score: 4, Informative
    I think that you mean moot, not mute.

    Besides, FOIA does not mean that you can get all of the information that you want from the government. FOIA requests can be refused for a variety of reasons (these reasons are specified in the act). Requests for "sensitive" data are often refused. So computer security isn't moot anyway.

  16. Original Report Card by bornholtz · · Score: 5, Informative

    Here is a link to the full scorecard and the reporting methodology

    Committee on Government Reform

    --
    -- Freedom means letting other people do things you don't like.
    1. Re:Original Report Card by HisMother · · Score: 4, Insightful

      Looking at the list of metrics, I can understand why many of the larger agencies are "failing". Many of the metrics concern "agency-wide policies", "agency-wide plans", and "agency-wide inventories." The larger government agencies are very heterogeneous, by design. The DOE's laboratories, for example, are deliberately run by different contractors who each have a lot of discretion in how things are operated. And DHS, of course, is a hodgepodge, a loose federation of a large number of until-recently independent organizations -- of course they don't have a single unified IT oversight system. You think it makes sense to have a single, central, updated, accurate list of every single computer owned by the DHS, categorized by OS? What's the cost/benefit analysis there? Furthermore, another important metric on their scorecard is the extent to which the agency specifically acted on recommendations from a previous year. If an agency simply doesn't give a shit what Tom Davis' little committee has to say, then they get marked off for not caring. This report is completely worthless, IMO. I could say a lot more, but I think I'll leave it at that.

      --
      Cantankerous old coot since 1957.
  17. Re:The Failing Grades by Strudelkugel · · Score: 4, Insightful

    Having worked with government types, I can unfortunately guess that money is not the problem - attitude is. There are many civilians employed with US tax dollars who view their responsibility as "I am going to do the thing I was hired to do 20 years ago and keep doing it." There's another variety of employee - "I'm not really familiar with this new technology, so I will resist its implementation because I might look bad otherwise."

    Before someone mods this as flamebait, I am not saying that all government employees are this way; you have to admire the CDC guys who suit up to go check out the latest hideous disease, for example. They deserve every dime they get. Of course there are other departments where people do a good job as well. That said, I suspect the US Government has the greatest number and probably the highest percentage of unmotivated, uninterested employees of any organization I have encountered. This is a huge problem. The only way to fix it is to curb spending, which can have the effect of making the government more cost efficient and proactive.

    --
    Imagine how much harder physics would be if electrons had feelings! -Feynman, maybe
  18. Re:Responsibility and Enforcement by demachina · · Score: 4, Insightful

    You apparently have no grasp of how government contractors and civil servants work. Here is a hint .... the pay is the same.

    If you are a civil servant filling this admin job, it's nearly impossible to fire you, so you have absolutely no incentive to tear your hair out worrying about securing your systems. You punch in, you go through the motions, you punch out, and when you put in 20 years or so you retire with a handsome pension.

    If you are a contractor you are working for a company whose only goals are to:

    A. Win the contract with award winning prose about what a great job you will do

    B. Once you win the contract you hire a small army of warm bodies whose one purpose in life is to put in billable hours which the company in turn bills to the government with a nice profit margin tacked on, and to buy and resell hardware and software to the government with a nice profit margin tacked on. There is NEVER any penalty in government contracting for failure. The worst thing that can happen is the project is canceled and your contract ends and you go bid for new ones, or when the term of the contract expires they might award it to another contractor and you go bid for new ones. Many of the warm bodies working for the contractor on the way out just go work for the new contractor and nothing actually changes except the name on the paychecks.

    There are only occasionally incentive payments for success, and those are just gravy, nice to have, but not if it means you have to expend a lot of money and effort to actually do a good job.

    In many spectacular failures involving government contractors the project will suffer massive cost overruns and schedule slips and the agency will just keep pouring ever more money at the contractor, and in to their profit margin, in the hopes they will eventually pull it through. In effect the contractor is rewarded for failure with more years of revenue.

    --
    @de_machina
  19. Irony by PineHall · · Score: 4, Insightful

    From the report card, the Department of Homeland Security got an 'F' this year and last.

  20. As a government contractor.... by Anonymous Coward · · Score: 5, Informative

    I work as a government contractor in IT, in a large government agency. We don't handle secrets, so there is not a huge (legal) impetus for security there--that is, we're about as interested in it as any major corporation. Lives aren't at stake, like they might be at the NSA.

    That said, the agent officially in charge of security in my division is as dumb as a bag of nails. How they got that position I don't know--but I understand that it's not uncommon to take, essentially, someone in a bureaucratic position, give them a few night classes, and then they can call themselves chief of security.

    My officer is long on procedure--many meetings are attended in which they take copious notes on procedure--and then those procedures are handed down to us to implement. However, since the officer themselves isn't technical, a great many gaps can occur between implementation and actual security need. Quite a few things are overlooked, which everyone in the trenches recognizes as an issue, yet we don't have the authority to fix it ourselves; but on the other hand, there are often draconian implementations of security put in place, which have no real effect other than to frustrate the users, who then circumvent it.

    Case in point: all users are required to use strong passwords, mixed case, number, punctuation, of over 7 characters; these passwords are rotated every 90 days. That's all pretty typical. But oh--our email is IMAP, and it's not over SSL. And you can get connected outside of our firewall. So all of the users with laptops merrily connect from home, sending this super strong password, in the clear, every night. Totally defeating the purpose. While I've recognized this issue, and made my immediate superiors aware, the person that could implement a change in policy is 6 levels above us; and our designated security officer is not technical enough to explain the issue to the folks who would listen. So it gets dropped, until it winds up on a report like this.

    Essentially--it's a checkbox method of management. Our officer has boxes to check, and they get checked off. Which means we're secure. Except real security preparedness requires thinking like a burglar, and thinking "out of the box"--but the folks that do aren't the same that make policy.

    That's at least the case at my institution. I hate to think that it might be the same where there are actual lives at stake--but who really knows?
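The failure mode the contractor above describes (a password that satisfies the complexity checklist but is sent by plaintext IMAP from outside the firewall) is easy to show concretely. The following is an added example, not code from the thread or from any poster: it walks a client-side IMAP session transcript and reports whether the credential crossed the wire before TLS was in place. The transcripts, the user name and the password are constructed for the example, and the policy thresholds (mixed case, digit, punctuation, at least 8 characters, 90-day rotation is not modelled) are assumptions based on the comment. It also decodes SASL PLAIN, which is base64-encoded but not encrypted, and checks whether the server advertised LOGINDISABLED, the RFC 3501 capability a server uses to refuse plaintext LOGIN before STARTTLS.

```python
"""Audit an IMAP session transcript for credentials sent in the clear.

Added example: a password can pass the complexity policy and still be
exposed if LOGIN or AUTHENTICATE PLAIN is issued before TLS is active.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed policy from the comment: mixed case, a digit, punctuation, >7 chars.
def password_meets_policy(pw: str, min_len: int = 8) -> bool:
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

@dataclass
class Finding:
    username: Optional[str] = None
    password: Optional[str] = None
    mechanism: Optional[str] = None   # "LOGIN" or "AUTHENTICATE PLAIN"
    exposed: bool = False             # credential travelled unencrypted
    logindisabled: bool = False       # server advertised LOGINDISABLED (RFC 3501)
    policy_ok: bool = False           # password passes the complexity policy

LOGIN_RE = re.compile(r'^\S+ LOGIN (\S+) (?:"([^"]*)"|(\S+))$', re.IGNORECASE)
STARTTLS_RE = re.compile(r'^(\S+) STARTTLS$', re.IGNORECASE)
AUTH_PLAIN_RE = re.compile(r'^\S+ AUTHENTICATE PLAIN(?: (\S+))?$', re.IGNORECASE)

def _decode_plain(blob: str) -> Optional[Tuple[str, str]]:
    """SASL PLAIN is base64("authzid\\0authcid\\0password"): encoded, not encrypted."""
    try:
        parts = base64.b64decode(blob, validate=True).decode('utf-8').split('\0')
    except (ValueError, UnicodeDecodeError):
        return None
    return (parts[1], parts[2]) if len(parts) == 3 else None

def _record(f: Finding, user: str, pw: str, mechanism: str, tls_active: bool) -> None:
    f.username, f.password, f.mechanism = user, pw, mechanism
    f.exposed = not tls_active
    f.policy_ok = password_meets_policy(pw)

def audit_session(transcript: str, implicit_tls: bool = False) -> Finding:
    """Walk 'C: ...'/'S: ...' lines as seen at the client.

    implicit_tls=True models port 993, where the whole session is wrapped in
    TLS; otherwise only a STARTTLS that the server answers with OK counts.
    """
    f = Finding()
    tls_active = implicit_tls
    pending_starttls: Optional[str] = None   # tag of an outstanding STARTTLS
    awaiting_blob = False                    # AUTHENTICATE PLAIN without SASL-IR
    for raw in transcript.splitlines():
        side, _, line = raw.partition(': ')
        line = line.strip()
        if not line:
            continue
        if side == 'S':
            words = line.upper().split()
            if words[:2] == ['*', 'CAPABILITY'] and 'LOGINDISABLED' in words:
                f.logindisabled = True
            if pending_starttls and words[:2] == [pending_starttls.upper(), 'OK']:
                tls_active = True            # everything after this is encrypted
                pending_starttls = None
            continue
        if side != 'C':
            continue
        if awaiting_blob:
            awaiting_blob = False
            creds = _decode_plain(line)
            if creds:
                _record(f, *creds, 'AUTHENTICATE PLAIN', tls_active)
            continue
        if (m := STARTTLS_RE.match(line)):
            pending_starttls = m.group(1)
        elif (m := LOGIN_RE.match(line)):
            pw = m.group(2) if m.group(2) is not None else m.group(3)
            _record(f, m.group(1), pw, 'LOGIN', tls_active)
        elif (m := AUTH_PLAIN_RE.match(line)):
            if m.group(1):
                creds = _decode_plain(m.group(1))
                if creds:
                    _record(f, *creds, 'AUTHENTICATE PLAIN', tls_active)
            else:
                awaiting_blob = True
    return f

# Constructed transcripts (not real captures); user name and password are invented.
PLAINTEXT_LOGIN = """\
S: * OK IMAP4rev1 server ready
C: a001 CAPABILITY
S: * CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN
S: a001 OK CAPABILITY completed
C: a002 LOGIN jdoe "Tr0ub4dor&3!"
S: a002 OK LOGIN completed
"""
STARTTLS_LOGIN = """\
S: * OK IMAP4rev1 server ready
C: a001 CAPABILITY
S: * CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED
S: a001 OK CAPABILITY completed
C: a002 STARTTLS
S: a002 OK Begin TLS negotiation now
C: a003 LOGIN jdoe "Tr0ub4dor&3!"
S: a003 OK LOGIN completed
"""
_PLAIN_BLOB = base64.b64encode(b"\0jdoe\0Tr0ub4dor&3!").decode()
AUTH_PLAIN_NO_TLS = f"""\
S: * OK IMAP4rev1 server ready
C: a001 AUTHENTICATE PLAIN {_PLAIN_BLOB}
S: a001 OK AUTHENTICATE completed
"""

if __name__ == '__main__':
    for name, t in [('plaintext LOGIN', PLAINTEXT_LOGIN),
                    ('STARTTLS then LOGIN', STARTTLS_LOGIN),
                    ('AUTH PLAIN, no TLS', AUTH_PLAIN_NO_TLS)]:
        print(name, audit_session(t))
```

The first transcript is the comment's situation: the password passes the policy (`policy_ok` is true) and is still reported as exposed, because the checklist measured password strength and never asked about transport. The second shows the fix on the server side as well as the client side: advertising LOGINDISABLED until STARTTLS completes stops a compliant client from sending LOGIN in the clear at all, which is the kind of policy change that has to come from whoever owns the mail server rather than from the users.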