Slashdot Mirror


U.S. Cybersecurity Not So Secure?

freaktheclown writes "According to CNet, 'government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be 'unprepared' for emergencies.'" The article discusses FEMA's handling of relief efforts for Hurricane Katrina and how a very similar situation exists with electronic security measures in the U.S. In addition to a conjecture the department of cybersecurity has been "plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying experts and industry groups."

21 of 162 comments

  1. That's what happens when unqualified people.. by CyricZ · · Score: 5, Insightful

    ... are given jobs because of their political affiliations.

    Yes, unqualified people performing serious jobs leads to nothing but problems.

    --
    Cyric Zndovzny at your service.
    1. Re:That's what happens when unqualified people.. by Anonymous Coward · · Score: 3, Insightful

      I think that attitude is part of the problem. The initial post laments:

      > ..accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying...

      I think those things are very intertwined. Whenever there is a governmental mistake, or failure to accurately foresee the future, accusations start flying. The media Queen of hearts shouts at everyone, "Off with their heads". No wonder there's an exodus of senior staff.
      Help Wanted:Anyone want to fill the 'scapegoat' position? I didn't think so.

    2. Re:That's what happens when unqualified people.. by CyricZ · · Score: 3, Insightful

      > The media Queen of hearts shouts at everyone, "Off with their heads". No wonder there's an exodus of senior staff.

      Except in the United States the media does not seriously question the government. That is why the Bush administration was able to preside over several of the worst incidents in American history, and has emerged basically unscathed.

      --
      Cyric Zndovzny at your service.
    3. Re:That's what happens when unqualified people.. by CyricZ · · Score: 1, Insightful

      If the American media were truly as anti-Republican as you seem to believe, then there would've been a massive outcry after Sept. 11. Of course, that never happened, because the media is not anti-Republican by any means. As we so obviously witnessed, the American mass media then proceeded to help out the Bush administration by hyping the wars in Afghanistan and Iraq.

      Now, considering how wrong you were with your first couple of sentences, I'm not going to bother with the rest of your post, since it is probably just as factually incorrect.

      --
      Cyric Zndovzny at your service.
    4. Re:That's what happens when unqualified people.. by Doc+Ruby · · Score: 3, Insightful

      If the media weren't in Bush's pocket, the departure in disgust of every "cybersecurity czar" we've had (all under Bush) would be a running story about how we're begging to get hit. We pay taxes to a government we elected to protect us from threats, and those responsible for the cyber department won't accept liability for their useless department. That's not "scapegoating". If the department were competent, there wouldn't be any need to scapegoat anyone. Anyone watching their counterparts across DHS leave thousands to die in the wake of Katrina can tell that we're paying fools to pretend to protect us. And if reporters were more competent than these DHS personnel they cover for, it wouldn't take Katrina to show how screwed we all are.

      --
      make install -not war

    5. Re:That's what happens when unqualified people.. by NMerriam · · Score: 4, Insightful

      > Whenever there is a governmental mistake, or failure to accurately foresee the future, accusations start flying. The media Queen of hearts shouts at everyone, "Off with their heads". No wonder there's an exodus of senior staff.

      But that's not what happens -- the media doesn't scapegoat invisible public service employees who've been dutifully showing up doing their job every day for 30 years. Those employees make it through scandals in administration after administration, because everyone knows the agency will not function without them -- occasionally one may be scapegoated internally, but they don't have any "sex appeal" to the media.

      This recent wave IS very different, because it is one of the first times that these guys do seem to be resigning in large numbers -- not because of "media pressure" (the media doesn't even know who these guys are), but because of inept cronies being put in place above them, and then the cronies not being smart enough to realize the career professionals should be running the show.

      That's exactly what is happening with the CIA right now, where guys who have happily served both Republican and Democratic administrations for decades are suddenly being dictated to on how to perform their jobs by people who are barely qualified to operate the paper shredder.

      "The Media" isn't pushing out the senior CIA officials, the Bush administration is, the same way they pushed Whitman out of the EPA (I mean, geez, the Republican governor of New Jersey is "too liberal" on the environment? Reality check! That's as crazy as suggesting a quadriplegic veteran isn't patriotic!)

      --
      Recursive: Adj. See Recursive.
  2. Education by AxsDeny · · Score: 2, Insightful

    The core of the problem is that users continue to not understand what they are doing or using. People expect things to "just work" and if it breaks they will have it fixed. Many people treat their cars this way. They know how to drive them, but not how to fix them if they break down. If we can't educate the users in the safe and proper use of their machines, we will continue to have such problems. If the mainstream OS continues to be riddled with security holes that grandma doesn't know how to patch, we will continue to have these 100,000 node bot nets.

    Education and training actually does better security and society as a whole.

    --

    zork% mv *.asp /bin/darkroom
    283 files eaten by a grue
  3. How important is it REALLY? by plover · · Score: 3, Insightful

    Seriously, the intarweb has been little more than a stew of viruses, zombies and DOS attacks for years now. Yet we all manage to show up and do our jobs. How bad could a "cyberattack" really be, if we're living through the current levels of crap?

    And what good is a "federal overseer" when they have no jurisdiction over half of the network?

    I say that we're no worse off for not having a top-dog. It's a meaningless, ineffective position. Why spend the money on it, much less promote the position to a direct report under the DIRHSA?

    --
    John
  4. And yet with GLB/HIPAA/Sarbanes-Oxley by TykeClone · · Score: 2, Insightful

    They have claimed the right to regulate the networks of financial services and medical services outfits.

    Let he who is without sin...

    --
    A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
  5. the ownership vs. threat info gap by G4from128k · · Score: 4, Insightful

    One core problem is that the people that regulate cybersecurity don't own the infrastructure. This means they have little hope of understanding how real-world privately-owned (and vulnerable) networks operate. The flip side is that the government people that might have intelligence data on cybersecurity threats won't share that info with the people that actually own and operate the networks.

    One group (govt) may understand the threat, but is clueless on the operations side. The other group (owners) don't have the classified intelligence data on the threat, but do know the operations side of the network.

    Until the two sides share both info and operations knowledge, cybersecurity isn't possible.

    --
    Two wrongs don't make a right, but three lefts do.
  6. Re:Hire new people asap and get creative by clevershark · · Score: 2, Insightful

    > they should be giving large bonuses/salaries & get creative in order to recruit people ASAP and get them out of this mess

    Of course since we're talking security-related government jobs they'll pay bottom dollar (practically poverty wages in high-cost markets like New York) and be incredibly invasive in terms of privacy.

    --

    My sig is too lon

  7. Who wants a top-down solution anyway? by Quadraginta · · Score: 4, Insightful

    Goodness, who wants the Federal government to be responsible for general IT security in this country? I mean, let's just think carefully through the kind of power over the network they'd need (or say they need) to be given to achieve it.

    Brrr.

  8. DHS bit off more than they can chew by KerberosKing · · Score: 3, Insightful

    All year long, they have had no one at the helm for cybersecurity. It shouldn't surprise anyone. Let's take a job that many different agencies struggled to keep up with before, then add the requirement that they all reorganize into DHS, where instead of computer security being their number one focus, it is one of many concerns. I would bet the funding for DHS compsec is less than the total spent by the separate agency committees. There is only so much you can save by pooling resources, and I would argue it gets lost when you have to compete for attention with WMDs, IEDs and other serious physical security threats.

  9. Not just "unqualified" but also "political". by khasim · · Score: 2, Insightful

    "Unqualified" can be handled by becoming qualified.

    "Unqualified" can be handled by finding and hiring qualified assistants / advisors / etc.

    What we have is a situation where an unqualified person is put in charge of an agency and spends his/her time there working on his/her political connections using the agency's resources. So, over time, the agency is less capable of handling its mission than it was when that person started.

    But that's how our current politicians reward those who've helped them get into office. And it's not likely to change.

  10. Of course, they are not ready by Anonymous Coward · · Score: 1, Insightful

    NSA and CIA disallowed any Windows based products in house except for unsecured desktop boxes and as an upfront web server (but they are simply traps). Now they are under extreme pressure from "above" to allow Windows and windows products in-house, no matter what the security costs are. When politicians make decisions, and not the experts, then we end up with 9/11s. After all, that is exactly what 9/11 and Iraqi invasion were.

  11. Common sense, does it exist? by Alien+Being · · Score: 2, Insightful

    9/11 was preventable. We got pwned by leaving the cockpit doors open even though it was "common" knowledge that the most effective way to thwart hijackings was to NEVER let the bad guys take control of the airplane. If they can manage to crash it, or kill every passenger, so be it. El Al figured this out in the 70's, yet the FAA was too fucking stupid to pay attention.

    Similarly, the Bush administration ignored the valuable information it received from Richard Clarke and even their own Condoleezza Rice. Their motives are unknown, but it's worth considering that maybe they wanted a war from the beginning. The cost can be measured in the trillions of dollars and tens of thousands of lives.

    Hurricane Katrina was an act of nature. Maybe it was a side effect of intelligent design, but that doesn't matter. The lesson is that valuable information was ignored. It doesn't take a rocket scientist to know that category 3 levees won't hold a category 5 storm. A stomping wonder horse could have saved more lives than the horse judge BushCo put in charge of FEMA.

    Cybersecurity is nothing to joke about, yet the one company which has been responsible for the most damage has already been given a walk for other serious crimes. This government will do nothing to make them act responsibly. MS isn't the only one, but they are the prime example. Banks are another obvious concern, but I don't think the Feds will keep them in control now any more than they did during the S&L scandal of the 80's. We shouldn't be surprised. Bush is a family man, and his family has historically put their own interests above those of the USA.

  12. That was known years ago. by khasim · · Score: 4, Insightful

    There was a plot to fly a plane into the Eiffel Tower. We've known planes were considered as weapons for years.

    But planes are physical objects. They cause physical damage. Normal, healthy people can be killed from physical damage.

    What's the very worst that can happen if the Internet goes down?

    That's not a rhetorical question. Think of the worst situation you can and then think of whether it would be better/safer to not have the Internet connected to whatever it is. Nuclear plant cyber-attack? Why have them on the 'net in the first place? Dam flooding a town? Same thing.

    The first thing any "cybersecurity czar" should be doing is making sure that the potential for damage is reduced.

    If the worst thing that they can do is to steal your identity and money online, then you're "safe" in that it won't kill you or physically cripple you.

    But that takes thought and expertise in evaluating the real threat.

  13. Re:Authority grab is the problem by Anonymous Coward · · Score: 2, Insightful

    Your idea is preposterous. A disaster by its nature often overwhelms local resources no matter what planning has taken place. Many local leaders don't know dick about dealing with disasters. If an earthquake hits San Francisco the day after a new mayor takes office, will he be able to handle it? Not likely. The head of FEMA should have known how to deal with disasters, but didn't. There's the real source of the problem.

    By your proposal every single locality in the United States needs to have experts in disaster preparedness even though the likelihood is that it could be centuries between disasters for any given locality. It's ridiculous on its face to believe that any locality could keep up an adequate level of readiness under those conditions. What happens when an unanticipated disaster occurs?

    The other issue is that all the money being thrown around by GW isn't for disaster relief for Hurricane Katrina, it's to cover his exposed rear end after his pathetic lack of leadership. It's clear he's willing to promise any amount of our money for his damage control.

  14. Re:culture of corruption == incompetence by opencity · · Score: 3, Insightful

    > While I do agree that Bush is the poster boy for corruptness, don't forget that both parties are a bunch of corrupt criminals.

    I'm a lesser evilist. No love for the DLC, but they are significantly easier on the long term health of the country and the standard of living of the lower income 99% of the population. Pop quiz: Who balanced the Federal budget and in what year? Question 2: Under which post WWII administration was the most national debt accumulated?

    > Do yourself a favor and stop being an ideologue.

    Why stop being an ideologue? I don't blindly accept dishwater corporate Democratic party me-too-ism, kneejerk lefty utopianism, sectarian rightwing culture warring or highschool libertarianism.

    So if I complain about Clinton cheating on his wife I'm a patriot, if I complain about out of control cronyism or Halliburton overcharges I'm (supporting the terrorists) an ideologue? The 'conservative' movement since Ronald Reagan is completely morally bankrupt (and not very conservative except socially).

    > I give this post a 2/10 on the troll factor.

    It's a start. I'll try harder next time. Why did the Bush dig get on your nerves? You vote for that idiot and the continued looting of the US and now have buyer's remorse? Or should we stick to tech here in which case I USE FLASH (let the flame war begin).

    --
    Physics is like sex: sure, it may give some practical results, but that's not why we do it.
  15. Re:Homeland Non-Security by sinewalker · · Score: 3, Insightful

    Actually I would say that Homeland Security is all about enforcing the US Government's control over its own people, and a prime example of the Freedom that most US Citizens NO LONGER HAVE. Witness:

    * The DMCA
    * The PATRIOT act
    * The increasing biocontrols at air and sea ports
    * Mandatory fingerprints for all US citizens entering or leaving the country
    * The scary ability that US police shows portray of any US citizen being seconds away from a database search, and the apparent acceptance by Hollywood that this is normal and good
    * Unjustified arrests of Americans at protests
    * Unexplained (and probably unjust) deportations of Americans from other countries, for apparent civil disobedience.

    Homeland Security has done nothing about the safety of US Citizens because it is not really about that (that's just the excuse). It is in response to terrorism launched by naturalised Americans against America.

    I am not an American. I am living in a country that also enjoys the same Freedom by Constitutional right that Americans worship, only for Australia it was done without a war and without amendments. I feel sorry for Americans as I watch their freedom being eroded by a runaway dictator president who was not even elected by the People of America. I feel shocked that so many Americans feel that they are still "the land of the free". And I watch in horror as my own country follows that same path.

    --
    “Our opponent is an alien starship packed with nuclear bombs. We have a protractor.” — Neal Stepnenso
  16. Re:Duh! by kcarlin · · Score: 2, Insightful

    When you have over 90% of all computers running on the same family of Operating Systems, with the other less than 10% trying to keep the features to work with the other 90% of the computers. Is a disaster waiting to happen. You can firewall every box, Windows could be the most secure OS in the world, but when you have 90% market share it is going to be a target. Secondly people are afraid to have independent audits on their computer security, they worry about losing their jobs if the auditors find a problem. Also you have the problem where people assume the first line of defence is all you need, so if a virus got through the firewall and virus scanner it just spreads all through the network.

    To my experience, the major issues involved in a desktop procurement from a Federal manager's point of view are: what are my licensing costs? what are my training costs (it is nearly impossible in the Federal workforce to find someone who has never used any version of Windows or Office, and for any other solution the training costs are typically a significant multiple of MS licensing costs)? what are the security issues (it is very difficult for managers to see how open source could possibly be more secure than Microsoft, and most think that any software as heavily targeted would see a similar track record, though the security folks are often more open on this point)? how is his decision going to impact what he pays for IT personnel? will he even be able to find IT personnel? how will he answer his GS15 or SES boss who has just thrown his monitor through the window and into Constitution Avenue because he made a stupid mistake with an unfamiliar user interface ("I'll have Khalid bring up an XP build right away, sir!")?

    Spend an hour with a Federal help desk operation and you will move on to achievable objectives, like ending world hunger. Serious inroads will be made in academia, business, and local government before widespread adoption by the Fed.

    In the meantime, the Federal security folks are in the position of defending everybody's favorite target OS.

    --
    Free Adam Smith! (Or best offer.)