Slashdot Mirror
U.S. Cybersecurity Not So Secure?
freaktheclown writes "According to CNet, 'government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be 'unprepared' for emergencies.'" The article discusses FEMA's handling of relief efforts for hurricane Katrina and how a very similar situation exists with electronic security measures in the U.S. In addition to a conjecture the department of cybersecurity has been "plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying experts and industry groups."
... are given jobs because of their political affiliations.
Yes, unqualified people performing serious jobs leads to nothing but problems.
Cyric Zndovzny at your service.
Cybersecurity not so secure?
That's like jumbo shrimp!
I keep all my usernames/passwords on a Geocities hosted site.
Well duh, it's hardly surprising, when everything's considered.
My sig is too lon
The core of the problem is that users continue to not understand what they are doing or using. People expect things to "just work" and if it breaks they will have it fixed. Many people treat their cars this way. They know how to drive them, but not how to fix them if they break down. If we can't educate the users in the safe and proper use of their machines, we will continue to have such problems. If the mainstream OS continues to be riddled with security holes that grandma doesn't know how to patch, we will continue to have these 100,000 node bot nets.
Education and training actually does better security and society as a whole.
zork% mv *.asp
283 files eaten by a grue
And what good is a "federal overseer" when they have no jurisdiction over half of the network?
I say that we're no worse off for not having a top-dog. It's a meaningless, ineffective position. Why spend the money on it, much less promote the position to a direct report under the DIRHSA?
John
Let he who is without sin...
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
One group (govt) may understand the threat, but is clueless on the operations side. The other group (owers) don't have the classified intelligence data on the threat, but do know the operations side of the network.
Until the two sides share both info and operations knowledge, cybersecurity isn't possible.
Two wrongs don't make a right, but three lefts do.
they should be giving large bonuses/salaries & get creative in order to recruit people ASAP and get them out of this mess Of course since we're talking security-related government jobs they'll pay bottom dollar (practically poverty wages in high-cost markets like New York) and be incredibly invasive in terms of privacy.
My sig is too lon
Yep, shoot all computer users and make sure the damn things are never turned on agai35[cf(*^NO CARRIER
AT&ROFLMAO
Goodness, who wants the Federal government to be responsible for general IT security in this country? I mean, let's just think carefully through the kind of power over the network they'd need (or say they need) to be given to achieve it.
Brrr.
All year long, they have had no one at the helm for cybersecurity. It shouldn't surprise anyone. Let's take a job that many different agencies struggled to keep up with before, then add the requirement that they all reorganize into DHS, where instead of computer security being their number one focus, it is one of many concerns. I would bet the funding for DHS compsec is less than the total spent by the seperate agency committees. There is only so much you can save by pooling resources, and I would agrue it gets lost when you have to compete for attention with WMDs, IEDs and other serious physical security threats.
"Unqualified" can be handled by becoming qualified.
"Unqualified" can be handled by finding and hiring qualifed assistants / advisors / etc.
What we have is a situation where an unqualified person is put in charge of an agency and spends his/her time there working on his/her political connections using the agency's resources. So, over time, the agency is less capable of handling its mission than it was when that person started.
But that's how our current politicians reward those who've helped them get into office. And it's not likely to change.
Much of the Federal government has a sub-optimal track record in the security arena. In March of 2004 Rick Forno published an article (with links) that summarized Uncle Sam's security issues:
The farce of federal cybersecurity
(That's the title Rick used, btw.)
I want to drag this out as long as possible. Bring me my protractor.
9/11 was preventable. We got pwned by leaving the cockpit doors open even though it was "common" knowledge that the most effective way to thwart hijackings was to NEVER let the bad guys take control of the airplane. If they can manage to crash it, or kill every passenger, so be it. El Al figured this out in the 70's, yet the FAA was too fucking stupid to pay attention.
Similarly, the Bush administration ignored the valuable information it received from Richard Clarke and even their own Condoleezza Rice. Their motives are unknown, but it's worth considering that maybe they wanted a war from the beginning. The cost can be measured in the trillions of dollars and tens of thousands of lives.
Hurricane Katrina was an act of nature. Maybe it was a side effect of intelligent design, but that doesn't matter. The lesson is that valuable information was ignored. It doesn't take a rocket scientist to know that category 3 levees won't hold a category 5 storm. A stomping wonder horse could have saved more lives than the horse judge BushCo put in charge of FEMA.
Cybersecurity is nothing to joke about, yet the one company which has been responsible for the most damage has already been given a walk for other serious crimes. This government will do nothing to make them act responsibly. MS isn't the only one, but they are the prime example. Banks are another obvious concern, but I don't think the Feds will keep them in control now any more than they did during the S&L scandal of the 80's. We shouldn't be surprised. Bush is a family man, and his family has historically put their own interests above those of the USA.
There was a plot to fly a plane into the Eiffel Tower. We've known planes were considered as weapons for years.
But planes are physical objects. They cause physical damage. Normal, healthy people can be killed from physical damage.
What's the very worst that can happen if the Internet goes down?
That's not a rhetorical question. Think of the worst situation you can and then think of whether it would be better/safer to not have the Internet connected to whatever it is. Nuclear plant cyber-attack? Why have them on the 'net in the first place? Dam flooding a town? Same thing.
The first thing any "cybersecurity czar" should be doing is making sure that the potential for damage is reduced.
If the worst thing that they can do is to steal your identify and money online, then you're "safe" in that it won't kill you or physically cripple you.
But that takes thought and expertise in evaluating the real threat.
FEMA can do nothing but react to an event and throw more debt at the problem. Unfortunately this leads to problems down the road - not only does it push the federal government closer to insolvency - but it leads to all kinds of expectations on the part of locals who develop the "we'll just sit back and wait for the calvary" mentality. Not only this, but you end up with gross inequity in the response: federal dollars to New Orleans for Katrina are already about 5 times the aid sent to Florida for four hurricanes combined. FEMA has given out some $600,000,000 in "emergency cash disbursements" so far, with many people upset that only the first 10,000 or so were given $2,000 cash cards. New Hampshire recently saw a few hundred people flooded out and it wouldn't shock me in the slightest if some of them file lawsuit under the equal protection clause asking for $2,000 cash cards, FEMA-paid apartments around the country and the like.
Local emergencies should be handled by city, the county, the state and then the federal. In that order. And the federal should not be allowed to call any of the shots: they should provide resources only but all decisions should be made by the local leaders.
If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
Check TFA and you'll see where it's talking about those professionals leaving now.
If the Department of Homeland Paranoia were to implement such a system, I feel confident they'd score an A on their next evaluation, and would be as close to invulnerable as you can be using a computational system. People may disagee - and probably will - but I'd like to know where they think they'd be able to break in.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
>While I do agree that Bush is the poster boy for corruptness, dont forget that both parties are a bunch of corrupt criminals.
I'm a lesser evilist. No love for the DLC, but they are significantly easier on the long term health of the country and the standard of living of the lower income 99% of the population. Pop quiz: Who balanced the Federal budget and in what year? Question 2: Under which post WWII administration was the most national debt accumulated?
> Do yourself a favor and stop being an idealogue.
Why stop being an idealogue? I don't blindly accept dishwater corporate Democratic party me-to-ism, kneejerk lefty utopianism, sectarian rightwing culture warring or highschool libertarianism.
So if I complain about Clinton cheating on his wife I'm a patriot, if I complain about out of control cronyism or Haliburton overchages I'm (supporting the terrorists) an idealogue? The 'conservative' movement since Ronald Reagan is completely morally bankrupt (and not very conservative except socially).
> I give this post a 2/10 on the troll factor.
It's a start. I'll try harder next time. Why did the Bush dig get on your nerves? You vote for that idiot and the continued looting of the US and now have buyer remorse? Or should we stick to tech here in which case I USE FLASH (let the flame war begin)
Physics is like sex: sure, it may give some practical results, but that's not why we do it.
Actually I would say that Homeland Security is all about enforcing the US Government's control over it's own people, and a prime example of the Freedom that most US Citizens NO LONGER HAVE. Witness:
* The DMCA
* The PATRIOT act
* The increasing biocontrols at air and sea ports
* Mandatory fingerprints for all US citizens entering or leaving the country
* The scary ability that US police shows portray of any US citizen being seconds away from a database search, and the apparent acceptance by Hollywood that this is normal and good
* Unjustified arrests of Americans at protests
* Unexplained (and probably unjust) deportations of Americans from other countries, for apparent civil disobedience.
Homeland Security has done nothing about the safety of US Citizens because it is not really about that (that's just the excuse). It is in response to terrorism launched by naturalised americans against America.
I am not an American. I am living in a country that also enjoys the same Freedom by Constitutional right that Americans worship, only for Australia it was done without a war and without ammendments. I feel sorry for Americans as I watch their freedom being erroded by a runaway dictator president who was not even elected by the People of America. I feel shocked that so many Americans feel that they are still "the land of the free". And I watch in horror as my own country follows that same path.
“Our opponent is an alien starship packed with nuclear bombs. We have a protractor.” — Neal Stepnenso
When you have over 90% of all computers running on the same family of Operating Systems, with the other less then 10% trying to keep the features to work with the other 90% of the computers. Is a disaster waiting to happen. You can firewall every box, Windows could be the most secure OS in the world, but when you have 90% market share it is going to be a target. Secondly people are afraid to have an independent audits on their computer security, they worry about loosing their jobs if the auditors find a problem. Also you have the problem where people assume the first line of defence is all you need, so if a virus got threw the firewall and virus scanner it just spreads all threw the network.
To my experience, the major issues involved in a desktop procurement from a Federal manager's point of view are: what are my licensing costs? what are my training costs (it is nearly impossible in the Federal workforce to find someone who has never used any version of Windows or Office, and for any other solution the training costs are typically a significant multiple of MS licensing costs)? what are the security issues (it is very difficult for managers to see how open source could possibly be more secure than Microsoft, and most think that any software as heavily targeted would see a similar track record, though the security folks are often more open on this point)? how is his decision going to impact what he pays for IT personnel? will he even be able to find IT personnel? how will he answer his GS15 or SES boss who has just thrown his monitor through the window and into Constitution Avenue because he made a stupid mistake with an unfamiliar user interface ("I'll have Khalid bring up an XP build right away, sir!")?
Spend an hour with a Federal help desk operation and you will move on to achievable objectives, like ending world hunger. Serious inroads will be made in academia, business, and local government before widespread adoption by the Fed.
In the meantime, the Federal security folks are in the position of defending everybody's favorite target OS.
Free Adam Smith! (Or best offer.)
Am I the only person who is tired of the rhetoric "Since September 11th, each and every American's life has changed"? For those outside of the goverment, and particularly the military, has it really? Certainly we have mangled the Bill of Rights beyond recognition, but am I the only one whose reaction to the 2nd attack on the WTC was "well, it finally happened?" And the notion that using commercial airliners as weapons was unthought of? Given that Tom Clancy is a best selling author, the odds that no one in US security infrastructure read about that scenario is close to zero.
I'm not the CyricZ from GameFAQs. My name is Cyric Zndovzny. I think his name is Scott Zdankiewicz. We're different people. I am, however, a vocal opponent of the forums at their site. I found out about that site after somebody pointed out that he was also using the username I'm using here.
In any case, the mainstream media puts up token opposition. But it's not true opposition in any way. I mean, does NBC really want to point out his flaws? Probably not, considering they're owned by General Electric. And General Electric is in the war industry. And Bush has perhaps been the greatest thing going for such industrialists, considering his interest in starting numerous wars.
The media is neither conservative nor liberal. It's corporatist. And as such it won't act as the media should, truly questioning the government all of the time.
Cyric Zndovzny at your service.