DHS Gets Another "F" In Cyber Security
An anonymous reader writes "For the third straight year, the Department of Homeland Security -- which is charged with charting the federal government's cyber security agenda -- earned a grade of "F" for computer security from a key congressional oversight committee, according to a story at Washingtonpost.com. Not only did the overall government-wide computer security grade remain flat (at a barely-passing "D+"), but several agencies -- mostly those on the "front lines in the war on terror" -- actually managed to fare worse this year."
At one office that I worked in, we made regular trips to the agency's excess equipment warehouse to scrounge for parts that we used to build "new" (newer) computers. That was the only way that we could obtain computing hardware. There was no money in the budget for PCs, even though we were a software development group. We provided our own hardware and software support, by necessity.
My hovercraft is full of eels
The "Environmental Protection Agency", which uses Linux, got a "grade A"!
So, a friend who will remain unnamed, and works for an unnamed contractor, called me one day a few months ago and asked me to scope out an (unnamed) Navy website. He said he saw something suspicious -- looking like a subtle defacement by a third party. So, I went there and took a look and yes, in fact, there was a *tiny* JavaScript insertion in the page calling a JavaScript file from some random IP. I tracked it down -- several indirections later -- to a Chinese website which was causing the insertion of an ActiveX control. It was all very obfuscated and suspicious.
So, my friend contacts the webmaster of the Navy site and explains what he saw, how it was tracked down (he left my name out -- thank God -- since my name is very Islamic and happens to be shared with an at-large Eastern European Islamic terrorist. Bad enough that it's a disaster whenever I *try* to fly. Thanks, Dad.) and what did my friend get in return? Thanks? A "We'll look into that, good job, citizen"? No, he was accused of hacking the site, and they informed the Secret Service of him and his "actions".
Fortunately, the SS ( lol ) realized he'd done the right thing and was innocent.
But, seriously folks, how fucked up is this?
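The check the poster describes above (a tiny injected script tag loading from a bare IP) can be automated on the defender's side. The following is an added example, not code from the original post or from the site involved; it assumes a hypothetical allowlist of hosts the page is expected to load scripts from, and runs over a constructed sample page.

```python
"""Flag <script src> references that load from an IP literal or an untrusted host."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts this site legitimately serves scripts from (hypothetical).
TRUSTED_HOSTS = {"www.example.mil", "example.mil"}


class _ScriptSrcCollector(HTMLParser):
    """Collect every src attribute found on a <script> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def _is_ip_literal(host):
    """True if the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_script_sources(html, trusted_hosts=TRUSTED_HOSTS):
    """Return script src URLs that point at an IP literal or a host outside the allowlist.

    Relative paths (no host) are same-origin and are not flagged; protocol-relative
    URLs such as //203.0.113.5/a.js are parsed and checked like absolute ones.
    """
    parser = _ScriptSrcCollector()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        host = urlparse(src, scheme="http").hostname
        if host is None:
            continue
        if _is_ip_literal(host) or host.lower() not in trusted_hosts:
            flagged.append(src)
    return flagged


# Constructed sample page: two legitimate scripts plus one small injected tag.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://www.example.mil/js/menu.js"></script>
</head><body><p>Welcome</p>
<script src="http://198.51.100.23/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for src in suspicious_script_sources(SAMPLE_PAGE):
        print("suspicious script source:", src)
```

Run against a saved copy of a page on each crawl and diff the result against the previous run to catch a new external script source the moment it appears.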
It's still un-American, so there! ;-)
Here's the link to the full report from OMB:
FY 2005 Report to Congress on Implementation of The Federal Information Security Management Act of 2002
I read through the DHS scorecard... There are a number of initiatives at work in the Department right now that address a number of these issues. (For instance, the 2006 DHS Security Awareness training does talk about the department's policy on P2P networking...)
I don't think anyone's done a good job of saying what this report actually is, and what it isn't. The report talks about FISMA compliance, and how each agency is doing in that respect. It's not a report about Penetration Testing, or anything to that effect.
[Posting anonymously because I like my job a lot.]
according to this story, which is a kind of "Greatest Hits" for DHS that will curl your toes.
(%i1) factor(777353);
(%o1) 777353
I work for the DHS Inspector General -- the agency that conducts the FISMA assessment.
At least part of the reason that many agencies did worse this year than last can be attributed to:
- A better DHS systems inventory, meaning a larger population of poor systems, as opposed to the big attention-whore systems that are inevitably going to have more money for security. Unfortunately, the systems inventory *still* isn't very good and is primarily based on what managers report as owning, rather than a combination of reporting and discovery via scanning
- More information available to the Inspector General's office (and more information generally means more negative information, unfortunately). We could also more easily find exceptions/anomalies with the additional information
- Better FISMA assessment methodologies/processes on the part of the OIG than previous years. The process has been much more streamlined so that more work could be conducted in a shorter period of time (i.e. more problems can be found).
Those are just a few of the major reasons. There are other reasons that are more site specific, for example budget cuts, focus of efforts, etc.
In the Air Force, shops are encouraged every budget cycle to go over budget. If you don't go over budget, then you must not need the money you're getting, and your funding gets cut. If you go over budget, you get more money. Multiply that exponentially and you have the whole government.
Never give in--never, never, never, never, in nothing great or small, large or petty, never give in except to conviction
Now, if those 30,000 desktops had to be tied into the FBI's secure networks, I can understand exactly how costs can go ridiculously high.
Essentially, everyone from the company you're buying these products from to the people physically moving and installing the hardware have to be cleared to handle the equipment.
That costs a ton of money right there. Background checks and insurance aren't cheap and that jacks up the prices for everything. They aren't just buying computers, they're paying a contractor to do everything and then to provide support.
If you don't think through the situation, it can easily seem like they're just wastefully burning up cash. Very few things are as straightforward as they seem at first glance.
[Fuck Beta]
The problem is not that the DHS is being built from scratch. The problem is that the DHS is an effort to combine a number of agencies that may or may not have similar missions, goals, organization methods, etc. Just look at this (partial?) list and tell me what they have in common and why it makes sense to combine all of them:
* The U.S. Customs Service (Treasury)
* The Immigration and Naturalization Service (part) (Justice)
* The Federal Protective Service
* The Transportation Security Administration (Transportation)
* Federal Law Enforcement Training Center (Treasury)
* Animal and Plant Health Inspection Service (part) (Agriculture)
* Office for Domestic Preparedness (Justice)
* The Federal Emergency Management Agency (FEMA)
* Strategic National Stockpile and the National Disaster Medical System (HHS)
* Nuclear Incident Response Team (Energy)
* Domestic Emergency Support Teams (Justice)
* National Domestic Preparedness Office (FBI)
* CBRN Countermeasures Programs (Energy)
* Environmental Measurements Laboratory (Energy)
* National BW Defense Analysis Center (Defense)
* Plum Island Animal Disease Center (Agriculture)
* Federal Computer Incident Response Center (GSA)
* National Communications System (Defense)
* National Infrastructure Protection Center (FBI)
* Energy Security and Assurance Program (Energy)
* United States Secret Service
* United States Coast Guard
Now tell me how easy it is to combine all these agencies effectively and securely. All these agencies already have information systems and networks that will need to be joined together.