DHS Gets Another "F" In Cyber Security

An anonymous reader writes "For the third straight year, the Department of Homeland Security -- which is charged with charting the federal government's cyber security agenda -- earned a grade of "F" for computer security from a key congressional oversight committee, according to a story at Washingtonpost.com. Not only did the overall government-wide computer security grade remain flat (at a barely-passing "D+" but several agencies -- mostly those on the "front lines in the war on terror" -- actually managed to fare worse this year."

Obviously...

[darnok]

...they're too busy ensuring the security of US citizens to worry about minor details like ... the security of US citizens.

Increased Demands?

[Mattygfunk1]

several agencies -- mostly those on the "front lines in the war on terror" -- actually managed to fare worse this year.

Considering that the findings are given back to the relevant departments to improve upon, going backwards requires that not only are services added but that their security efforts don't even improve or get worse with the new projects.

Perhaps the demands of IT in these departments have increased significantly to account for these services. Anyone know?

__
Funny Adult Videos @ Laugh DAILY

Perhaps they are

[metricmusic]

Perhaps they are purposely performing badly so they can get more funding?

Childish nonsense

I suspect these people are accountable to nobody, least of all the people. So what's with the infantile school grading?
B minus? D minus? Who cares. It's not like these institutions are going to go home and blub because they got bad school grades. Another propaganda stunt to make you believe your incompetent and unaccountable institutions are actually answerable to anybody imho.

Re:Do we live in a developed country?

[quarkscat]

Of course this country has slipped backwards from being a "developed country" into merely
a "developing country". That is a basic tenet of the neocon agenda - globalization of the
economy. High tech and skilled labor jobs are shifted to the lowest labor cost country --
whichever can barely "get the job done" and at the lowest price "wins the contract". USA
employers who cannot shift their labor costs overseas are busy importing cheaper labor
under increased numbers of L1-A and H1-B visas. That, or busy jumping on the neocon
bandwagon to legalize the 28 million illegal aliens that are already in this country. Hand-in-
hand with the influx of illegal alien labor is a massive spike in identity theft and fraudulent
identity documents. The GWB administration favors hiring fellow neocons, regardless of
either their real CV or their civil ethics. Helping to forward their neocon agenda by any means
possible outweighs any concept of good governance, or even of the Constitutional balance
of power, let alone the Bill of Rights.

Why, considering the response to 9-11, to the illegal Iraq war, the "Pharmacutical Company
Welfare Act of 2003", or the Gulf Coast-Katrina disaster, would any sentient being ever be
surprised by what the GWB administration is incapable of doing right?

The Department of Homeland Security is a non sequitor at best (oxymoronic?), and little more
than a tool of the emerging National Corporate Socialist state's grab for absolute executive
power, at worst.

...this is because there is NO threat.

[pixelone]

..other than the consequences of Bush's actions in the mid east. If the country was under a legitimate threat, then a lot of funding would go into many processes.. Bush is simply artificially exacerbating the threat by stepping on an ant's nest. Why ? they are far from stupid. This keeps them in power, and to the masses justifies their actions. Iraq was terrorist free, now it is creating 100s every day. It is this artificially created threat that is BUSH's masterplan,

Re:Bureacratic incompetence?

[asuffield]

Suggesting that makes you an anti-american terrorrist. The Department of Homeland Security will now investigate you at great expense, and if you happen to be a muslim, ship you off to a detainment camp to be held without trial.

The sad part is that this isn't a joke.

Re:Bureacratic incompetence?

In government, failure is typically rewarded with more revenue and/or power. You can observe this trend in basically any government program: welfare, education, national defense, all the way down to Amtrak and the postal service. If government actually did achieve its goals, then there would be no justification for more revenue or more power.

As it stands, the US government of today dwarfs the US government of only 50 years ago, both in revenue and power over the people. This wasn't achieved through success; it was achieved through failure. When you're spending other people's money, and collecting that money through a special "right" to sell your product through coercion, things work a little differently than if you had to obtain your revenue voluntarily.

Re:I think this is by design, folks.

[clydemaxwell]

My segment of DHS is up to spec. I wonder why we never hear about the others.

Re:Do we live in a developed country?

I many times wonder whether I live in a developed country.

Okay, I'll bite.

You act like Americans (or Republicans) have a corner on the incompetence market. Not hardly. Examine any other country and you will find the same crap, it's just not reported so widely in the news as it is here. Try working in an international nonprofit (as I do) working to improve healthcare delivery systems in other countries, and you will start to be very thankful you're an American. Blessed, or lucky, or fortunate; take your pick.

If "nothing seems to get done right in these United States of America these days" then maybe you should turn off the news and start trying to get something "done right"... you might find that a lot of good things are being done. Or, if you don't find anything you like (and you're not willing to change things), then move to another country. Canada, France, Germany, England, Japan, Hong Kong... you'd probably even find Italy or Spain better than the U.S.

Re:Do we live in a developed country?

[jcr]

nothing seems to get done right in these United States of America these days.

Fortunately, we have this other thing called the "Private Sector", which is where many things are done right, and organizations that consistently screw up have been known to go out of business...

-jcr

Cat and Mouse?

[martyb]

What if the government put out a bid for someone to undertake cyber attacks against them as well as provide funding for the repair/protection of these systems?

Offer, say, $1M to an organization to start cyber attacks on a specified date. These agencies would know full well that such an attack was coming. Do *YOU* want to be the one to try and explain why *YOUR* system was able to be broken into? Just as there was a huge effort to counterract the Y2K "bug", and we survived it relatively unscathed, I'm thinking a scheduled attack would do wonders in getting things secured, ASAP.

We could have nearly impenetrable systems by year's end.

Re:Do we live in a developed country?

[Mr.+Underbridge]

That, or busy jumping on the neocon bandwagon to legalize the 28 million illegal aliens that are already in this country.

Do you even pay attention to your own propaganda? I'm pretty sure Republicans aren't in favor of open borders.

And what's with the xenophobia? Worried that a foreigner can do your job better than you?

Re:I think this is by design, folks.

[bermudatriangleoflov]

Honey Pot!!

Re:Do we live in a developed country?

[troll+-1]

With all the incompetence being displayed in my government's administration .......

I'm from the UK and having lived in the US for a number of years I think the US can achieve anything it sets its collective mind to. But the electorate has a neat trick of getting what it wants. Goes like this: Congress passes a law to do XYZ. The electorate says great but then refuses to pay taxes to support it. It's not really incompetence.

Re:resembles department culture as a whole?

[argStyopa]

I'd say it has everything to do with the general age of the individuals running the depts, or if they have a particular 'understanding' of the internet beyond that of their peers.

Look at businesses in the late 90s: you had young tyros running companies that understood both the opportunities and (more significantly in this context) the risks of the internet. They flourished. Then you had the bricks and mortaor companies that took FOREVER to get off the ground, with their hidebound executive and department managers who were all of a generation for whome VCRs were 'new' and the internet something between cable tv and the telephone but not really understood. There were some foresightful managers who 'got it' but most of their peers didn't

I'm guessing, given the generally behind-the-curve nature of non-defense government agencies, that they are still just evolving out of this mindset. The departments with the occasional leader who 'gets it' are very clear on their understanding of what they need to do. The others? Well, until there's an administrative change, they're going to limp along, connecting to the web as ordered but not really understanding why they're doing it.

Reminds me of the Spanish Inquisition sketch

[hey!]

which is a fairly accurate portrait of organizational incompetence, or would be if the cardinals were a bit more apathetic.

I think, as a rule, governments can effectively only do one hard thing at a time. By "Hard" I mean something that in a organizational sense is like computational "hardness": you can't really do a perfect job of it, and you can exhaust all your resources trying to. You can walk and chew gum at the same time because both things are routine and use well trained motor programs. But if I gave you a marionnette, you could probably get it to walk or chew gum, but not both at the same time until by practice you managed to combine the two into a single action.

Governments can run a national park system and regulate food additives at the same time, because these are routine things like walking, well, walking and chewing gum. But organizating DHS at the time we did was, in my opinion, a bit of disasterous overconfidence.

DHS was established in January 2003, at the same time the administration was planning an invasion of Iraq in March. Homeland security is a "hard" problem. War and nation building -- in fact region building, are also "hard" problems. The only way you can do this is to find some way to combine the two into a single priority. The administration has done this rhetorically -- e.g. the well known "mushroom cloud" threat -- but on a practical day to day basis these efforts are completely separate. DHS so far as I know doesn't have anything to say about is happening in Iraq, and neither does the Iraq effort consider things like infrastructure security. The only point of contact between the two I can see is that they'd both like to have more of the Coast Guard's bandwidth.

Re:Do we live in a developed country?

[Halo-]

I'm glad to see we (the US) haven't completely alienated everyone yet. That said, it is worth pointing out that the DHS isn't "being built from the ground up". DHS is basically a conglomeration of a bunch of existing Federal agencies with a bunch of new infrastructure added in.

Of course, I'd argue that it's easier to build security in from scratch than to merge a bunch of government agencies in a clean and tidy fashion, so I agree that DHS has an especially hard task.

The real question is how subjective these "grades" are. What does "cybersecurity" really mean? Attack from the outside? Compartementalization? (that has to be spelled wrong) Prevention of abuse from within? All of the above? Some these are easy to fix, and some are very hard. For obvious reasons the public can't be given a report listing what and where the weaknesses are, but an unpatched Windows machine is a lot more serious if it is on the perimeter than if it's behind three layers of well-managed firewalls.

The government needs a data architect agency.

[plebeian]

I know lets name it the Central Intelligence Agency. Wait we already have such an agency. We should disseminate the other operations that the CIA currently manages to appropriate agencies. Foreign clandestine operations go to the state department...etc. Obviously we would have to maintain security standards across agencies. If the CIA has the mandate they can set standards. If we had one agency that mandated data storage, security and dissemination across government branches we may have been able to foil 911 with a simple data mining operation. As someone who supports a local Police Department we would be more than willing to have some of the more difficult technical requirements for data storage mandated.

The Emperor is stark raving naked!

Your friend is a stupid fuck.

Didn't learn at an early age that you don't dare tell the emperor that he's naked or you'll get your head chopped off.

Here's how it works...

[Morrigu]

The House Government Reform committee does some investigation and gives an agency a poor grade.

The Secretary for the agency gets grilled by Congress-critters on why their agency is failing, again. The Secretary doesn't really care about IT security, but (s)he does care about not getting grilled by Congress-critters.

The secretary authorizes some obscene amount of dollars to go towards "improving IT security" and signs off on some plans that purport to do this. Often these are bundled together with initiatives for IT centralization, better management practices, the yearly re-org plan, etc. If you're lucky, some fair portion of the obscene dollar amount actually goes towards something that might really help IT security.

Various political appointees (Deputy Secretaries, Assistant Deputy Secretaries, Associate Deputy Assistant Secretaries, etc.) get shuffled around in the post-Congressional-snitfit era and engage in vicious political battles that make Imperial ascension politics in the Roman Empire look like a shuffleboard tournament. This of course immensely helps the prospects of improving IT security.

Meanwhile, various Beltway contractors propose all sorts of interesting things the agency can do with the money. The ones who are already working with the agency make recommendations to steer the dollars towards projects they can successfully bid on and ways they can increase their headcount, and the outsiders try to weasel their way in. Vendors make extravagent promises about their gear and generously distribute dinners, trips, tickets and job offers in desperate attempts to land a multi-million dollar sale.

Somebody (no one ever admits to this later) actually buys off on some subset of these promises and signs a PO to Make This Happen.

The money eventually filters down to the GS-15s and 14s (career employees) and contractors who Actually Do Something instead of going to meetings all day and answering email. They often emulate the successful political appointees above them by holding lots of meetings and sending lots of email. However, they get to Actually Do Something as well. Lucky them.

Some random collection of program managers, unwitting new subcontractor hires, and government support employees are thrown together to Make This Work. If they're lucky, enough of the people on the task have worked together before to know how to navigate through the bureaucratic, corporate and technical obstacles to have something to show for their efforts after 6 months. If not, well, the government paid for Yet Another Jobs Program.

3 times out of 10, the proposed solution fails so miserably that they can't even convince the other contractors and govvies to put it into production.

6 times out of 10, it works just well enough to shoehorn the "solution" into production, as long as the duct tape holds and they can hire enough bodies for the Mongolian Horde approach to IT ("quick, get more people for the overnight shift, the ticket count's escalating again!"). But that's okay, 'cause the same contractors and govvies will get to fix it again next year when the problem still isn't solved.

1 time out of 10, they actually Make It Work. Wow. People stumble around in shock, awe and amazement at what they have created. Users are happy, management is off their backs. But don't worry. Something will change in another 6 months to bring completely new requirements into the picture, and you get to roll the dice again.

Re:Get some facts

[Mo+Bedda]

You know, DHS has many sub-organizations within it. There are different groups responsible for IT Security within the different organizations and there is nothing that says "You will do this..." because there are different requirements for each location.

Well, that is part of the problem isn't it. DHS has now had a couple of years to come up with a coherent security plan. While I could understand if they were having problem implementing it over all the different sub-organizations, I think they most certainly should have some "you will do this" documents prepared by this point.

How many of you techs work in an enviornment where you can't download drivers from an FTP site without approval and access to a specific machine that is locked down? A 2 min download takes a day to get signed off on.

Probably more than you think. I don't think I've ever worked somewhere where things like driver upgrades to "locked down" production systems did not require somebody to signoff on it. Generally it required things like a deployment plan, some sort of certification of code on a test system, and a roll-back plan should things not go as planned. If you are interested in security, allowing folks to download drivers from the Internet on their own is not a good idea. Most software should be coming from some central organization which manages a secure software repository. While I understand your frustration, your attitude is part of the problem.

It may not be like this in all of DHS, but, I can tell you that there are locations where someone needs to do a review to relax the existing level of security to allow people to do some work. This whole issue is B.S. in my eyes. The only way to make a passing grade based on government standards is to kick out all of the users and build a token-ring that's not connected to the outside world.

Perhaps you should view keeping data secure as part of getting some work done. And if you are fail to do so, your work is a failure. View security as a requirement rather than an problem. Some agencies seem to be able to manage secure thanselves without cutting themselves of from the world. From TFA, "The National Science Foundation and the General Services Administration each saw their scores rise from a C-plus in 2004 to an A last year. The Environmental Protection Agency and the Department of Labor earned A-plus grades in 2005, up from B and B-minus respectively."

Is Bush Working for the Terrorists?

[Doc+Ruby]

If the 9/11/2001 planebombs (including direct hit on the Pentagon) and the ever-increasing terrorism rate since we invaded Iraq aren't enough for Bush to get even a passing grade in Homeland Security, he never will. Even the Katrina flood disaster, in which an entire American city was destroyed while Homeland Security's FEMA agency flailed, wasn't enough to get their asses in gear. Meanwhile, that vast catastophic failure of DHS is used to justify spying on Americans. Including spying on completely peaceful pacifists, just because they peacefully oppose Bush's war policies.

We have never been weaker or more unsafe. Our union is divided everywhere, persecuted by our government, churning our experienced national security personnel (including our military) into a useless, expensive albatross around our neck. If someone actually attacked us, we'd be worse off than before we got all these "warnings", many of which are already killing thousands of Americans.

These clowns have got to go.

I work for DHS, help grade them, and...

[mgoodman]

...I wanted to reiterate that this is ONLY based on Federal Information Security Management Act (FISMA) reporting. Essentially, FISMA reporting is a basic assessment of system vulnerabilities and policies/procedures. Additionally, reporting is inaccurate, as the system being evaluated must be in the DHS systems inventory -- most systems are not because DHS has a poor inventory. Therefore, most systems are not even evaluated.

So, if this "report card" were properly reported, more systems would be in the population (and sample, since I feel sample size is too low). And if better, more in-depth security assessments were done, DHS would probably do even worse. I just wanted to give you the warm fuzzies...

Anyhow, people the under the CISO (Bob West) are working to get a better inventory and to improve FISMA reporting, but the processes are painfully slow due to growing pains, political battles and the typical laziness that consumes government workers.

We should get some more guys from the casino and porn industries in here to whip system security into shape...seriously...

Psha.

[mgoodman]

I don't know many GS-14's or -15's that actually do anything...and I've met a LOT.

The government needs to eliminate this bullshit job security and make people work for a living. If people don't work and meet performance standards, they should get fired.

But no, that's much too logical. Instead, we allow people to put in a good couple years when they're young (and want to work) and then support them through the rest of their life while they slack off and can't be fired. Most people need some sort of fear for their job or they won't work. It's as if every government worker past three years has won the lottery -- at least 50k/year for the rest of their life for doing nothing. Shit, I should stop contracting...

Re:Do we live in a developed country?

[quarkscat]

The GB Bush regime was swept into power in 2000 illegally -- first disenfranchizing
thousands of Florida voters accused of being ineligible to vote, then failing to recount
ALL Florida votes in a timely fashion, and then relying upon the SCOTUS (filled with
Reaganite nominees) to determine the Presidency.

After the illegal DeLay gerrimandering of Texas, the GOP made gains in the HR. Combined
with the no-paper-trail-audit electronic voting machine debacle of 2004, in which vote
tallies were wildly different from exit poll data, the GOP stole the 2004 election. (I think
that 24 states have now reverted to recount-enabled paper ballots for the mid-term
elections this fall. That, however, does not adequately counter the continued use of the
fraud-enabled electronic voting machines still in use - funded in 2002 to the tune of $6
  Billion USD by the appropriately misnamed "Help America Vote (Our Way)" legislation.

Between the full-court propaganda press by the GW Bush regime, partially funded by our
tax dollars, and the nearly total shutdown of information not following the official "party
line" from the Executive branch to either Congress or the Press, I hold out little hope for
this country to throw off the yoke of an increasingly totalitarian government in 2006,
or even in 2008. The opposition party doesn't have either a unified message nor a viable
party platform, AFAIK. Between the anthrax letters of October 2001 and the illegal domestic
spying that has continued against all political opposition, they are (apparently) scared shitless.