DHS Gets Another "F" In Cyber Security
An anonymous reader writes "For the third straight year, the Department of Homeland Security -- which is charged with charting the federal government's cyber security agenda -- earned a grade of "F" for computer security from a key congressional oversight committee, according to a story at Washingtonpost.com. Not only did the overall government-wide computer security grade remain flat (at a barely-passing "D+"), but several agencies -- mostly those on the "front lines in the war on terror" -- actually managed to fare worse this year."
...they're too busy ensuring the security of US citizens to worry about minor details like ... the security of US citizens.
With all the incompetence being displayed in my government's administration, I many times wonder whether I live in a developed country. Should the meaning of "developed country" be re-defined? Remember, nothing seems to get done right in these United States of America these days.
Well then, time to deface some .gov websites with drawings of the prophet Muhammed...
At one office that I worked in, we made regular trips to the agency's excess equipment warehouse to scrounge for parts that we used to build "new" (newer) computers. That was the only way that we could obtain computing hardware. There was no money in the budget for PCs, even though we were a software development group. We provided our own hardware and software support, by necessity.
My hovercraft is full of eels
It figures. Institutions like the DHS are completely focused on administrative, paper-tiger security, which in the end doesn't result in real security for anyone, but instead in a freedom-diminishing administrative load on everyone.
The National Science Foundation and the General Services Administration each saw their scores rise from a C-plus in 2004 to an A last year. The Environmental Protection Agency and the Department of Labor earned A-plus grades in 2005, up from B and B-minus respectively.
Good to see there are competent people out there, it should not be impossible. It's just sad that the more 'safety-critical' the organization is, the more sloppy they get on critical points in their organization.
molmod.com - computing tips from a molecular modeling
The "Environmental Protection Agency", which uses Linux, got a "grade A"!
The departments are just waiting to be comprehensively attacked by some knuckleheads, so that their military industry sponsors can make money on further upgrading the war machine.
Stop the brainwash
I suspect these people are accountable to nobody, least of all the people. So what's with the infantile school grading?
B minus? D minus? Who cares. It's not like these institutions are going to go home and blub because they got bad school grades. Another propaganda stunt to make you believe your incompetent and unaccountable institutions are actually answerable to anybody imho.
prayer based security?
Being bitter is drinking poison and hoping someone else will die
..other than the consequences of Bush's actions in the Mid East. If the country was under a legitimate threat, then a lot of funding would go into many processes.. Bush is simply artificially exacerbating the threat by stepping on an ant's nest. Why? They are far from stupid. This keeps them in power, and to the masses justifies their actions. Iraq was terrorist free, now it is creating 100s every day. It is this artificially created threat that is BUSH's masterplan,
In government, failure is typically rewarded with more revenue and/or power. You can observe this trend in basically any government program: welfare, education, national defense, all the way down to Amtrak and the postal service. If government actually did achieve its goals, then there would be no justification for more revenue or more power.
As it stands, the US government of today dwarfs the US government of only 50 years ago, both in revenue and power over the people. This wasn't achieved through success; it was achieved through failure. When you're spending other people's money, and collecting that money through a special "right" to sell your product through coercion, things work a little differently than if you had to obtain your revenue voluntarily.
Criticizing DHS can be seen as being unpatriotic.
Free Software: Like love, it grows best when given away.
What if the government put out a bid for someone to undertake cyber attacks against them as well as provide funding for the repair/protection of these systems?
Offer, say, $1M to an organization to start cyber attacks on a specified date. These agencies would know full well that such an attack was coming. Do *YOU* want to be the one to try and explain why *YOUR* system was able to be broken into? Just as there was a huge effort to counteract the Y2K "bug", and we survived it relatively unscathed, I'm thinking a scheduled attack would do wonders in getting things secured, ASAP.
We could have nearly impenetrable systems by year's end.
which is a fairly accurate portrait of organizational incompetence, or would be if the cardinals were a bit more apathetic.
I think, as a rule, governments can effectively only do one hard thing at a time. By "hard" I mean something that in an organizational sense is like computational "hardness": you can't really do a perfect job of it, and you can exhaust all your resources trying to. You can walk and chew gum at the same time because both things are routine and use well-trained motor programs. But if I gave you a marionette, you could probably get it to walk or chew gum, but not both at the same time until by practice you managed to combine the two into a single action.
Governments can run a national park system and regulate food additives at the same time, because these are routine things like walking, well, walking and chewing gum. But organizing DHS at the time we did was, in my opinion, a bit of disastrous overconfidence.
DHS was established in January 2003, at the same time the administration was planning an invasion of Iraq in March. Homeland security is a "hard" problem. War and nation building -- in fact region building -- are also "hard" problems. The only way you can do this is to find some way to combine the two into a single priority. The administration has done this rhetorically -- e.g. the well known "mushroom cloud" threat -- but on a practical day to day basis these efforts are completely separate. DHS so far as I know doesn't have anything to say about what is happening in Iraq, and neither does the Iraq effort consider things like infrastructure security. The only point of contact between the two I can see is that they'd both like to have more of the Coast Guard's bandwidth.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
So, a friend who will remain unnamed, and works for an unnamed contractor, called me one day a few months ago and asked me to scope out an (unnamed) Navy website. He said he saw something suspicious -- looking like a subtle defacement by a 3rd party. So, I went there and took a look and yes, in fact, there was a *tiny* JavaScript insertion in the page calling a JavaScript file from some random IP. I tracked it down -- several indirections later -- to a Chinese website which was causing the insertion of an ActiveX control. It was all very obfuscated and suspicious.
So, my friend contacts the webmaster of the Navy site and explains what he saw, how it was tracked down (he left my name out -- thank god -- since my name is very Islamic and happens to be shared with an at-large Eastern European Islamic terrorist. Bad enough that it's a disaster whenever I *try* to fly. Thanks, dad.) and what did my friend get in return? Thanks? A "We'll look into that, good job, citizen"? No, he was accused of hacking the site, and they informed the Secret Service of him and his "actions".
Fortunately, the SS ( lol ) realized he'd done the right thing and was innocent.
But, seriously folks, how fucked up is this?
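The kind of integrity check that would have flagged the "tiny JavaScript insertion" described in the post above, as an added example that is not from the post or from any Navy site. The allowlist hosts and the sample page (with a script pulled from 198.51.100.23, a documentation-range address) are constructed for the example; in practice the check runs against a fetched copy of a page you own.

```python
import re
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from (constructed allowlist for the example).
ALLOWED_SCRIPT_HOSTS = {"www.example-site.mil", "cdn.example.mil"}

# Matches <script ... src=...> and captures the src value (quoted or bare).
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
# A host that is a bare dotted-quad IPv4 address rather than a name.
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def find_suspicious_script_includes(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (src, reason) pairs for script includes that load from a bare IP
    or from a host outside the allowlist. Relative paths are served by the
    site itself and are not reported."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        # urlparse handles absolute (http://...) and protocol-relative (//...) URLs;
        # a relative path has no hostname.
        host = urlparse(src).hostname
        if host is None:
            continue
        if IP_HOST_RE.match(host):
            findings.append((src, "script loaded from a bare IP address"))
        elif host.lower() not in allowed_hosts:
            findings.append((src, "script loaded from a host outside the allowlist"))
    return findings


# Constructed sample page: two legitimate includes and one injected foreign include.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript" src="https://cdn.example.mil/lib.js"></script>
</head><body>
<h1>Welcome</h1>
<script src="http://198.51.100.23/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_suspicious_script_includes(SAMPLE_PAGE):
        print(f"SUSPICIOUS: {src} ({reason})")
```

Run on a periodic fetch of each page, a non-empty result is the signal to compare against the last known-good copy rather than to wait for a visitor to notice.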
The House Government Reform committee does some investigation and gives an agency a poor grade.
The Secretary for the agency gets grilled by Congress-critters on why their agency is failing, again. The Secretary doesn't really care about IT security, but (s)he does care about not getting grilled by Congress-critters.
The secretary authorizes some obscene amount of dollars to go towards "improving IT security" and signs off on some plans that purport to do this. Often these are bundled together with initiatives for IT centralization, better management practices, the yearly re-org plan, etc. If you're lucky, some fair portion of the obscene dollar amount actually goes towards something that might really help IT security.
Various political appointees (Deputy Secretaries, Assistant Deputy Secretaries, Associate Deputy Assistant Secretaries, etc.) get shuffled around in the post-Congressional-snitfit era and engage in vicious political battles that make Imperial ascension politics in the Roman Empire look like a shuffleboard tournament. This of course immensely helps the prospects of improving IT security.
Meanwhile, various Beltway contractors propose all sorts of interesting things the agency can do with the money. The ones who are already working with the agency make recommendations to steer the dollars towards projects they can successfully bid on and ways they can increase their headcount, and the outsiders try to weasel their way in. Vendors make extravagant promises about their gear and generously distribute dinners, trips, tickets and job offers in desperate attempts to land a multi-million dollar sale.
Somebody (no one ever admits to this later) actually buys off on some subset of these promises and signs a PO to Make This Happen.
The money eventually filters down to the GS-15s and 14s (career employees) and contractors who Actually Do Something instead of going to meetings all day and answering email. They often emulate the successful political appointees above them by holding lots of meetings and sending lots of email. However, they get to Actually Do Something as well. Lucky them.
Some random collection of program managers, unwitting new subcontractor hires, and government support employees are thrown together to Make This Work. If they're lucky, enough of the people on the task have worked together before to know how to navigate through the bureaucratic, corporate and technical obstacles to have something to show for their efforts after 6 months. If not, well, the government paid for Yet Another Jobs Program.
3 times out of 10, the proposed solution fails so miserably that they can't even convince the other contractors and govvies to put it into production.
6 times out of 10, it works just well enough to shoehorn the "solution" into production, as long as the duct tape holds and they can hire enough bodies for the Mongolian Horde approach to IT ("quick, get more people for the overnight shift, the ticket count's escalating again!"). But that's okay, 'cause the same contractors and govvies will get to fix it again next year when the problem still isn't solved.
1 time out of 10, they actually Make It Work. Wow. People stumble around in shock, awe and amazement at what they have created. Users are happy, management is off their backs. But don't worry. Something will change in another 6 months to bring completely new requirements into the picture, and you get to roll the dice again.
"We can categorically state that we have not released man-eating badgers into the area." - Major Mike Shearer, UK
I work for the DHS Inspector General -- the agency that conducts the FISMA assessment.
At least part of the reason that many agencies did worse this year than last can be attributed to:
- A better DHS systems inventory, meaning a larger population of poor systems, as opposed to the big attention-whore systems that are inevitably going to have more money for security. Unfortunately, the systems inventory *still* isn't very good and is primarily based on what managers report as owning, rather than a combination of reporting and discovery via scanning.
- More information available to the Inspector General's office (and more information generally means more negative information, unfortunately). We could also more easily find exceptions/anomalies with the additional information.
- Better FISMA assessment methodologies/processes on the part of the OIG than previous years. The process has been much more streamlined so that more work could be conducted in a shorter period of time (i.e. more problems can be found).
Those are just a few of the major reasons. There are other reasons that are more site specific, for example budget cuts, focus of efforts, etc.