Slashdot Mirror


Unisys Investigated For Covering Up Cyber-Attacks

Stony Stevenson writes "Unisys, a major government IT contractor, is reportedly being investigated for failing to detect cyber-attacks, and then covering up its failings. Two US congressmen have called for an investigation into cyber-attacks aimed at the Department of Homeland Security, along with a contractor (that would be Unisys) charged with securing those networks. 'The House Committee on Homeland Security's investigations led them to believe the department is under attack by foreign powers, and could be at risk because of "incompetent and possibly illegal activity" by a US contractor. The congressmen didn't name the contractor in the letter. However, the Washington Post on Monday reported that the FBI is investigating Unisys, a major information technology firm with a $1.7 billion Department of Homeland Security contract, for allegedly failing to detect cyber break-ins traced to a Chinese-language Web site and then trying to cover up its deficiencies.'" Unisys denies it all.

9 of 114 comments

  1. Well... by Bananatree3 · Score: 3, Insightful

    Security of critical gov't systems SHOULDN'T be left to some missionary IT support. It should be done in house. Period.

  2. Typical govt C&A hokum by mbstone · Score: 5, Interesting

    Among my various other gigs, I've often worked as a contractor doing certification and accreditation (C&A) paperwork for half a dozen fed. govt. agencies. "C&A" is the required paperwork that is supposed to certify that an agency's systems have been secured in accordance with applicable NIST, DoD, etc. standards. Understand that many, if not most, agencies devote far more time, money, and effort to making the paperwork look good than they do to actually securing the systems. Some agencies, and some of their contractors, think the NIST SP 800-37 C&A process, DIACAP, FISMA reporting, etc., is just a worthless paper shuffle. Some are even still using SP 800-26 risk assessment questionnaires in lieu of a full C&A. I can't tell you how many job interviews I've gone on where the contractor company's hiring manager would actually brag about how they are going to falsify the C&A and snow the agency's inspector general, OMB, or whomever. My standard response to that has been, "Can I visit you in prison?" (Usually this spells the end of that particular interview process.) Since, up to now, nobody has actually gone to federal prison for submitting bogus C&A documentation, some people thought they could get away with this kind of bogosity forever. A strange and unlikely confluence of events caused the Unisys situation: they (allegedly) cheated on the C&A process, AND the intruders pwned the DHS network, including the main admin password. The successful intrusions caused an audit which exposed the C&A fraud (which otherwise would have slid on by). Too bad, so sad.

    1. Re:Typical govt C&A hokum by Rich0 · Score: 3, Informative

      I'd say the same thing applies in many regulated industries where it is required to document that a computer system meets various quality standards.

      Far more money gets spent on documenting that the system works correctly than actually making the system work correctly. Often you end up with a system that looks great on paper that has lots of bugs in actual operation. Lots of tests get written that look like they test something but which rarely uncover bugs. The whole exercise costs a fortune, and largely exists to satisfy auditors (whether internal or external to the company performing the exercise).

      Techniques like agile programming, automated testing, code reviews, etc. are shunned because they're non-traditional and don't generate lots of paper. There is a fear that in an audit a government representative who hasn't signed on to the methodology might hammer you to death over not having a 2000 page design specification and a load of tests written and executed by everybody from the programmers, to IT QA, to end users (often the same exact test gets reformatted and run by all parties just so that it can be said that everybody had a hand in testing).

      I once had to evaluate whether it was safe to directly modify a particular database field in an application, and was relieved to see that this application had one of those aforementioned thick design specifications. Then I was dismayed to find out that the only documentation there was on the field was the fact that it existed, what table it was in, what it was called, what kind of field it was, and what it contained (WidgetCorrectionFactor = Factor used to Correct the Widget value - really helpful as if I couldn't have guessed that much from the field name!). Absent was any kind of documentation as to what code might reference that field or what tables might join to it. I could search the source for the field name, but then there wasn't any kind of documentation or flow charts indicating the typical system workflow or in what order the various routines might get called. It was like documenting all the cell types in an animal without bothering to indicate what the actual animal looked like and how everything went together. But the auditors loved the document.

      The issue is that most often QA and management and external auditors have no way of knowing whether a piece of code actually works or not. So, instead they look for stuff they can understand - paperwork. The paperwork does tend to lead to some basic form of quality, but rarely does it lead to code that doesn't break down on all the various one-off cases that don't make their way into human-executed tests. I'll take a simple automated test that can be executed against a matrix of input values over a complex human-executed test that only ever gets run once (and is likely not repeated every time a piece of seemingly-unrelated code is touched) any day!

  3. Re:Typical unisys by El+Torico · Score: 4, Interesting

    As with most government contracts you have to have a clearance to actually work on it, something not easily obtained by a lot of U.S. citizens...

    This is a big part of the problem. The vast majority of Government Contractors are only marginally qualified and got their jobs by having the clearance, not by being technically proficient. This is known as "warm bodies" syndrome since many contracts pay per position filled. Getting a clearance can take years, depending on the level, and usually takes months, so this is a high barrier to entry and keeps a lot of smart people out.

    There are many very capable and well-qualified people in Government Contracting, but they are a minority. Of course, Management, being what it is, doesn't want to give bad news to a customer, so sometimes they "muddy the waters".

    --
    In the land of the blind, the one-eyed man is usually crucified.

  4. Re:Typical unisys by chuckymonkey · Score: 3, Informative

    Let's just say I have insight into the subject and it would be extremely difficult to do. Heavy auditing, random inspections, random pen testing, and many, many myriad things would get in the way of that. Also, most networks in govt. are totally segregated (reference air-gap) from the rest of the world, so with anything actually sensitive it would be completely impossible. I know that you're going to scoff at that statement, but trust me when I say that the cost of offshoring anything like that would be extremely expensive, not to mention illegal, and when dealing with govt. contracts you play by their rules. They are very lucrative contracts and one violation can lose the entire thing, so it really isn't in a company's best interest to even try it with govt. contracts; the risk vs. reward is much too great.

    --
    "Some books contain the machinery required to create and sustain universes."-Tycho

  5. Re:Typical unisys by thejynxed · Score: 3, Interesting

    Actually, Unisys hires through temp agencies and the temps only have to pass an FBI background check.

    I know this, because I worked for IBM in a government data center at the time. We handled the big iron (oddly enough, including some machines from Sun and some ancient AS/400s) and the Unisys flunkies did operations and tape library stuff (cartridge and reel to reel). DOT, IRS, etc. stuff. Believe it or not, they had PCs in there running Win95 and NT4 with no egress filtering to the internet... There were quite a few Ukrainian, Chinese, Russian and Estonian employees working there for Unisys. Over in the other room Lockheed Martin had their stuff running. No one but U.S. citizens allowed in there, and no outside internet access. I pitied the network admins (not really).

    --
    @Mindless Drivel: 100% of Twitter posts ever Tweeted.

  6. Re:Incompetence on both ends - Gov't BS by Anonymous Coward · Score: 3, Insightful

    Anyone who has worked inside government IT, whether directly or as a contractor, will know that this is government politics at play. There are exceptions, but most highly skilled and trained system administrators are going where the money is, and it's not working as a gov't employee. I know. A gov't IT department may have policies and procedures up the wazoo, but at the same time no budget or authority to ensure compliance. Exception is the rule in gov't. Here's an example:

    "Sir, there appear to be attacks against our systems from China."

    "Are you telling me that China is attacking us? Can you provide proof beyond a doubt that it is China attacking our systems? How did you detect this attack?"

    "Sir, it shows up in the firewall and IDS logs."

    "What are firewalls or IDS? Did you get that report done... blah blah blah, that I asked for? Why are you looking at the logs when I need real work done? What is the status of project A, B, C? Go help fix a computer somewhere."

    "Sir, should I not be looking at the logs?"

    "What, are you stupid? Did I TELL you to look at the logs? Go fix a computer or something."

    So, you train a govt IT person in computer security and they get a CISSP and maybe a SANS cert or two. But, they have to continue working with people who won't allow them to use the knowledge. They're leaving.

    Generally speaking, my experience is that many departments in gov't don't follow their own process or rules and they breed an air of idiotic compliance. Then they fire the blame gun when a problem erupts.

    I was told by a long term employee when I asked how to survive in gov't so long... "for every situation, always have a putz lined up." Smart sysadmins in gov't learn that they will be the putz and leave.
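
    The exchange above turns on the analyst's one piece of evidence: "it shows up in the firewall and IDS logs." Below is an added example, not from this thread and not from any DHS or Unisys system, of what turning those logs into something a manager can act on looks like: a small Python triage script that groups denied connections by external source address, checks whether the IDS corroborates, and emits one summary line per source worth reporting. The log format, the sensor names (fw1, ids1), the addresses (RFC 5737 documentation ranges for "outside", 10.0.5.0/24 for "inside") and the deny threshold are all constructed for the example.

```python
"""Triage a batch of firewall/IDS log lines: which external sources keep
getting denied, and does the IDS corroborate?  Added example with a
constructed log format; nothing here is a real log or a real detection rule."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an invented "key=value" firewall/IDS format.
SAMPLE_LOG = """\
2007-09-24T09:14:01 fw1 DENY TCP src=198.51.100.23 dst=10.0.5.10 dport=22
2007-09-24T09:14:02 fw1 DENY TCP src=198.51.100.23 dst=10.0.5.11 dport=22
2007-09-24T09:14:03 fw1 DENY TCP src=198.51.100.23 dst=10.0.5.12 dport=22
2007-09-24T09:14:03 fw1 ALLOW TCP src=10.0.5.50 dst=10.0.5.10 dport=445
2007-09-24T09:14:04 fw1 DENY TCP src=198.51.100.23 dst=10.0.5.13 dport=22
2007-09-24T09:14:09 fw1 DENY TCP src=198.51.100.23 dst=10.0.5.14 dport=22
2007-09-24T09:14:10 fw1 DENY TCP src=198.51.100.23 dst=10.0.5.10 dport=3389
2007-09-24T09:20:41 fw1 DENY TCP src=192.0.2.77 dst=10.0.5.10 dport=80
2007-09-24T09:31:05 ids1 ALERT src=198.51.100.23 dst=10.0.5.10 sig="SSH brute-force attempt"
2007-09-24T09:35:12 fw1 ALLOW TCP src=10.0.5.51 dst=10.0.5.10 dport=22
"""

# Assumed internal address space (RFC 1918); an operator would list their own.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<sensor>\S+) (?P<action>DENY|ALLOW|ALERT) .*?'
    r'src=(?P<src>\S+) dst=(?P<dst>\S+)'
    r'(?: dport=(?P<dport>\d+))?(?: sig="(?P<sig>[^"]*)")?'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def is_internal(ip):
    """True if the address falls inside one of our own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(log_text, deny_threshold=5):
    """Group events by external source address. A source is flagged when it
    was denied at least deny_threshold times or when the IDS alerted on it."""
    per_src = defaultdict(lambda: {"denies": 0, "targets": set(), "ports": set(),
                                   "alerts": [], "first": None, "last": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or is_internal(ev["src"]):
            continue  # unparseable line, or traffic from inside our own nets
        s = per_src[ev["src"]]
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
        if ev["action"] == "DENY":
            s["denies"] += 1
            s["targets"].add(ev["dst"])
            if ev["dport"]:
                s["ports"].add(int(ev["dport"]))
        elif ev["action"] == "ALERT":
            s["alerts"].append(ev["sig"])
    for s in per_src.values():
        s["flagged"] = s["denies"] >= deny_threshold or bool(s["alerts"])
    return dict(per_src)


def report(findings):
    """One plain-English line per flagged source stating what the logs show:
    an address and a pattern of attempts, which is evidence of activity,
    not of who is behind it."""
    lines = []
    for src, s in sorted(findings.items()):
        if not s["flagged"]:
            continue
        ports = ", ".join(str(p) for p in sorted(s["ports"]))
        lines.append(
            f"{src}: {s['denies']} denied connections to {len(s['targets'])} internal hosts "
            f"(ports {ports}) between {s['first']:%H:%M:%S} and {s['last']:%H:%M:%S}; "
            f"{len(s['alerts'])} IDS alert(s): {', '.join(s['alerts']) or 'none'}"
        )
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

    Run as-is it prints a single line for 198.51.100.23 (six denies across five hosts, plus the IDS alert) and stays quiet about 192.0.2.77, whose one denied web request is below the threshold. That is the shape of answer the manager in the dialogue could actually evaluate: it says what was attempted, from where, and against what, and leaves the "is it China?" question as the separate attribution problem it is.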

  7. And in any case... by BrokenHalo · Score: 3, Informative

    Unisys are just another tech dinosaur that never made it out of the seventies.

    FWIW, Unisys didn't exist in the seventies. I was there. I worked on both types of kit (in those days you either went with the herd and learned to use IBM, or you learned to be versatile).

    IIRC it came about via the merging of Burroughs and Sperry/UNIVAC in about 1986 (in fact, to be specific, I think Burroughs swallowed Sperry).

  8. Re:Typical unisys by eudaemon · Score: 3, Informative

    More to the point, when companies lose contracts they lose them to a small circle of competitors, and those competitors rehire most of the people who were on the contract. In fact, that is so common you usually take your tenure / seniority with you to the next company. When a contract changes hands, it really means the management layer and the interface between management and the government is being changed. Workers by and large keep their jobs.