The Boom (Or Bubble) In Federal Cybersecurity
Hugh Pickens writes "The Washington Post reports that the increasing number and intensity of cyberattacks has attracted the attention of the Obama administration and Congress, which have begun steering dollars to the problem. Much of that new spending, estimated at $6 to $7 billion annually just in unclassified work, is focused on the Washington region, as the federal government consolidates many of its cybersecurity-focused agencies in the area. 'I think it is a real growth opportunity in coming years,' says David Z. Bodenheimer, a partner at law firm Crowell & Moring in Washington, who leads the firm's homeland security practice and specializes in government contracts. 'The market is still rather fragmented and in flux, but is developing with a speed that it is attracting both the major defense and homeland security contractors who are establishing independent business units to pursue these opportunities, and it is also a real opportunity for the smaller players who have niche products.' One reason the field is attracting so many companies is that the barriers to entry are low — at least, relative to other defense industries. But as start-ups and others rush to stake claims, some wonder if a bubble of sorts is beginning to inflate and recall that many venture firms in the early 2000s chased similar prospects. 'A lot of the early people made significant money,' says Roger Novak, founder of Novak Biddle Venture Partners. 'But there were [also] a lot of "me too" companies.'"
It will suck when people get laid off, but you're not buying a huge quantity of equipment that you have to sell at rock-bottom prices. Or entire streets of homes which won't sell even if they are heavily discounted. You're probably ensuring that software is properly patched, hardware is not using default passwords and maybe some penetration testing. Apart from office furniture/computers, I don't see a great deal of capital investment. There may be investment in equipment, but that'll be for the client (government) to buy and maintain.
Hopefully it'll create some work for people who desperately need it.
Consolidation is the only word to describe what has been going on in Federal IT for the past 3 years. If there is money being "funneled" to the problem, then that money isn't reaching the folks in the positions who are actually doing the job to fix the problem. Perhaps this 6-7bn dollars is being sent to shovel-ready projects or some other nonsense that has nothing to do with cyber security.
20th century Marxism is not progress...
No, this money won't go anywhere near the people who need it. First, the jobs this money creates are only going to be available to people who are able to be "cleared". If you are unfamiliar with the security clearance process, you should check it out. Many people apply, few (with the exception of political appointees) are accepted. The job market for cleared people is nearly always good (but has gotten pretty tight under the anti-military/intelligence Democratic congress/white house), so this will only make life better for them.
Second, the money is going to the Washington DC area... where "skilled" jobs are always in abundance. The big loss in jobs has been in the "low/unskilled" and the trade markets, which this "bubble" will do nothing to improve outside of the support industries.
and the real nasty bit about this is most folks that could really do this kind of thing well (and can prove it) have clearance "issues".
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Not political hacks and 30,000' studies. CYBER PEARL HARBOR - sow FUD
"where "skilled" jobs are always in abundance." Please, I am a Fed IT person who is surrounded by meeting-making feds and contractors who produce nothing. Most fed security people can barely run a software update, let alone stop a cyberattack. No one in the US Government builds secure code, nor do they understand the importance of building secure code. They do the SDLC/FISMA thing and say we've done our part. Once they get hacked, then they have tons of meetings, bring in SAIC or CSC and declare victory, that is until they get hacked again. Good security people are a rare breed who will always be in high demand. Hint, if a vendor shows up and that vendor is from China or India, tell him the position is closed. They know nothing about security. Now if a vendor is from Russia or Israel take them very seriously.
Great post! Your idea has been patented, and you are now prohibited from implementing it.
Translation follows:
"Nobody has the faintest fuck of a clue what they're doing, but they desperately want to be seen to be doing something and so they're throwing money at anything. Get in right now and make out like a bandit while you can!"
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
...about this.
I'm really not sure what but it seems to me that's an awful lot of money to be spending on something that can be addressed as simply as turning computers off.
On the flip side, quantum computing pretty much can make encryption pointless.
Realizing the direction of technology advancements, it's clear this cyber security thing is a bubble that will burst.
Considering spam is the number one cyber problem, and that it is generally dealt with by addressing the symptom of people generating it, filtering the spam at the destinations rather than identifying the human generators and stopping them... is after the fact.
It seems clear what is needed is the development of a different and disconnected (from the current network) network to handle secure communications. Where the use of it requires very clear identification of who. Like a drivers license.... dealing with security from the get go, not after the fact.
I thought that dubious honor fell to theodp.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
What kind of weird geek-humour is that, please tell!?
Good luck to the security professionals who think they can make a difference in the Federal government. I subcontracted at the GAO many years ago and saw some of the same issues. Mentioned them to higher-ups, and higher-higher-ups. No response, no improved security, not even a formal recognition of the problem. The primary contractors themselves were just as much to blame. Their main goal seemed to be maintaining the contract at any expense, including bad security, including shooting the messenger.
Bottom line is that .gov security issues are not really security issues as such, they are organizational issues. As long as you don't address the fundamental problem of entrenched, mid-level, non-technical management all the money in the world won't fix it.
Sounds great, except for the part about living in the D.C. area ...
Most of the work involves commodity certification & accreditation (C&A) that involves the following:
Phase 1
A "system owner" (Govt IT manager) has staff prepare documentation of the security controls implemented on a "system" (logical grouping of computers). The security controls are in NIST 800-53; this is FISMA in action.
C&A process http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
NIST Controls http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
NIST Audit process http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-A%20Rev.%201
Phase 2
A certification agent comes in, assesses the system using tools and configuration analysis. This is heavily slanted towards audit, instead of true security analysis.
Phase 3
A senior executive (Authorizing official) makes a decision about the risk acceptability of the system to operate, and may make the system owner do corrective action. The system then moves into continuous monitoring (phase 4).
That is how certification and accreditation operates in theory. Now I am going to tell you how the system is gamed.
Phase 1 implies you actually have competent IT security professionals on hand, performing work for the system owner. This is a false assumption. Most system owners don't know security, nor do their staff.
Phase 2 - First of all, the certification agent companies don't understand security. They can talk the talk (CISSP) but have no solid IT / IT security expertise (not security testers). Many certification agents will not even test systems. They play a game of bringing in cheap staff or running vulnerability scanners, then passing them off as "penetration tests". The amount of utter garbage in the field is amazing. Even more so, the reports they write up are audit garbage. If you asked most certification agents about a security methodology, they haven't heard of the OSSTMM or similar. They use NIST 800-53A (heavily audit driven), then they write up meaningless reports, equating technical weaknesses as just as relevant as a gap in a policy.
Phase 3 - The vast majority of government executives are clueless when it comes to IT. They know a little bit, like the name of an operating system (Linux - buzzword - yay!) but not much else. So, they are easily led astray. Most will allow a system to operate regardless of how bad it is, based on a horrible security review performed by incompetent certification agents, on a package made by the almost as clueless system owner and his staff.
After a system gets an authorization to operate, many staffs stop doing all security for 3 years, 'til the next C&A comes around.
It is not uncommon for a federal cabinet-level agency to have 300+ systems, with 300+ system owners, with 300+ completely separate, unique and underfunded security implementations that have more holes than Swiss cheese.
If you notice, what is missing from the above is actually rigorous security analysis. Code is rarely audited. Configurations are rarely checked 100%. Policy is viewed as being as important as technical controls. Most testing is a wash. Penetration tests are vulnerability scans by nitwits.
And you wonder why the Chinese are plundering the US govt on a daily basis?
Could anyone here list some of "the major defense and homeland security contractors who are establishing independent business units to pursue these opportunities"? Buying some of these stocks could make for some nice returns if this news isn't already built into the stock price. Plus the market really isn't doing too hot right now. There might be a lot of opportunities for buying in the near future.
This cyber-security stuff is largely nonsense, IMO.
The fact is, the Internet was designed from the ground up to support flexible and open standards, and it makes certain assumptions about the credibility and honesty of those put in charge of its routing. (I was just reading an article complaining about the lack of "action" taken after the Bush administration did a security review of the Internet back in the 2003 time-frame and determined it was, indeed, quite possible to take down the entire Internet in a matter of hours or less, thanks to weaknesses in how traffic is routed. The fact is though, all the major ISPs expressed NO interest in changing the current system -- because they realize that would still require a "central authority" someplace to determine the "correct" routes traffic should follow to get from point A to B. The current system is rather like trying to drive on a road trip from, say, Dallas to San Francisco, except you have no road map in advance. You simply start out on your journey and follow the road signs as you go, until you arrive. Except in the case of the Internet, even those "road signs" aren't controlled by any central authority. If someone accidentally or purposely changes one, traffic gets shunted in the wrong direction (possibly to a destination router that just black-holes all of it, since it wasn't expecting it).
As we can see though, it generally works quite well, because the people doing most of the heavy-duty routing are ISPs with a vested interest in making sure it keeps performing well. If and when something goes wrong, they tend to pick up the telephone and start making phone calls, getting people to intervene and make manual routing changes to eliminate the problem.
As you look past this supposed "security weakness" and get more detailed about security of individual destination points on the Internet, you see a similar situation. People bitch and moan about security issues (PCI compliance, for example), and spend thousands of dollars trying to address it. Yet in the end, you still HAVE to place trust in your employees. If they're willing to let outsiders in to get information you're trying to protect? All bets are off, no matter how much you spend on the latest "next generation firewall solution" or what-not. (Remember the huge credit card breach AOL had a while back? Turned out to be an inside job.)
Right now, as an I.T. manager, I'm seeing a large number of start-up and obscure "computer security" businesses trying to get my attention. I was just invited to listen to a presentation given by Palo Alto Networks, for example, followed by a free pre-screening of Iron Man 2. (Yep, I went.... not a bad way to get our attention, actually!) But the presentation honestly didn't tell me anything new. It was full of a bunch of well-heeled customers of theirs talking about liking the device, and their founder making a few rather arrogant comments - suggesting they were going to be huge in the future, because unlike most companies doing firewalls, they were focused on "innovation". He commented that "Checkpoint hasn't innovated in at least a decade." and "Cisco has NEVER innovated at all. They just bought a bunch of start-ups."
I can't speak for the quality (or lack thereof) of their product, but I CAN say that it was exactly what I was expecting them to try to sell.... another "next gen firewall/traffic flow controller" device that tries to "wow" middle and upper management types by acting like they've unlocked a huge revelation, by realizing that port and IP based firewall rules aren't the complete answer for companies today.
Funny, but I think Rapid7 was just calling, trying to get me to attend a seminar about THEIR product that was essentially the same idea, and to hear them talk, THEY thought of it all first, too.
A lot of people see a chance to grab some money thanks to fear of the unknown out there, and they may have products that really DO address specific scenarios really well. But I'm convinced most companies would b
Are your writing and communication skills an example of the kind of Fed person we should take very seriously?
Sounds like a great way to pass the buck to me :P
Also sounds exactly like a lot of what's going on in education.
Seems like there should be a way to give the professionals who administer systems the tools and resources to ply their trade. But all the money is tied up in political / administrative overhead so they can shuffle the accountability and blame around. Awesome that.
I can see it now.
Our [Crappy Product We're Selling] will lock you up so tight that if you take a crap, we'll be able to tell exactly what you had to eat a month and a half ago from the leavings! You will be secure, SECURE, SEH-CURE BABY!
Just fork over that phat gub-a-mint dole! MONEY MONEY MONEY MO-NEY! MO-NEY!
Truly the finest in buzzword-laden insecure security!
Broken the first time a government worker (or maybe A. Random Janitor) finds out that their porn is blocked and gets around it all.
Security through bullshittery.
Chas - The one, the only.
THANK GOD!!!
In a good desert, it can get hot enough to kill people and cold enough to kill people every single day/night cycle! But thanks for confirming an observation I made: we tend to seek the visceral conditions of our youth.
After growing up in the inland San Francisco Bay Area, I found living in Bangkok insufferable not only because it was stifling like summer in D.C. or Chicago but also the days never changed length and the nights never got cold. I need the cycle of long summer evenings and long winter shadows to feel like time is passing. I find coastal Los Angeles frustrating because it is "humid" all summer and dry all winter, backwards from my youth. Southern Italy feels extremely familiar to me, not only in climate but in the rolling hills covered in dry grass and sparse oak trees.
No, this money won't go anywhere near the people who need it. First, the jobs this money creates are only going to be available to people who are able to be "cleared". If you are unfamiliar with the security clearance process, you should check it out. Many people apply, few (with the exception of political appointees) are accepted. The job market for cleared people is nearly always good (but has gotten pretty tight under the anti-military/intelligence Democratic congress/white house), so this will only make life better for them.
Second, the money is going to the Washington DC area... where "skilled" jobs are always in abundance. The big loss in jobs has been in the "low/unskilled" and the trade markets, which this "bubble" will do nothing to improve outside of the support industries.
I never heard of that even being possible. From what I've heard, you apply for a job which requires a clearance and you either get the job or you don't. And despite what you think about the Democrats, they take national security just as seriously and have pet projects of their own.
My conclusion is that you don't know what you are talking about if you believe all the jobs will go directly to DC.
It depends on the job. If it's something like writing a keylogger or understanding how to do stuff like that, you can experiment on your own network and learn 90% of what you need to know without ever having to break the law.
"This is where the big need for security comes from. How do you provide more access to more services and information while restricting that information to the appropriate parties. "
What type of services exactly? What services do you expect the government to provide? Do you mean a setup so we can instant message the FBI to report a crime in progress? Do you mean giving twitter accounts out? What services does the government provide that are so important that we will need e-government to provide them?
With the slow increase in population coupled with the dramatic increases in regulation and bureaucracy, the US government will simply grind to a halt if it does not provide more access to government services via the internet.
This is where the big need for security comes from. How do you provide more access to more services and information while restricting that information to the appropriate parties. Also, once these services become integrated and relied upon, they will become targets for hostile foreign elements. This is a "good" problem to have, but it is one that needs to be addressed now, before massive electronic outreach programs become part of our daily lives (even more than they are now).
WTF? What services? What exactly do you imagine we will be relying on the government for and since when did the government provide anything for free? The government expects you to serve it in exchange for whatever you get, nothing is ever free. If wifi is offered it will come with censorship. If healthcare is offered it will come with a draft and government control over human behavior down to the microscopic level.
How exactly is giving the government more control over us worth the services?
They might have to spend 4-6 billion on cyber security but it would be better to spend it on that than to spend it on fighter jets which will probably never be used anyway. The new kind of war involves cyberspace, information, and almost never involves fighter jets.
So how would the enemy attack? Probably by exploiting weaknesses in systems and networks. So those systems and networks must be secured, and securing them won't be free.
You missed my point. Infosec in the Government has needed funding for a long time now. Funding it is a good thing. However, I would prefer to see funding go towards programs and activities that are effective rather than powering additional levels of bureaucracy.
Having said that - don't get too wrapped up in your "new" war. When it comes down to it, physical control is still important. Those fighter jets will still have a use. After all, we've fought this war before - we just called it "espionage".
The reason it's hard to get a security clearance for most is that private companies don't want to pay the thousands of dollars for the investigation; more people than you think could get a clearance, but it's just too expensive. If you want a piece of the pie, do what I did and join the military for a few years; they're more than happy to give you a clearance if you choose the right job. The only people that really have trouble have financial issues, criminal records, or aren't citizens. I'm sure most of you on /. are good, well-behaved nerds like me, so there you have it. IMO a lot of people just don't like the idea of the military, like war, or getting exercise. So here they are complaining about how hard it is to get a clearance, when the easiest opportunity for most to earn one is right under their noses.
Disclaimer: Spent 6 years as a USAF 2E2X1, a specialty pretty much cookie-cut for the huge cybersecurity craze, now known as 3D1X2.
I have been in the DoD world for over 7 years now, all of those with a pretty good clearance. When the batch of people I started with were first getting our clearances, the first one to be finalized (adjudicated, as they say) was the guy who admitted to being a drug dealer in the past. Outside of treason-like activities, or being a documented member of some anti-America movement, there is nothing that is a clear-cut NO for a clearance.
I cannot say that the other types of clearance are the same (DoE, for example, has a completely different system). This is just what I know about the classic "Confidential / Secret / Top Secret" DoD-style things.
You've got no idea what you're talking about when it comes to clearances, the job market for those with clearances, and the spending levels of the current Congress.
No, he is capable of using a computer. This puts him head and shoulders above your average Fed.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Too much morning coffee? Wired aren't we?
We use portable Ubuntu running off a read-only device.
The proper question should have been: Is he downloading porn while at those meetings? If he has, is he following the minimum guidelines of 8 hours a day?
Actually, there are some similarities with security background checks and the H1B issue. I believe for security clearance, you need to be sponsored by a company. While you are getting your clearance, you technically can't do clearance-required work. So, a company who wants to sponsor someone might have them on a project that doesn't require clearance, while they are in the process. The problem with most DC companies is that they don't want to pay for that. They'd rather try to find someone else that has gone through the process already on someone else's dime. That way, they can start billing more quickly.
My guess is that some of this motivation is to not lose money from having someone you sponsored for their clearance to just leave when they are finally cleared.
In some situations, an employee will get hired by a subcontractor while their security clearance is being processed, and once it is cleared, be hired by the company with the contract.
This is definitely true. There are plenty of jobs that require clearance, and only so many people that actually have it. It's kind of sad, as the clearance probably takes priority over skill/ability. I worked with a woman who had a clearance, left her previous job for a non-clearance position, and within three weeks quit to go to another position that required clearance, because she didn't want to lose it. I believe if your clearance is inactive, meaning you weren't in a clearance-required position, for a certain period of time (6 months?), it's no longer valid. Of course, some of this is anecdotal, and I could be wrong. :)
Anyway, IT work in DC is a real joke. Plenty of money to be made there, but there's very little work being done. Lots of people just sitting around, waiting for their retirements. To an extent, I didn't really care who won any elections, because the civil service layer and the layer of contractors are such a drain on the system, that until something is done about it, you'll never really make much progress.
If all you have are silver bullets, everything looks like a werewolf.
Infosec in the Government has needed funding for a long time now
Funding alone won't have an effect on the organizational dynamics.
The only way .gov security is going to improve is if qualified people have the authority to enforce effective policies.
To get qualified people you have to require regular training and testing. You also have to go where the qualified people are (by not requiring them to move to DC, Baltimore, ...). To get effective policies you have to allow them to be written per business (not government) best practices without undue influence from special interests. Such policies would have to be created outside of the traditional groups such as the IETF, IANA/ARIN et al, as those have all become stifled by special interests (directly and through astroturfing/lobbyists) over the past decade. Lastly and most importantly, such policies would have to be enforceable. That means an authority (like DHS should have been, could have been) that can cancel contracts and fire people.
Problem is the leadership needed to hire and empower qualified people and create enforceable policies does not exist at any level of the US Federal government.
Your clearance technically goes "poof" as soon as you stop working at a job that requires a clearance.
However, if you held a clearance in the past, that's an extremely good indication you'll be able to get a clearance again (assuming the clearance wasn't revoked). That makes you a significantly lower risk to your employer.
Nah, it's not actually that bad. For a TS, yes they interview a lot of people (albeit not "everyone", just most of the folks you regularly interact with over the last 10 years). But no, you don't have to do a polygraph nor a drug test (although some contracting firms might require the drug test for their own purposes; none of the ones I've dealt with have). The polygraph generally only comes in to play when you get certified for SCI access.
The polygraph is probably the most scary part of any investigation. NOBODY in their right mind would find being interrogated via polygraph a pleasurable experience. So what you are saying is the drug testing is determined by the agency or contractor and not by government mandate?
As for the scrutiny, no, I don't think it's really "non-stop" either. After the initial investigation (the worst of which, frankly, is filling out the stupid form, although some of the investigators can be annoying), they pretty much leave you alone until it's time to get it reviewed (5 years for TS IIRC; I'm not due yet), and that's not particularly intense either. I don't personally view it as a sacrifice, or giving 100% to the government, and can't say I've really noticed a negative impact on my quality of life.
That's interesting. Some of the other people I've talked to have told me the exact opposite: that the government intrudes upon every aspect of their life, that they have not a single private moment, that everyone they know is questioned/interviewed, and more which I won't detail on this site. From what they've told me it certainly isn't worth it, but maybe every experience is subjective. They did mention drug testing so I assumed that was necessary.
Considering the issues I had finding a position when I landed the one requiring a clearance, yeah, I think it was.
(BTW, in case it wasn't obvious, yes, I do have a TS clearance. That's also why I'm posting anonymously -- not so much that I'm worried about people knowing, as despite the clearance I know virtually nothing of interest, but more to stem the inevitable tide of other folks with clearances whining about opsec if I don't. Heck, they'll probably whine anyway...)
So it's not the TOP SECRET clearances that bring the intense scrutiny, but the special access programs? The SCI? Or are there clearances that exist beyond TOP SECRET which require the polygraph, drug testing, and this
http://en.wikipedia.org/wiki/Single_Scope_Background_Investigation
My questions are if TOP SECRET clearance isn't a hassle to get, why do so few people receive it?
And does the cost/benefit of a clearance depend more on the job/role of the work rather than the process/paperwork?