Slashdot Mirror


Report: DHS Failing On Cybersecurity

chicksdaddy writes: It's always interesting to listen to what politicians say on their way out of office — after the pressure to get re-elected and stay "on message" has been lifted. Eisenhower's historic farewell address in 1961 warned Americans about the influence of the Military-Industrial Complex. Twenty years later, Jimmy Carter warned of the distorting influence of "single-issue groups and special interest organizations" on the political process. And, this week, outgoing Sen. Tom Coburn (R-OK) used his final days in office to issue a blistering report on the Department of Homeland Security. Coburn argued that DHS was failing on each of its five critical missions, among them: cyber security.

The report, "A Review of the Department of Homeland Security's Missions and Performance (PDF)," was released on Saturday. In it, the outgoing Senator said that DHS's strategy and programs "are unlikely to protect us from the adversaries that pose the greatest cybersecurity threat."

Despite spending $700 million annually on a range of cybersecurity programs, Coburn said it is hard to know whether the Department's efforts to assist the private sector in identifying, mitigating or remediating cyber incidents provide "significant value" or are worth the expense. DHS programs are still heavily weighted towards software vulnerability mitigation, Coburn says, an activity that "will not protect the nation from the most sophisticated attacks and cybersecurity threats."


  1. No it isn't! by Anonymous Coward · · Score: 3, Insightful

    It's doing exactly what it was intended to do: bilk appropriations to well connected people and Corporations in the name of National Security. If anyone EVER thought it was something other than that, they're far too naive for the present reality!

    1. Re:No it isn't! by Required+Snark · · Score: 2

      Remember, the real name of DHS is DHP: Department of Homeland Pork.

      --
      Why is Snark Required?
    2. Re:No it isn't! by Noah+Haders · · Score: 3, Funny

      Department of Hamland Pork?

    3. Re:No it isn't! by Opportunist · · Score: 1

      Uh... care to elaborate? It somehow doesn't make a lot of sense that way.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:No it isn't! by Cardoor · · Score: 1

      you're forgetting providing 'jobs' for those who would be otherwise disenfranchised, and liable to cause problems.

  2. Consider the source by ISoldat53 · · Score: 1, Insightful

    I would believe this more if it weren't coming from Tom Coburn.

    1. Re:Consider the source by Anonymous Coward · · Score: 3, Insightful

      Tom Coburn isn't all bad. I believe that people with medical degrees who have taken the Hippocratic oath make pretty good leaders. They often seem genuinely concerned with the welfare of people. Lawyers often get too involved with winning against the adversary. Tom definitely can grandstand and play politics, but he also seems to genuinely believe in what he is doing and care about people.

    2. Re:Consider the source by blue+trane · · Score: 1

      Coburn cares more about figures in a ledger book than about people suffering needlessly just so his budget looks pretty to him.

    3. Re:Consider the source by blue+trane · · Score: 1

      Coburn's fixation on budget deficits is absolutely contrary to humanitarian compassion. Deficits don't matter, as Reagan proved. To cut food stamps and suicide prevention programs in the name of "pay-go" is morally, ethically, and economically wrong.

    4. Re:Consider the source by Opportunist · · Score: 1

      I can't speak for Detroit, but Greece I know fairly well. If you make a country cut back on everything that could keep the inland purchasing power from faltering completely (which it now did) but force it to honor its weapon purchases (or Germany would've had to find someone else to buy its subs), you should not wonder if the economy gets a wee bit lopsided.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Consider the source by DarkOx · · Score: 1

      Deficits don't matter, as Reagan proved

      Reagan proved nothing of the sort. He proved short-term deficits are okay if anything, and we pretty much always knew that.

      Reagan's spending was in the context of a very different world. There was literally no economy or currency that could provide the secure wealth store the US and the dollar offered at the time. Today there is plenty of mostly safe sovereign debt to buy out there. There was no possibility of the first world trading oil in anything but the dollar; while still a long way off, it's imaginable today. Most importantly, however, there was a definable end in sight: eventually the USSR would be defeated, at which time some of the most expensive weapons efforts could be scaled back, after which the budget would balance.

      That brings us to the late Bush and Clinton economic boom. What was one of the characteristics of that? Oh yes, the budget nearly balanced, and if you did some really fucking creative accounting with lots of spin you could even claim a surplus! So if anything, Reagan might have proven deficits DO matter.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    6. Re:Consider the source by kilfarsnar · · Score: 1

      Coburn's fixation on budget deficits is absolutely contrary to humanitarian compassion. Deficits don't matter, as Reagan proved. To cut food stamps and suicide prevention programs in the name of "pay-go" is morally, ethically, and economically wrong.

      ORLY?

      Ask Greece.

      Or Detroit.

      Unlike Greece or Detroit, the federal government can print its own currency. Thus it is not constrained by its ability to tax or borrow. It literally has all the money it needs all the time. So it is correct that deficits don't matter. We could pay off the entire national debt tomorrow if we chose to. I'm not saying we should; it would have other ramifications. But the idea that we just don't have the money for a given project or program is just not true. The US cannot go bankrupt and has all the money it needs.

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    7. Re:Consider the source by ISoldat53 · · Score: 1

      No and yes

  3. We're good at spying on ourselves by Anonymous Coward · · Score: 1

    Just ask the NSA how good we are at spying on ourselves. But we seem to be looking at ourselves as the biggest threats when in fact our enemies have been accruing more and more technology and intelligence to attack what would hurt the US the most: commerce. People have said for decades that the US is too cozy with China and that makes us vulnerable. The US used to make almost everything it consumed in commerce, and now we have lost that edge, and even in technology and its security we seem destined to ignore the gorilla in the room. DHS is another waste of a government agency, created by politicians to soothe the American people. We have a military, CIA, FBI, Border Patrol, local and state police, National Guard, Coast Guard, and other well-oiled national defense organizations. Did we need a Department of Homeland Security? NO. What we needed was to beef up our long-standing defenses and make offensive moves to thwart attacks. Let's not be stupid and wait for our homeland to be attacked. Let's make sure they won't attack us by using measured attacks, be it electronic, physical, or restrictions, to make sure we are protected. Another agency we did not need.

  4. Gee, wonder why by Snotnose · · Score: 2

    Take a bunch of overly bureaucratic organizations that have needed weeding out for decades, create a huge new bureaucracy to oversee them all, and WTF can you expect?

    / Bush was the worst president in my 50+ year lifetime
    // Homeland security never made any sense to me
    /// I vote Republican prolly 70% of the time

    1. Re:Gee, wonder why by oDDmON+oUT · · Score: 1

      You sir have restored my faith in humanity.

      --
      Some days it's just not worth
      chewing through my restraints.
    2. Re:Gee, wonder why by AHuxley · · Score: 1

      It was such a good idea. Replace all the well-paid union workers sitting around at small and remote sites with new computer systems and cheap networks.
      Less staff cost, fewer union workers, and a few experts could care for a larger system of networked equipment over wide areas.
      So a lot of once secure air-gapped sites were connected with low-cost networks and everything seemed ok. Fewer on-site workers, the same oversight and maintenance.
      Now for the next huge boondoggle. Remote site security upgrades. Shared logs to see who is trying to map the networks.
      What the "huge new bureaucracy" needs now is news "stories" about IP ranges and malware from distant regimes and their educated experts.
      All the new domestic upgrades and staff with a new legal system for the growing cyber bureaucracy :)
      For all the new cyber costs, a human team back on site with fewer networks will not be so expensive soon.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Gee, wonder why by Anonymous Coward · · Score: 1

      What's the ranking criteria?

      By most criteria, Bush Jr is the worst president of my lifetime. If you're a billionaire, maybe he ranks better because of who he appointed to the supreme court. But, on almost all counts, he was disastrously bad, and everything he touched turned to shit.

      I guess I'd have to begrudgingly rank Clinton best, although I don't like him or Hillary at all. But, the economy did pretty well under his watch, and he didn't run up a lot of debt.

      I really don't get the Obama hate. I'd rank him in the middle, because he hasn't done anything super great, but he hasn't made any huge mistakes, either. He was a steady hand with middle-of-the-road policies during a very trying time. All the whinging about Obama destroying America seems like pure fantasy to me.

      I'm curious, what do you think would have happened to America without the new deal? I wasn't alive then, but from what I've read, the country was teetering on revolution, and the new deal might have been what brought us back from that cliff.

    4. Re:Gee, wonder why by Opportunist · · Score: 1

      Looking back, the US had a few good, a few bad, a few shining and a few shady characters as presidents. I liked Bush Sr., well, ok, I did not like him, but his politics were fairly sensible. I loathed Bush Jr., not just for his questionable politics and HORRIBLE financial decisions, but mostly for what he did to the image of the US. He turned the general sentiment towards the US from one of admiration and aspiration, where the US was THE country, where everything goes and everything is possible, into one of ridicule and shame, where the US is the butt of very crude jokes, along with the US voters being seen as a bunch of idiots for not only voting him in once but twice. If that administration can claim any kind of achievement, it is to wash away decades of built-up admiration and reverence within just 8 years.

      But still, nothing in the past few decades can hold a candle to Eisenhower.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Lies by Anonymous Coward · · Score: 1

    People fail to realize that if it wasn't for the Department of Homeland Security, Al Qaeda would be flying airplanes into buildings every single day. Mind you, I wouldn't shed a tear if a million white people died, but just think of all the African-Americans that the DHS is protecting. God bless the DHS.

  6. Quiet! They might be listening.... by freeze128 · · Score: 1

    The *LAST* thing we need is DHS thinking that they know security better than computer professionals. This article is just an invitation to get DHS to install "protection" software onto our PCs, or otherwise screw up the internet.

  7. What does Coburn know about infosec? by bouldin · · Score: 2

    Why does anybody care what a 66-year-old doctor from Wyoming thinks about information security?

    The report criticizes the DHS as ineffective at "cybersecurity" because of.. zero days or something.

    It's clear that neither Coburn, nor the author of the report, understands infosec or how it is different from kinetic war. You can't amass troops or use force. It's very difficult to even know who attacked you.

    You can do something like building defensive lines, but that's exactly what the report criticizes.

    1. Re:What does Coburn know about infosec? by bouldin · · Score: 1

      I read the infosec part. The report criticizes DHS for concentrating on vulnerability management and using signature-based detection, which it suggests is not worthwhile because of zero-day vulnerabilities. It criticized the DHS for not following best practices itself.

      That criticism is fair, but also applies to almost all infosec efforts, both in the public and private sector.

      The only suggestion offered by the report was to cite a "cybersecurity expert" who says we should focus on deterrence. The report did not explain what deterrence means in this context. What are they suggesting? We hang malware to death to set an example? We sanction North Korea every time we think maybe they sponsored an attack that we traced back to China? The metaphor to warfare does not hold, and that failure is lost on the author[s] of the report. They don't get it.

    2. Re:What does Coburn know about infosec? by Fire_Wraith · · Score: 1

      DHS isn't very effective at cybersecurity - but not for the reasons he cites (something about stopped clocks being right twice a day comes to mind).

      First, when it comes to 'cybersecurity', they have no actual authority. The best they can do is suggest and advise. I'm not saying they should have authority to make anyone fix vulnerabilities or whatever, I'm just pointing out that you can't really expect that they'll be effective at protecting X if the people in charge of X don't have to listen to a word they say. It's like saying, "here, defend these networks, but you have to ask them politely to tell you what their problems are, and when you point out the problems, they don't have to fix it if they don't want to." Again, that's not to say they should be granted intrusive authority, but we also shouldn't expect them to act as if they can.

      Second is quality of talent. They're fighting an uphill battle in terms of personnel. They have to compete against both the private sector and other agencies in the government/national security business. Would you rather work for DHS or Google? For DHS or the NSA? Etc... Even if they hire people with lots of potential and train them up, those people will go find something better before long. There was an article a month or two back (I want to say it was in the Washington Post) that talked about exactly that problem - DHS couldn't keep anybody, because the best and brightest quickly jumped ship to go someplace better (either in pay, prestige, other compensation, or something on those lines).

  8. they are doing some things right, like free classes by raymorris · · Score: 1

    You won't normally find me talking about the federal government being very effective at anything, but they have done some things right with cyber security. For example, their series of free online classes covering cyber security is much better than I would have expected.

    Of course they did contract that out to a STATE agency, and a rather unique one whose budget process and operations are more like a private business - if people don't like the product (the classes), the agency doesn't get paid. So maybe I can acknowledge the good results without it being political heresy. :)

    Disclaimer - I work nearby the cyber security program that made the classes, so I may not be objective. Then again, I don't praise most people I work with. I was expecting the classes to not be very good, and I was genuinely surprised at how good they are.

  9. What a waste by LessThanObvious · · Score: 1

    "Senator arguing that DHS's $700 million cybersecurity budget could better be spent elsewhere."

    A $700 million budget alone is evidence that they are way off target. The mission should be fairly narrow and focused and require only a relatively small staff. The private sector does fine in most security areas. They just need to fill the gaps that are outside the scope of the private sector. Pick 8-10 real priorities, do those really well, and just cut everything else. Considering the FBI/NSA isn't even part of their budget, $700 million is just obscene. What exactly do they need to do that couldn't be done with a staff of two or three hundred good people and a $150-$200 million budget? WTF

    1. Re:What a waste by TheCarp · · Score: 1

      > What exactly do they need to do that couldn't be done with a staff of two or
      > three hundred good people and a $150-$200 million budget? WTF

      Create jobs. That is really all it has been about for a while. Shit, go all the way back to Prohibition and we got the beginnings of the drug war partially from efforts made by people who were basically looking to lose their jobs with nothing to do now that alcohol was legal.

      Their role is to create jobs and use as much budget as possible because the more they spread around the cake, the more support they will get from the people they spend that money on.

      You have to realize, that for every few people who took Eisenhower's speech as a warning, there were others writing it down as a proven strategy that is working and should be used elsewhere. The more jobs you create, the more cake you hand out, the more secure your job is.

      It doesn't even hardly matter if what you do works; it's almost better if it doesn't, because that will just be because you need to do more of it.

      --
      "I opened my eyes, and everything went dark again"
  10. As the saying goes... by langelgjm · · Score: 1

    Even a stopped clock is right twice a day.

    --
    "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
    1. Re:As the saying goes... by Opportunist · · Score: 1

      And a stopped brain has a bright idea twice a day?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Every time the word "Homeland" is used by 7-Vodka · · Score: 1

    Every time the word "Homeland" is used, we should post reminders of how eerily familiar these sophistries are to Hitler's own:

    Motherland, homeland, fatherland terrorism, terror cells. None of this shit is new. The communists did it too.

    --

    Liberty.

    1. Re:Every time the word "Homeland" is used by sconeu · · Score: 1

      Remember, KGB stood for "Ministry for State Security".
      Sounds a hell of a lot like DHS, doesn't it?

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  12. DUH! by frovingslosh · · Score: 1

    In it, the outgoing Senator said that DHS's strategy and programs "are unlikely to protect us from the adversaries that pose the greatest cybersecurity threat."

    DUH! DHS and the NSA are the greatest threats to American cybersecurity.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  13. Am I being paranoid? by WaffleMonster · · Score: 1

    Every time I hear bureaucrats rumbling about "cyber security", the only thing that comes to mind is schemes to legalize spying "for our own good" ... Still seeing politicians getting airtime rambling about legislation to indemnify corporations for "sharing" information with the government, not letting the Sony opportunity go to waste.

    The military industrial complex has countless billions of dollars at its disposal, and the only constructive thing I've seen out of it is the US-CERT mailing list, which for the most part delivers very little we didn't hear somewhere else first.

    Most everything I have heard and seen from DHS's own website is structured for defense after the fact or screwing around with ridiculous hacker wargames, as if cyberspace was somehow meaningfully analogous to meatspace.

    They have all of the open source code, they have Microsoft source code, they can probably get source code from others if they asked nicely enough... They could use some of their money to find and plug holes before everyone gets owned or fund R&D efforts to improve the state of security technology... instead it is all reactionary masturbation.

  14. yeah by markhahn · · Score: 1

    obscure, poorly-defined, well-funded, with no vested constituency. what could possibly go wrong.

  15. Re:It's all about talent by Opportunist · · Score: 1

    I tried. I failed. Bureaucracy and "hacking" do not mix. It just does not work out. And for the same reason it is fairly nontrivial to establish good IT security in a corporate environment, for they are also weighed down by bureaucracy.

    It's asymmetric warfare at its finest. On the plus side you have lots of funds, the highest technology available, even to some degree the ability to change laws in your favor and law enforcement on your side, sometimes to the point where you may direct them. On the downside you have the reaction speed of a snail, a ton of dead weight to lug about no matter what you want to do, and people in command who have zero idea what's going on but demand to have a say. That's you, the corporation, or the government.

    On the other hand you have the attacker. Usually far less well funded, using whatever tech he can get his hands on, with laws and law enforcement working against him. On the plus side he can react instantly without any overhead and without any interference from idiots.

    Frankly, my money would be on the second guy. Funding means little if most of the tools you need to attack are free (or you don't care that you don't pay for them). It matters little if law enforcement is working against you if they don't care too much about "cyber threats" (or cannot care about them altogether due to a lack of knowledge/equipment). So what's left for them is all the goodies with little to hold them back.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. Wait, what... $700M? by sigmabody · · Score: 1

    Hold on... I work in the private sector in info sec. DHS is nominally spending $700M annually on trying to provide value for the private sector? Huh? DHS doesn't provide value for anyone, as far as I know, much less the private sector. What kind of hallucinatory BS is this?

    1. Re:Wait, what... $700M? by l0n3s0m3phr34k · · Score: 1

      "What kind of hallucinatory BS is this?" don't know, but I'll bet that's where the $700M went. LSD isn't $4 a hit these days, even shrooms are at $15-$25 per gram. Hallucination-inducing pharmaceuticals aren't cheap.

  17. No surprise by gweihir · · Score: 1

    The thing is, the Department for State Security (their true designation) is not tasked with protecting any citizens or corporations. Their task is to protect the state and its bureaucracy, by funneling billions of dollars to people with the "right" beliefs. And, as the budget numbers show, they are not failing at that at all.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  18. Re:IT security is not the DHS's mandate by gmhowell · · Score: 1

    Wrong.

    DoD: military
    DHS: civilian

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  19. Re:Dear Taxpayer? by kilfarsnar · · Score: 1

    That's even less of the population.

    --
    "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)