Slashdot Mirror


Despite Triage, US Federal Cybersecurity Still Lags Behind

An anonymous reader writes: According to the NY Times, U.S. government officials will soon announce all the improvements their IT security teams have made to federal systems in response to the OPM breach. Unfortunately, says the Times, these updates only just scratch the surface, and are more to show that the government is "doing something" than to fix the long-standing problems with how it handles security. "After neglect that has been documented in dozens of audits for nearly two decades, the federal government is still far behind its adversaries. And it is still struggling to procure the latest technological defenses or attract the kind of digital security expertise necessary to secure its networks."

It seems each agency has to be hit by a cyberattack, causing it to go into panic-mode independently, before learning to properly safeguard its systems. Officials say far too much money is wasted on figuring out who and what to blame, rather than on ameliorating the problem. "At the Internal Revenue Service, auditors identified 69 vulnerabilities in the agency's networks last year, but when officials there told Government Accountability Office auditors this year that they had fixed 24 of those problems, investigators found only 14 had been resolved."

36 comments

  1. The root of the problem .. by nickweller · · Score: 3, Informative

    "Department of Homeland Security (DHS)/Chief Information Officer (CIO) has determined that Microsoft will be the Department-wide standard desktop operating system, e-mail system, and office automation tool." ref
    --

    'thousands of low-level employees and contractors with access to the nation’s most sensitive secrets have been cut off.'

    1. Re:The root of the problem .. by Skapare · · Score: 1

      right out of chapter 1 of Computer Security for Dummies.

      --
      now we need to go OSS in diesel cars
    2. Re:The root of the problem .. by ls671 · · Score: 2

      from same ref:
      "The primary objective of the Department-wide Microsoft ELA is to ensure standardization of office automation and communication applications across IT environments at DHS." ;-)

      --
      Everything I write is lies, read between the lines.
  2. No surprise at the lag by cold+fjord · · Score: 2

    These problems were created over a period of years, exacerbated by poor and uneven budgeting, congressional pork and mandates, and red tape. The only way this could have been averted in some fashion would have been if some company had offered for sale:

    Robert Byrd Office
    Robert Byrd Antivirus
    Robert Byrd Internet
    Robert Byrd Web Proxy
    Robert Byrd Total Security

    Fixing it will likely take years.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    1. Re:No surprise at the lag by drinkypoo · · Score: 1, Informative

      These problems were created over a period of years, exacerbated by poor and uneven budgeting, congressional pork and mandates, and red tape.

      Not really. These problems are caused specifically by corruption. Each department wants to hide its malfeasance from each other department, so they don't pool resources, so they reinvent the wheel repeatedly. Therefore, each organization has the chance to make the same mistakes over and over again. If our government was not corrupt from root to leaf, then we could have one office of information technology which handled all of these systems for all of these departments, and which is in a position to recognize security issues and address them across the entire organization.

      Most people don't appreciate the extent to which corruption makes an organization less efficient. Literally every efficiency problem in our government can be traced to corruption.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:No surprise at the lag by Anonymous Coward · · Score: 0

      These problems were created over a period of years, exacerbated by poor and uneven budgeting, congressional pork and mandates, and red tape.

      Not really. These problems are caused specifically by corruption.

      When it comes to civil servants, don't mistake lethargy for strategy (politicians are a different goat).

      On the other hand ... "If they don't know what you're doing then they don't know what you're doing wrong."

  3. behind? by Skapare · · Score: 1

    the federal government is still far behind its adversaries

this kind of comparison is meaningless when one side only needs to find one hole and the other side needs to block all possible holes. the feds have a lot of work to do.

    --
    now we need to go OSS in diesel cars
    1. Re:behind? by ls671 · · Score: 1

Not necessarily, TFS doesn't talk about how good US agencies' hackers are at breaking into the adversary's systems. The US could have problems defending its systems and still be good at breaking into others.

So it is the same for the US when they wish to break into some system, all they have to do is find one hole. This makes all sides equal.

A team with a poor defense and a strong offense can still win the game.

      --
      Everything I write is lies, read between the lines.
    2. Re:behind? by StikyPad · · Score: 1

      Yeah, well, that's the problem, to be honest. We favor offensive capabilities over defensive. When the NSA discovers critical flaws, they exploit them instead of alerting the manufacturer and patching holes. We can't have it both ways. If we want secure networks, we're going to have to rethink our priorities.

  4. Patent it! by Anonymous Coward · · Score: 0

    After paying all the application, filing, examination fees to the USPTO, you then get to pay for

Patent Maintenance Fees

    Fee code        Rule     Description                                                     Amount
    1551/2551/3551  1.20(e)  Due at 3.5 years                                                1,600.00
    1552/2552/3552  1.20(f)  Due at 7.5 years                                                3,600.00
    1553/2553/3553  1.20(g)  Due at 11.5 years                                               7,400.00
    1554/2554/3554  1.20(h)  Surcharge - 3.5 year - Late payment within 6 months               160.00
    1555/2555/3555  1.20(h)  Surcharge - 7.5 year - Late payment within 6 months               160.00
    1556/2556/3556  1.20(h)  Surcharge - 11.5 year - Late payment within 6 months              160.00

    1558/2558       1.17(m)  Petition for the delayed payment of the fee for maintaining a patent in force  1,700.00

Or maybe not. You better hope you can get licensees to pay up, because you will pay out. If not, your patent is expired:

    Expired due to failure to pay maintenance fee

  5. You know what would set them straight? by MikeRT · · Score: 0

Some prison time for every OPM staffer involved in setting up the RFP and awarding contracts that lacked a "US citizens only" clause and that were known to have foreign contractors working on federal systems. Everyone from the first line contract officer and PMs up to past directors should be under criminal indictment for this. That, not legislation, would make things safer.

    1. Re:You know what would set them straight? by Anonymous Coward · · Score: 0

      That wouldn't change a thing.

      Specifying security requirements first. And the agency following them itself.

      "US citizens only" does nothing for the security of the systems in use.

    2. Re:You know what would set them straight? by AHuxley · · Score: 1

The US and UK have had great wins with other nations' skilled staff.
      Some insights can be seen with the 1945-early 1950s use of German, Italian and other staff to help with cryptography.
      Induced, motivated and rewarded, they saved the US and UK years of work with ready, working solutions to French, Soviet and other nations' post-WW2 crypto.
      TICOM (Target Intelligence Committee) https://en.wikipedia.org/wiki/...
      Operation Stella Polaris https://en.wikipedia.org/wiki/...
      The US and UK then advanced this idea of trusting other nations' staff to Australia, New Zealand, Canada. Their top crypto experts got to share with the USA and UK and their work was rewarded over decades.
      Staff in France and West Germany soon got the same offers and the results can now be better understood. The US and UK got a total look down in plain text over allied nations thanks to trusted work with trusted foreigners.
      Decades later French and German political leaders finally understand the reality of their own secure crypto and communications networks.
      The US and UK don't allow databases to walk; they create easy-to-read information to test their own and other nations' "trusted" staff.
      Anything found, searched, used is bait. But the bait has to be believable and irresistible at low clearance level. Just not useful at any real clearance level.
      Everyone involved has to believe it is a real leak of some real value. Political leaders and contractors have to be public in their real reactions. Sock puppets on social media have to offer their "it was real but fixable" spin. Just find the correct contractors, add more funding, over time... and the bosses' new security product.
      How hard would it be to load up a massive database of past projects linked to past operations in parts of the world of no future concern?
      Add in a lot of fakes and trackable data in an outward-facing network and see how everyone interesting reacts.
      Other nations, internal staff, social media. Keep pushing the message that the data is really real.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:You know what would set them straight? by StikyPad · · Score: 1

      Because that worked so well for the War on Drugs, yeah?

      MOAR GAOL!

      Jesus.

  6. At this point by raind · · Score: 1

that's not news. It would be news if the systems were even reasonably secured, if that's possible. How do you secure a system when the proverbial cat is out of the bag?

    --
    Get up!
  7. DISA STIG by OffTheLip · · Score: 2

They have doctrine in place in the Security Technical Implementation Guide (STIG), a DISA product, but that would require DHS to exercise the best practices and lessons learned levied on other branches of the government. You know, learn from others' mistakes, and improve.

    1. Re: DISA STIG by Anonymous Coward · · Score: 1

STIGs are far from a cornucopia of security. Many are self-contradictory and some go directly against best security practices. For example, STIGs require logging all fields, which only helps a hacker cover his tracks by allowing the volume of logs to overwrite the evidence of his activities before defenders can discover his actions.

    2. Re: DISA STIG by Whorhay · · Score: 2

Even if you were to have a perfect security checklist with clearly defined problems and predetermined solutions, you're still screwed. There are hundreds, if not thousands, of individual little projects each with their own budgets, priorities, and egos. Some like DFAS are colossal in scale and seemingly represent intractable problems. The DoD has spent billions trying to replace that hodgepodge of systems and has gotten basically nowhere. In every case you'll find that fixing all or even most security problems will fundamentally break an application in some way. Just to get all the programs into real security compliance, not just pencil-whipped by having someone accept the risk, would probably require designing and rebuilding everything from the ground up. And that would only address the vulnerabilities that we know about today.

  8. Cat out of the bag by Etherwalk · · Score: 2

that's not news. It would be news if the systems were even reasonably secured, if that's possible. How do you secure a system when the proverbial cat is out of the bag?

    You close the barn door after the cows come home in case they try to go through it again.

    A common response to a successful major response is not just to try to repair the damage, but to capitalize on the moment to drive security reforms that people have been hesitant to embrace before, or that simply haven't been priorities for an organization. The capture of the OPM data was a major coup for China, but the detection and publication of the detection will be used effectively to convince thousands of employees and policy-makers in government that they actually have to care about security.

  9. Re: After eight years of Bush... by Anonymous Coward · · Score: 0

    Right. Except the IRS is and has been run by Democrats for many years. Same with OPM.

    This is what happens when agencies prioritize diversity over doing their jobs.

  10. What do you expect? by humptheElephant · · Score: 3, Informative

After years of congress attacking federal workers, federal workers can't have the best morale. If you want good results from your government, you should treat them better. Right now congress makes it a self-fulfilling prophecy that government is bad, so let's drown it in the bathtub. What competent person would go to work for the government under the conditions that congress has imposed on them in the last few years? Also every time a new administration is voted in, the new guys put their guys in at the top of the agencies, usually based on how these guys helped win the election rather than their qualifications for the job. What could possibly go wrong?

    1. Re: What do you expect? by Anonymous Coward · · Score: 0

There is truth in that previous post. The president and congress played a high-stakes game of chicken with the budget several years ago. They shut down the government and sent a clear message that federal employees are pawns and don't matter. Congress cuts budgets and then they hammer agencies when things go wrong.

  11. Welcome to the big honeypot by AHuxley · · Score: 0

If the U.S. government wants a server to be secured it is, as designed, run, used.
    The US lectured its more trusted allies in the 1950s-2010s about keeping their own and all shared projects very secure.
    The Soviet Union, Russia, China did not get far when trying to look into real US networks and systems without the direct help of local staff who had turned or were deep cover.
    So the US could, can and in the future can design and run very secure networks of any size or standard when needed.

    Why the sudden political and media interest in network security? US cleared staff have to understand that a 'list' trap is set, baited and will be tested.
    Anyone on the vast low-level 'digital' security list might get a chat down from two or more people who fit the caricature of foreigners with a story, files, backgrounds and an offer....
    In changing economic times, with an understanding of security, staff might be tempted as the approach could be real and a great way to gain personal wealth.
    US staff now know every low-level security validation is going to be re-tested, reviewed, re-interviewed, approached, chatted down as a list by expert contractors and gov officials.
    The only reaction now is to report any approach. The US has secured a generation against approaches by other nations.

    All the data in the wild is bait. Projects, places, events, dates. Everything at that level is set up to be trackable internally and externally.
    To work as bait it has to be readable in English, usable over time by staff on internal networks in English and usable over the US at job fairs, contractors, operations needing staff, staff being given clearances as they change from gov to mil to private sector and back.
    The other reaction is to test internal US networks and all staff levels as they react to the very 'real' 'news' of reviews.
    Is someone in middle or upper management getting fixated looking up their own past, names, other names? Why?
    Another test is to see how social media tracking and planted cover stories over years can handle the interest.
    Cleared staff are being tested. How do they react to the media attention? What are they searching for on work and public networks?
    Or not looking for when all their colleagues are.

    --
    Domestic spying is now "Benign Information Gathering"
12. The problem is systemic by Required+Snark · · Score: 1

    Drawing a distinction between cybersecurity in the Federal government and cybersecurity in other large organizations is meaningless. The only thing that does is make it easier for any large organization to avoid accountability for their failures.

    The US business community has been completely successful in avoiding any regulations on cybersecurity. The US Chamber of Commerce has defeated all attempts to define laws or national standards for computer business security. Instead we have some Presidential decrees that have minimal real world impact.

    Since there are no standards, it is impossible to assign any responsibility when data breaches occur. The response consists of cover ups, minimizing the impact of the event, denial of responsibility (the word "unprecedented" is common), rhetoric on helping the victims and not letting it happen in the future. After the public outcry dies down nothing is ever heard about it again. It might as well not have happened. No one is ever fired. No follow ups are made available to anyone outside the organization.

Additionally, those affected by the data leaks are given no support and have no recourse. Being offered free credit monitoring for a year, or even two, is like offering someone with potential HIV exposure a band-aid. The level of effort involved is grossly inadequate. The potential repercussions can happen years later. If the corporation responsible doesn't know how much effect the breach had, how can they decide to come up with policies that balance costs and benefits? The reason they do no follow-up is because it provides them with ironclad cover from having to pick up the real cost of their failure. It also makes it a certainty it will happen again.

What I just described is exactly what happened with the Sony leak. But it could just as easily be the leak that occurred at UCLA in the last couple of weeks, or any leak that made the national headlines in the last 20 years. In fact UCLA was hacked in 2012, so nothing has really changed.

    The non-government situation is identical to government cases. The failure modes and responses are identical. This is unsurprising because the organizational issues, technical requirements and talent involved are the same. It is nonsensical to expect that one side of an arbitrary line will have one kind of behavior and the other side will be different. It's just not going to happen.

The other elephant in the room is that a huge percent of the work is not done by the government, but is done by private contractors. That is what happened with the OPM breach. This was reported when the story first came to light, but is now erased from the narrative. That is a part of the cover-up. In fact there were two contractor breaches, one at KeyPoint Government Solutions and the other at USIS.

So what is necessary to address the problem? Legislation and regulation that specifically defines standards for data security for both the government and private sector. This has to include severe criminal and financial penalties if data breaches occur. Individuals should be held personally accountable, specifically those at the highest level of the organization. The penalties for failure affecting national security should be at the level of treason; life sentences and even the death penalty.

What will actually happen? Nothing. All you need to do is look at Wall Street to see what will happen. The same companies, and even the same people (Jamie Dimon) who were personally responsible for the 2008 crash are doing better than ever, and continue with out-and-out criminal behavior. So far no one has been charged, much less put on trial. If you assume that you will not be allowed to withhold your personal information from the "business-government complex", that it will be leaked, and that you will be left completely vulnerable, then you understand what is going on.

    --
    Why is Snark Required?
    1. Re:The problem is systemic by AHuxley · · Score: 1

      Re "So what is necessary to address the problem?"
A strong compartmentalized, air-gapped database that has real human oversight? The US can make and run that for every agency, department and project it needs to over decades.
      They don't leak by design. Nobody networks out with plain text anything. Every access internally is logged. There is no external access.
      It seems the US wanted a database, networked and usable. Who would want such a networked database?
      If you need a contractor with skills and it's not logged. That's a positive for projects that needed a lot of staff in different parts of the world at some time in the past.
      Internally staff feel they can look up anything. A great way to see is looking up what and why while they feel like it's an open network at their desk.
      Great for testing and seeing who is looking for what when alone. Hard to do if they have a person next to them and an encrypted, time-limited window that's logged by default.
      Re "What will actually happen?"
      A wait to see who goes looking over huge lists of interesting-sounding fictional projects.
      For an Operation Bodyguard https://en.wikipedia.org/wiki/... to work the mix has to be interesting.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:The problem is systemic by gmhowell · · Score: 1

Without knowing the GS/contractor divide at OPM, it's hard to say who is ultimately to blame. If OPM gave carte blanche to the contractor, the latter is generally the one at fault. If the government micromanaged the contract and ignored suggestions, the blame is back with them.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  13. Make vendors and providers liable for defects by Anonymous Coward · · Score: 0

The problem is software vendors and IT service providers are not liable for failures or security breaches. Vulnerabilities are viewed as something that can be easily fixed, but many times they are not known until after the fact. This quality is not built into the system and vendors get away without paying out damages. As a matter of law, they should be held responsible for security defects.

    1. Re:Make vendors and providers liable for defects by gmhowell · · Score: 1

      Vendors cannot be held responsible for stupid (or non-existent) engineering and policy.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  14. Offensive has unfair advantage by Anonymous Coward · · Score: 0

Those on offense have a much greater advantage than those playing defense when it comes to network security. It does boggle my mind why OPM would have this sensitive information so close to the Internet. Cross-security-domain solutions have been built to isolate networks and allow flow of information.

  15. Re: After eight years of Bush... by fma · · Score: 1

    Right - Less diversity is the key to information security. Let's make all the targets uniform and have all the people of the same mindset. Go troll somewhere else.

    --
    F=ma
  16. Re: After eight years of Bush... by sumdumass · · Score: 1

    If diversity is rated as a qualification higher than training, abilities and skills, it not only can be, but likely would be the problem.

Diversity is great when it happens naturally due to qualifications for the job itself. It likely becomes one of the strongest positions to administer from. It is a liability when it is done irrespective of qualifications and to some political motivation. It also breeds contempt and disrespect for those underqualified, which tends to be associated with their overriding qualification, be it sex, sexual orientation, race or religion or whatever. When John cannot competently do his job and it appears he was hired because he is really a handicapped black girl pretending to be a man so he fills a couple of diversity quotas, it eventually gets associated with people like that. It's completely counterproductive to the point being made.

    Now I do not know if this is happening anywhere but the concern is legitimate. I have worked with and under unqualified people before. Usually it is because of some family relationship with the owner and not because of quotas. I grew to resent all "family run" businesses I even consider working for.

  17. The technical problem was solved 40 years ago by ka9dgx · · Score: 3, Insightful

    The information processing need to handle both classified and top secret data in the same computer system in order to direct air traffic for the Vietnam war resulted in honest-to-goodness multilevel secure systems in the early 1970s. The Rainbow books tell you how it's done.

    The reason we're all mired in shit these days is that nobody believed multilevel security was something normal computers used. Unix was named as a joke to mock Multics, which aspired to have multi-level security (and did in the end, if I recall correctly).

    If your OS doesn't ask for a list of resources to use to execute a program, it isn't secure. MacOS, Linux, Windows don't... the only thing I know of coming down the pike is the Genode project from Germany.

    1. Re:The technical problem was solved 40 years ago by Anonymous Coward · · Score: 0

      This - Orange Book said it all. No modern OS comes close. -T

  18. I guess when you insert backdoors everywhere... by Anonymous Coward · · Score: 0

    ... things start to become difficult to secure.

    NO MORE BACKDOORS.

19. Put some information into offline storage by davidwr · · Score: 1

There is some information that really shouldn't be on "live" storage until there is a specific request, and once it is "made live" it should be purged after a reasonable period of time if it isn't still being accessed.

    For example, the feds could keep most records of former employees and very-sensitive records of current employees "offline" unless there is a specific need to have that record immediately available. If an employee or government agency needs immediate access to a routine, not-very-sensitive record such as hire- and termination-dates, tough - they will have to wait 5 minutes for the human being who keeps the "offline" data to retrieve it and put it "online." For more sensitive data, the wait may be longer.

    "Offline" doesn't necessarily mean "on a disk, in a locked drawer." It could mean "on an isolated, secure system which only a small group of people have access to."

    Bottom line:

    If an adversary gets in and tries to do a wholesale data dump, either he's going to only get the stuff that happens to be online, or he's going to create a huge volume of data-retrieval requests which will get unwanted attention.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
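The online/offline split, the custodian step, the idle purge and the "huge volume of data-retrieval requests" signal from the post above, as an added Python sketch; this is not code from the post or from any real agency system, and the record ids, tiers, thresholds and the custodian procedure are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data; ids, tiers and contents are hypothetical.
SAMPLE_RECORDS = {
    "emp-001-dates": ("online", "hired 2009-03-02, left 2014-07-31"),
    "emp-001-investigation": ("offline", "[sensitive background file]"),
    "emp-002-dates": ("online", "hired 2012-01-09"),
    "emp-002-investigation": ("offline", "[sensitive background file]"),
}
BULK_THRESHOLD = 5         # requests per requester inside the window -> alert
WINDOW_SECONDS = 60
IDLE_PURGE_SECONDS = 900   # staged offline records go back to cold storage


class TieredStore:
    """Serves 'online' records directly; 'offline' ones only via a custodian."""

    def __init__(self, records):
        self.records = dict(records)
        self.staged = {}            # record_id -> last access time (made live)
        self.retrieval_queue = []   # (requester, record_id) awaiting a human
        self.audit_log = []         # (time, requester, record_id, outcome)
        self.alerts = []            # (time, requester, requests in window)
        self._recent = defaultdict(deque)

    def _note_volume(self, requester, now):
        # Sliding window of request times per requester; a burst trips an alert.
        window = self._recent[requester]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > BULK_THRESHOLD:
            self.alerts.append((now, requester, len(window)))

    def request(self, requester, record_id, now):
        """Return the record if it is live; otherwise queue a retrieval ticket."""
        self._note_volume(requester, now)
        tier, payload = self.records[record_id]
        if tier == "online":
            outcome = "served"
        elif record_id in self.staged:
            self.staged[record_id] = now      # refresh the idle timer
            outcome = "served"
        else:
            ticket = (requester, record_id)
            if ticket not in self.retrieval_queue:
                self.retrieval_queue.append(ticket)
            outcome = "queued"
        self.audit_log.append((now, requester, record_id, outcome))
        return payload if outcome == "served" else None

    def custodian_stage(self, ticket, now):
        """A human custodian puts one requested offline record online."""
        self.retrieval_queue.remove(ticket)
        self.staged[ticket[1]] = now

    def purge_idle(self, now):
        """Take staged records back offline once nobody has read them for a while."""
        idle = [r for r, t in self.staged.items() if now - t > IDLE_PURGE_SECONDS]
        for r in idle:
            del self.staged[r]
        return idle


def simulate():
    """Constructed scenario: one routine HR lookup and one wholesale dump attempt."""
    store = TieredStore(SAMPLE_RECORDS)
    dates = store.request("hr-clerk", "emp-001-dates", now=0)             # served
    queued = store.request("hr-clerk", "emp-001-investigation", now=1)    # queued
    store.custodian_stage(("hr-clerk", "emp-001-investigation"), now=300)
    staged = store.request("hr-clerk", "emp-001-investigation", now=301)  # served
    # The dumper gets only what happens to be live (including the record the
    # clerk had staged); the rest piles up in the queue and the rate trips alerts.
    for i, rid in enumerate(list(SAMPLE_RECORDS) * 2):
        store.request("dumper", rid, now=400 + i)
    purged = store.purge_idle(now=2000)
    return dates, queued, staged, store, purged
```

The audit log shows the dumper's "queued" entries and the alert list shows the burst, which is the "unwanted attention" the post relies on.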