Despite Triage, US Federal Cybersecurity Still Lags Behind
An anonymous reader writes: According to the NY Times, U.S. government officials will soon announce all the improvements their IT security teams have made to federal systems in response to the OPM breach. Unfortunately, says the Times, these updates only just scratch the surface, and are more to show that the government is "doing something" than to fix the long-standing problems with how it handles security. "After neglect that has been documented in dozens of audits for nearly two decades, the federal government is still far behind its adversaries. And it is still struggling to procure the latest technological defenses or attract the kind of digital security expertise necessary to secure its networks."
It seems each agency has to be hit by a cyberattack, causing it to go into panic-mode independently, before learning to properly safeguard its systems. Officials say far too much money is wasted on figuring out who and what to blame, rather than on ameliorating the problem. "At the Internal Revenue Service, auditors identified 69 vulnerabilities in the agency's networks last year, but when officials there told Government Accountability Office auditors this year that they had fixed 24 of those problems, investigators found only 14 had been resolved."
"Department of Homeland Security (DHS)/Chief Information Officer (CIO) has determined that Microsoft will be the Department-wide standard desktop operating system, e-mail system, and office automation tool."
--
'thousands of low-level employees and contractors with access to the nation’s most sensitive secrets have been cut off.'
These problems were created over a period of years, exacerbated by poor and uneven budgeting, congressional pork and mandates, and red tape. The only way this could have been averted in some fashion would have been if some company had offered for sale:
Robert Byrd Office
Robert Byrd Antivirus
Robert Byrd Internet
Robert Byrd Web Proxy
Robert Byrd Total Security
Fixing it will likely take years.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
the federal government is still far behind its adversaries
This kind of comparison is meaningless when one side only needs to find one hole and the other side needs to block all possible holes. The feds have a lot of work to do.
now we need to go OSS in diesel cars
That's not news. It would be news if the systems were even reasonably secured, if that's possible. How do you secure a system from when the proverbial cat is out of the bag?
Get up!
They have doctrine in place in the Security Technical Implementation Guide (STIG), a DISA product, but that would require DHS to exercise best practices and lessons learned levied on other branches of the government. You know, learn from others' mistakes, and improve.
That's not news. It would be news if the systems were even reasonably secured, if that's possible. How do you secure a system from when the proverbial cat is out of the bag?
You close the barn door after the cows come home in case they try to go through it again.
A common response to a successful major response is not just to try to repair the damage, but to capitalize on the moment to drive security reforms that people have been hesitant to embrace before, or that simply haven't been priorities for an organization. The capture of the OPM data was a major coup for China, but the detection and publication of the detection will be used effectively to convince thousands of employees and policy-makers in government that they actually have to care about security.
After years of congress attacking federal workers, federal workers can't have the best morale. If you want good results from your government, you should treat them better. Right now congress makes it a self-fulfilling prophecy that government is bad so let's drown it in the bathtub. What competent person would go to work for the government under the conditions that congress has imposed on them in the last few years? Also every time a new administration is voted in, the new guys put their guys in at the top of the agencies, usually based on how these guys helped win the election rather than their qualifications for the job. What could possibly go wrong?
The US business community has been completely successful in avoiding any regulations on cybersecurity. The US Chamber of Commerce has defeated all attempts to define laws or national standards for computer business security. Instead we have some Presidential decrees that have minimal real world impact.
Since there are no standards, it is impossible to assign any responsibility when data breaches occur. The response consists of cover ups, minimizing the impact of the event, denial of responsibility (the word "unprecedented" is common), rhetoric on helping the victims and not letting it happen in the future. After the public outcry dies down nothing is ever heard about it again. It might as well not have happened. No one is ever fired. No follow ups are made available to anyone outside the organization.
Additionally, those affected by the data leaks are given no support and have no recourse. Being offered free credit monitoring for a year, or even two, is like offering someone with potential HIV exposure a band-aid. The level of effort involved is grossly inadequate. The potential repercussions can happen years later. If the corporation responsible doesn't know how much effect the breach had, how can they decide to come up with policies that balance cost and benefits? The reason they do no follow up is because it provides them with iron clad cover from having to pick up the real cost of their failure. It also makes it a certainty it will happen again.
What I just described is exactly what happened with the Sony leak. But it could just as easily be the leak that occurred at UCLA in the last couple of weeks, or any leak that made the national headlines in the last 20 years. In fact UCLA was hacked in 2012, so nothing has really changed.
The non-government situation is identical to government cases. The failure modes and responses are identical. This is unsurprising because the organizational issues, technical requirements and talent involved are the same. It is nonsensical to expect that one side of an arbitrary line will have one kind of behavior and the other side will be different. It's just not going to happen.
The other elephant in the room is that a huge percent of the work is not done by the government, but is done by private contractors. That is what happened with the OPM breach. This was reported when the story first came to light, but is now erased from the narrative. That is a part of the cover up. In fact there were two contractor breaches, one at KeyPoint Government Solutions and the other at USIS.
So what is necessary to address the problem? Legislation and regulation that specifically defines standards for data security for both the government and private sector. This has to include severe criminal and financial penalties if data breaches occur. Individuals should be held personally accountable, specifically those at the highest level of the organization. The penalties for failure affecting national security should be at the level of treason; life sentences and even the death penalty.
What will actually happen? Nothing. All you need to do is look at Wall Street to see what will happen. The same companies, and even the same people (Jamie Dimon) who were personally responsible for the 2008 crash are doing better than ever, and continue with out-and-out criminal behavior. So far no one has been charged, much less put on trial. If you assume that you will not be allowed to withhold your personal information from the "business-government complex", it will be leaked, and you will be left completely vulnerable, then you understand what is going on.
Why is Snark Required?
Right - Less diversity is the key to information security. Let's make all the targets uniform and have all the people of the same mindset. Go troll somewhere else.
F=ma
The US and UK have had great wins with other nations' skilled staff.
Some insights can be seen with the 1945-early 1950's use of German, Italian and other staff to help with cryptography.
Induced, motivated and rewarded they saved the US and UK years of work with ready, working solutions to French, Soviet and other nations post ww2 crypto.
TICOM (Target Intelligence Committee) https://en.wikipedia.org/wiki/...
Operation Stella Polaris https://en.wikipedia.org/wiki/...
The US and UK then advanced this idea of trusting other nations' staff to Australia, New Zealand, Canada. Their top crypto experts got to share with the USA and UK and their work was rewarded over decades.
Staff in France and West Germany soon got the same offers and results can now be more understood. The US and UK got total look down in plain text over allied nations thanks to working well with trusted foreigners.
Decades later French and German political leaders finally understand the reality of their own secure crypto and communications networks.
The US and UK don't allow databases to walk, they create easy to read information to test their own and other nations' "trusted" staff.
Anything found, searched, used is bait. But the bait has to be believable and irresistible at low clearance level. Just not useful at any real clearance level.
Everyone involved has to believe it is a real leak of some real value. Political leaders and contractors have to be public in their real reactions. Sock puppets on social media have to offer their "it was real but fixable" spin. Just find the correct contractors, add more funding, over time... and the bosses' new security product.
How hard would it be to load up a massive database of past projects linked to past operations in parts of the world of no future concern?
Add in a lot of fakes and trackable data in an outward facing network and see how everyone interesting reacts.
Other nations, internal staff, social media. Keep pushing the message that the data is really real.
Domestic spying is now "Benign Information Gathering"
If diversity is rated as a qualification higher than training, abilities and skills, it not only can be, but likely would be the problem.
Diversity is great when it happens naturally due to qualifications for the job itself. It likely becomes one of the strongest positions to administer from. It is a liability when it is done irrespective of qualifications and to some political motivation. It also breeds contempt and disrespect for those under qualified which tend to be associated with their overriding qualification be it sex, sexual orientation, race or religion or whatever. When John cannot competently do his job and it appears he was hired because he is really a handicapped black girl pretending to be a man so he fills a couple diversity quotas, it eventually gets associated with people like that. It's completely counterproductive to the point being made.
Now I do not know if this is happening anywhere but the concern is legitimate. I have worked with and under unqualified people before. Usually it is because of some family relationships with the owner and not because of quotas. I grew to resent all "family run" businesses I even consider working for.
The information-processing need to handle both classified and top secret data in the same computer system in order to direct air traffic for the Vietnam war resulted in honest-to-goodness multilevel secure systems in the early 1970s. The Rainbow books tell you how it's done.
The reason we're all mired in shit these days is that nobody believed multilevel security was something normal computers used. Unix was named as a joke to mock Multics, which aspired to have multi-level security (and did in the end, if I recall correctly).
If your OS doesn't ask for a list of resources to use to execute a program, it isn't secure. MacOS, Linux, Windows don't... the only thing I know of coming down the pike is the Genode project from Germany.
Vendors cannot be held responsible for stupid (or non-existent) engineering and policy.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
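The comment above on multilevel secure systems names the property the Rainbow books formalise: no read up, no write down. Here is a small reference-monitor check in that Bell-LaPadula style, added as an illustration rather than code from any real system; the level lattice, the "sigint" compartment and the process labels are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed lattice for illustration, not a transcription of any real policy.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """self >= other: higher-or-equal level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def can_read(subject, obj):
    # Simple security property: the subject's clearance must dominate the object.
    return subject.dominates(obj)

def can_write(subject, obj):
    # *-property: the object must dominate the subject, so a top secret process
    # cannot leak into a lower-labelled file (no write down).
    return obj.dominates(subject)

def check(subject, obj, op):
    """Mediate one access; every request goes through here, never around it."""
    return {"read": can_read, "write": can_write}[op](subject, obj)

def atc_example():
    """Constructed case echoing the comment: one system holds confidential and
    top secret data and the monitor keeps them apart in both directions."""
    ts_process = Label("top secret", frozenset({"sigint"}))
    low_feed = Label("confidential")
    low_process = Label("confidential")
    return (check(ts_process, low_feed, "read"),    # allowed: read down
            check(ts_process, low_feed, "write"),   # denied: write down
            check(low_process, ts_process, "read"))  # denied: read up
```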
There is some information that really shouldn't be on "live" storage until there is a specific request, and once it is "made live" it should be purged after a reasonable period of time if it isn't still being accessed.
For example, the feds could keep most records of former employees and very-sensitive records of current employees "offline" unless there is a specific need to have that record immediately available. If an employee or government agency needs immediate access to a routine, not-very-sensitive record such as hire- and termination-dates, tough - they will have to wait 5 minutes for the human being who keeps the "offline" data to retrieve it and put it "online." For more sensitive data, the wait may be longer.
"Offline" doesn't necessarily mean "on a disk, in a locked drawer." It could mean "on an isolated, secure system which only a small group of people have access to."
Bottom line:
If an adversary gets in and tries to do a wholesale data dump, either he's going to only get the stuff that happens to be online, or he's going to create a huge volume of data-retrieval requests which will get unwanted attention.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
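The tiered-storage idea in the comment above (offline by default, staged online on request, purged when idle, and a wholesale dump visible as a burst of retrieval requests) can be sketched as a small model. This is an added example, not code from the page or from any agency; the tier names, TTL, burst thresholds and employee records are constructed.

```python
from collections import deque

class TieredRecordStore:
    def __init__(self, ttl_seconds=600, burst_window=60, burst_limit=5):  # constructed thresholds
        self.offline = {}        # record_id -> record (the "locked drawer" tier)
        self.online = {}         # record_id -> (record, last_access_time)
        self.ttl = ttl_seconds
        self.window = burst_window
        self.limit = burst_limit
        self.requests = deque()  # timestamps of recent staging requests
        self.alerts = []         # (time, requester, requests_in_window)

    def add_offline(self, rid, record):
        self.offline[rid] = record

    def fetch(self, rid, now, requester):
        """Return a record, staging it from the offline tier if needed."""
        if rid in self.online:
            record, _ = self.online[rid]
            self.online[rid] = (record, now)   # refresh last access
            return record
        if rid not in self.offline:
            return None
        # Staging is the slow, gated path; counting it makes a bulk dump visible.
        self.requests.append(now)
        while self.requests and now - self.requests[0] > self.window:
            self.requests.popleft()
        if len(self.requests) > self.limit:
            self.alerts.append((now, requester, len(self.requests)))
        record = self.offline[rid]
        self.online[rid] = (record, now)
        return record

    def purge_idle(self, now):
        """Drop online copies nobody has touched within the TTL."""
        stale = [rid for rid, (_, t) in self.online.items() if now - t > self.ttl]
        for rid in stale:
            del self.online[rid]
        return len(stale)

def simulate_bulk_dump(n_records=20):
    """Constructed scenario: one account asks for every record within a minute."""
    store = TieredRecordStore()
    for i in range(n_records):
        store.add_offline(f"emp-{i}", {"id": i, "hire_date": "2001-01-01"})
    for i in range(n_records):
        store.fetch(f"emp-{i}", now=i, requester="svc-account")
    purged = store.purge_idle(now=n_records + 1000)
    return len(store.alerts), purged, len(store.online)
```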
Because that worked so well for the War on Drugs, yeah?
MOAR GAOL!
Jesus.
https://www.eff.org/https-everywhere