Slashdot Mirror


Despite Triage, US Federal Cybersecurity Still Lags Behind

An anonymous reader writes: According to the NY Times, U.S. government officials will soon announce all the improvements their IT security teams have made to federal systems in response to the OPM breach. Unfortunately, says the Times, these updates only just scratch the surface, and are more to show that the government is "doing something" than to fix the long-standing problems with how it handles security. "After neglect that has been documented in dozens of audits for nearly two decades, the federal government is still far behind its adversaries. And it is still struggling to procure the latest technological defenses or attract the kind of digital security expertise necessary to secure its networks."

It seems each agency has to be hit by a cyberattack, causing it to go into panic-mode independently, before learning to properly safeguard its systems. Officials say far too much money is wasted on figuring out who and what to blame, rather than on ameliorating the problem. "At the Internal Revenue Service, auditors identified 69 vulnerabilities in the agency's networks last year, but when officials there told Government Accountability Office auditors this year that they had fixed 24 of those problems, investigators found only 14 had been resolved."

8 of 36 comments

  1. The root of the problem .. by nickweller · · Score: 3, Informative

    "Department of Homeland Security (DHS)/Chief Information Officer (CIO) has determined that Microsoft will be the Department-wide standard desktop operating system, e-mail system, and office automation tool." ref
    --

    'thousands of low-level employees and contractors with access to the nation’s most sensitive secrets have been cut off.'

    1. Re:The root of the problem .. by ls671 · · Score: 2

      from same ref:
      "The primary objective of the Department-wide Microsoft ELA is to ensure standardization of office automation and communication applications across IT environments at DHS." ;-)

      --
      Everything I write is lies, read between the lines.
  2. No surprise at the lag by cold+fjord · · Score: 2

    These problems were created over a period of years, exacerbated by poor and uneven budgeting, congressional pork and mandates, and red tape. The only way this could have been averted in some fashion would have been if some company had offered for sale:

    Robert Byrd Office
    Robert Byrd Antivirus
    Robert Byrd Internet
    Robert Byrd Web Proxy
    Robert Byrd Total Security

    Fixing it will likely take years.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  3. DISA STIG by OffTheLip · · Score: 2

    They have doctrine in place in the Security Technical Implementation Guide (STIG), a DISA product, but that would require DHS to exercise best practices and lessons learned levied on other branches of the government. You know, learn from others' mistakes, and improve.

    1. Re: DISA STIG by Whorhay · · Score: 2

      Even if you were to have a perfect security checklist with clearly defined problems and predetermined solutions, you're still screwed. There are hundreds, if not thousands, of individual little projects, each with their own budgets, priorities, and egos. Some, like DFAS, are colossal in scale and seemingly represent intractable problems. The DoD has spent billions trying to replace that hodgepodge of systems and has gotten basically nowhere. In every case you'll find that fixing all or even most security problems will fundamentally break an application in some way. Just to get all the programs into real security compliance, not just pencil-whipped by having someone accept the risk, would probably require designing and rebuilding everything from the ground up. And that would only address the vulnerabilities that we know about today.

  4. Cat out of the bag by Etherwalk · · Score: 2

    That's not news. It would be news if the systems were even reasonably secured, if that's possible. How do you secure a system when the proverbial cat is out of the bag?

    You close the barn door after the cows come home in case they try to go through it again.

    A common response to a successful major response is not just to try to repair the damage, but to capitalize on the moment to drive security reforms that people have been hesitant to embrace before, or that simply haven't been priorities for an organization. The capture of the OPM data was a major coup for China, but the detection and publication of the detection will be used effectively to convince thousands of employees and policy-makers in government that they actually have to care about security.

  5. What do you expect? by humptheElephant · · Score: 3, Informative

    After years of Congress attacking federal workers, federal workers can't have the best morale. If you want good results from your government, you should treat them better. Right now Congress makes it a self-fulfilling prophecy that government is bad, so let's drown it in the bathtub. What competent person would go to work for the government under the conditions that Congress has imposed on them in the last few years? Also, every time a new administration is voted in, the new guys put their guys in at the top of the agencies, usually based on how these guys helped win the election rather than their qualifications for the job. What could possibly go wrong?

  6. The technical problem was solved 40 years ago by ka9dgx · · Score: 3, Insightful

    The information processing need to handle both classified and top secret data in the same computer system in order to direct air traffic for the Vietnam war resulted in honest-to-goodness multilevel secure systems in the early 1970s. The Rainbow books tell you how it's done.

    The reason we're all mired in shit these days is that nobody believed multilevel security was something normal computers used. Unix was named as a joke to mock Multics, which aspired to have multi-level security (and did in the end, if I recall correctly).

    If your OS doesn't ask for a list of resources to use to execute a program, it isn't secure. MacOS, Linux, Windows don't... the only thing I know of coming down the pike is the Genode project from Germany.