Report: US Government Worse Than All Major Industries On Cyber Security (reuters.com)
schwit1 quotes a report from Reuters: U.S. federal, state and local government agencies rank in last place in cyber security when compared against 17 major private industries, including transportation, retail and healthcare, according to a new report released Thursday. The analysis, from venture-backed security risk benchmarking startup SecurityScorecard, measured the relative security health of government and industries across 10 categories, including vulnerability to malware infections, exposure rates of passwords and susceptibility to social engineering, such as an employee using corporate account information on a public social network. Education, telecommunications and pharmaceutical industries also ranked low, the report found. Information services, construction, food and technology were among the top performers. And we are supposed to trust them with healthcare? This report comes after President Obama recently unveiled a commission of private, public and academic experts to bolster the U.S. cyber security sector.
And we are supposed to trust them with healthcare?
Is beyond absurd. Anyone who read the slightest bit of the Affordable Care Act knows that it does not put government in charge of health care. In fact, it did almost exactly the opposite of that and gave the insurance industry - which was already disgustingly powerful - even more power. The only function of healthcare.gov is to connect the (now obligate) consumer with a company who will sell them a policy.
In other words the ACA is a license for the health insurance industry to print money. They quite nearly had it before, but now it has been fully formalized.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
She had an industry expert set up her server in her bathroom.
... And I'm not talking about writing large checks to companies that want to sell you something. They don't have your best interests at heart.
The issue is that anytime Joe Q Public hears of government employees making 6 figures he goes ballistic. He does this without any thinking or research about what a comparative job in the private sector pays.
People work in infosec in govt long enough to be attractive to $BigGovtContractor and then bail, get the real salary from the contractor and cash in. That's the game. There's probably a few honest folks who are trying to make things better, but they'll be undercut by the ones trying to give big sweet contracts to $BigGovtContractor in order to pad their parachute.
If we want govt to be effective we have to stop losing our pressure valve because someone working for the government is making more than we do.
And this is pretty much without respect to which country we're talking about. I'm not American but I work in infosec and I won't take a govt job here either. Tried it for like 6 months, saw the game and ran for private sector (no, not for $BigGovtContractor).
I know, not what you want to hear, and I expect to get modded down, but sometimes the truth hurts :)
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
This is a good time to be in government IT. I'm finishing my second year in my current job as a security remediation technician, getting paid holidays, 20 Paid Time Off (PTO) days, and a decent benefit package (401K/health/dental/vision), and the prime contract is fully funded for another three years. As the recruiter told me, once you start working for the government, you're in for life. Most of my coworkers are ex-military and have been here for 10+ years. Alas, the downside is that I could be making 40% more in the private sector without any guaranteed job security.
I always look at "reports" like these with a very skeptical eye because usually they have been produced for some company looking for a contract. As a 20 year DoD employee, I can tell you that neither my SIPRNET nor NIPRNET has been owned by anyone. Except the Chinese, but that's normal, right?
If you want news from today, you have to come back tomorrow.
The heads of healthcare.gov, IRS and OPM KNEW they had ongoing hacks and did nothing. Has anyone gone to jail or been heavily fined or lost their pension? There are no consequences to failing in government.
against cyber security attacks, as opposed to perpetrating them.
I wasn't sure at first.
Report: US Government Worse Than All Major Industries On [literally anything done by private industry]
Seriously.
Their security is so lax that if you CAN'T get at something, it's a mistake.
But they want us to trust them with ANYTHING and EVERYTHING?
Fuck that noise!
Chas - The one, the only.
THANK GOD!!!
They should put their email on a private server.
Table-ized A.I.
FT-Summary: And we are supposed to trust them with healthcare?
The largest data-breach in American history was of Anthem(TM), a private health-insurance company.
The most inefficient bureaucracy in the history of the world. They are engineered to do this wrong, and repeatably.
Just wait. They can do a worse job next time.
The Reuters article has a link to the actual report:
http://info.securityscorecard....
They have a form to fill out and they send a link to your email address for the download. No biggie there, we all have many addresses.
But they also demand your phone number. I'm not giving anyone my real phone number, wtf, and why would they even ask?
They haven't yet sent me a link.
Anyone seen the report? I'm curious to know what their criteria for ranking were. And, considering that unauthorized penetration testing is kind of a no-no, I'm even more curious as to how they obtained their data.
Aren't private entities more likely to keep data breaches quiet if they can, to avoid reputational damage or frightening the stockholders? They don't have to follow the same disclosure rules as the Government if personal data isn't involved and aren't necessarily subject to the same FoI laws.
Cyber this, cyber that. There is no cyber fucking anything outside of bad 80s science fiction movies OK? You are not Johnny Mnemonic, you are joe fucking blow who works as a cleaner at the mall.
Put down the cyber bullshit. We are tired of it.
At least the 3D printer spam seems to have abated.
Damn kids...
I google them, not much on them.
Here is a possible scenario, and I'm not saying I think this company did this, but it is possible.
A company wants to increase their fame. They think, what can we do that will get us a lot of free publicity?
1. hold a bake sale
2. do an ad campaign where they buy things for ordinary people (I think Honda is doing that, at least in Calif.)
3. hold a beauty contest.
4. write up a study claiming the US Government is bad at something, anything, combined with the claim that we are experts in this field. Put a banner ad at the top of our website.
If they get them, does anybody seriously believe the keys to those backdoors will not be in the hands of state-sponsored and other hackers very soon after?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Of course they are, especially when you consider that the corrupt government wants all of our private data (such as electronic medical records) stolen so Obama Care can be rescinded and insurance companies can then reap the financial rewards. Can you say all planned? I knew you could!
73,
ab5ni
.
USAian politicians all receive bribes, ummm I mean campaign contributions, from sovereign foreign nations. I would not expect these 'elected' officials to put very much premium on cybersecurity. After all there are only so many hours in the day, and the lottery needs to be tended.
Putin may be a despot. But at least he looks after the interests of Russia. Unfortunately USAian elected officials also look after the interests of Russia.
China and Mexico will have more of an adverse effect on the quality of life of USAians than ISIS ever will. Mexico has given their campaign contributions to the elected officials. ISIS did not. ISIS gets carpet bombed. Mexican drug lords get sanctuary cities. See the difference?
Compared to "all major industries", or indeed anyone who has skin in the game, government departments have very little at stake in the matter of computer security. I would be interested to see a list of all individual government employees and contractors who have been severely punished for failing to make IT systems secure. (Except that if such a list exists, it is almost certainly "Top Secret"). In really serious cases, the government tends to punish taxpayers by pretending to fine itself.
I am sure that there are many other solipsists out there.
They look more at encrypting things...
See subject.
APK
>> And we are supposed to trust them with healthcare?
I wouldn't look at cybersecurity as a guide, but I would check how the government's doing with the Veteran's Administration (VA hospitals, etc.) as a guide to what future health care might look like.
This is a natural outcome when you're forced to nearly always choose from among the lowest bidders. The other is that there's never been a real budget (and thus push) to upgrade their systems. I'm reading a lot of comments in this post about the ACA... doesn't anyone remember that half of the problem with healthcare.gov's launch issues was because they were trying to tie together multiple, severely old systems? Is it any surprise that a 3 decade+ old system wasn't written with modern infosec practices in mind?
Good luck finding any government that has updated IT security. It's not just the US by any means. Governments in general always update a bit slower, so this is fully expected that government technology is behind private. We know that, we expect that and we are ok with that. You can't have it both ways though. You can't expect government to be ahead of private industry in a capitalist system like this. Government CAN tackle the big projects occasionally, but it's not supposed to be cutting edge. Government is supposed to be slow and rather difficult to change. That's a good thing much more than a bad thing. Any good social change in the world comes over time, so the idea that your government must often be ready for massive reform suggests not that it's flexible so much as that it's unstable. The government is NOTHING MORE than a reflection of the people in any democratic nation. Anything you hate about government you need to first realize that you hate about yourself first.
We should be commending the US Government, who is leading by example, practicing what they preach, that everything should be less secure. The poorly named "intelligence" community regularly complains that everything must be made insecure. The growing number of secure software systems has a name. It's called "going dark". The government needs to ensure that things do not go dark. Therefore insecure systems should be preferred over secure systems.
/s
You can't have it both ways. It's a binary choice. Systems are secure, or they are insecure. I am referring to the intent here. A system is intended to be secure, or it is intended to be insecure. An intention to be secure does not, itself, guarantee security. But an intention to be insecure does guarantee insecurity.
The government sees insecurity as a desirable norm.
Everyone else, for some reason, sees security as a desirable norm. This contrary view cannot be allowed to stand.
I'll see your senator, and I'll raise you two judges.
If you told me 20 years ago that a self-identified "Democratic Socialist" (and a bona-fide Communist underneath) would soon have a fair shot at becoming President of the US, I would've dismissed it with the same derision... But today's youth does not care any more — the Socialism/Communism's 100 years of failure (and mass-murder) are not taught in schools.
Currently it is caveat emptor, is it not? Look on this very board — numerous people speak in favor of "single payer", and they all vote...
TFA is not about "authority" — it is about incompetence. When doctors become government-employees — as they are in Cuba so beloved by the likes of Bernie Sanders and Michael Moore, and other worker paradises — the healthcare will suck just as it does there.
And we are on our way — by many indications, Obamacare was designed to fail, and is failing as "CO-OPs" go bankrupt, and major commercial insurers threaten to withdraw. It did not "bend the curve" of the costs either — the growth of healthcare costs is accelerating.
It will continue to suck. Which will allow the next "progressive" President to claim "the market approach has failed" — and turn to a government-owned (euphemistically called "single payer") system. Obama himself would've done it — with enthusiastic support from morons like certain anonymous cowards replying to you — but "the nation was not ready" so he simply laid down the ground work for the future:
You seem like the kind, who'd be trying t
In Soviet Washington the swamp drains you.
And what financial stake do they have in this?
mark
I have/had above Top Secret DoD clearance (can't even tell you the security level...) My complete DoD security file - full life history, SS#, lifetime addresses, relatives' names, etc. was exposed in the OPM (Office of Personnel Management) hack - everything needed for any identity theft. Identity theft has been attempted several times. My USAA debit card was compromised by a Wells Fargo hack despite my only using it at a (Wells Fargo) ATM inside a DoD secured facility, and was charged for ~1K$. (USAA nicely cleaned that up and even left me the 0.5% kickback on that charge!) Government and financial institutions are your biggest risks. Practicing safe hex on the internet doesn't protect you from these idiots.
This is obviously false. The US Gubmint is a vast, sprawling collection of agencies. Some parts of it have bad security. Other parts have very, very good security.
What's the incentive for federal, state, or local politicians & employees to make their systems secure?
For someone in the private sector, there are incentives at all levels of the corporate hierarchy.
If your job description is security, a significant or catastrophic breach could lead to unemployment. If you're in management and your responsibilities include getting good security people hired and supplied with the tools they need, that breach could lead to unemployment. Top executives whose compensation is tied to stock price could find themselves shy quite a few bucks for a few quarters, even if they keep their jobs.
It doesn't always work out that way in the private sector. But the incentives do exist, and do exert an influence.
Not so much in the government sector.
There's no time like the present. Well, the past used to be.