DHS Gets Another "F" In Cyber Security
An anonymous reader writes "For the third straight year, the Department of Homeland Security -- which is charged with charting the federal government's cyber security agenda -- earned a grade of "F" for computer security from a key congressional oversight committee, according to a story at Washingtonpost.com. Not only did the overall government-wide computer security grade remain flat (at a barely-passing "D+"), but several agencies -- mostly those on the "front lines in the war on terror" -- actually managed to fare worse this year."
Obviously... (Score:5, Insightful)
Be careful what you say. (Score:5, Funny)
Re:Be careful what you say. (Score:2, Funny)
Re:Be careful what you say. (Score:3, Informative)
Re:Be careful what you say. (Score:2)
Re:Obviously... (Score:2)
Yeah, it's funny. People get paranoid about the government spying on them, when it's probably easier for those in the know to spy on the government than vice versa.
Re:Obviously... (Score:3, Funny)
Increased Demands? (Score:3, Insightful)
Considering that the findings are given back to the relevant departments to improve upon, going backwards requires not only that services are added but that their security efforts don't improve, or even get worse, with the new projects.
Perhaps the demands of IT in these departments have increased significantly to account for these services. Anyone know?
Funding (Score:5, Informative)
At one office that I worked in, we made regular trips to the agency's excess equipment warehouse to scrounge for parts that we used to build "new" (newer) computers. That was the only way that we could obtain computing hardware. There was no money in the budget for PCs, even though we were a software development group. We provided our own hardware and software support, by necessity.
Re:Increased Demands? (Score:5, Informative)
At least part of the reason that many agencies did worse this year than last can be attributed to:
- A better DHS systems inventory, meaning a larger population of poor systems, as opposed to the big attention-whore systems that are inevitably going to have more money for security. Unfortunately, the systems inventory *still* isn't very good and is primarily based on what managers report as owning, rather than a combination of reporting and discovery via scanning
- More information available to the Inspector General's office (and more information generally means more negative information, unfortunately). We could also more easily find exceptions/anomalies with the additional information
- Better FISMA assessment methodologies/processes on the part of the OIG than previous years. The process has been much more streamlined so that more work could be conducted in a shorter period of time (i.e. more problems can be found).
Those are just a few of the major reasons. There are other reasons that are more site specific, for example budget cuts, focus of efforts, etc.
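The inventory gap the comment above describes (systems counted only because a manager reported them, versus systems actually discovered by scanning) can be checked mechanically. This is an added example, not code from the page or from DHS/OIG; the inventory rows, scan lines and scanned ranges are constructed.

```python
"""Reconcile a manager-reported system inventory against scan-discovered hosts.

Four outcomes matter to an assessor:
  matched    - reported and seen live by the scan
  unreported - live on the network but nobody claims ownership (inventory blind spot)
  stale      - reported, inside a scanned range, but not seen (decommissioned? wrong IP?)
  unscanned  - reported but outside every scanned range (the scan, not the inventory, is incomplete)
"""
from __future__ import annotations

import csv
import io
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data (not from the page): what system owners reported.
REPORTED_CSV = """\
system_id,owner,ip,hostname
SYS-001,Payroll,10.1.1.10,pay-db01
SYS-002,Payroll,10.1.1.11,pay-web01
SYS-003,Payroll,10.1.1.12,pay-old-test
SYS-004,Field Ops,10.9.0.5,fieldops-gw
"""

# Constructed discovery output, one live host per line: "<ip> <hostname or ?>".
DISCOVERED_HOSTS = """\
10.1.1.10 pay-db01
10.1.1.11 pay-web01
10.1.2.50 ?
10.1.2.51 lab-printer
"""

# The ranges the discovery scan actually covered (constructed).
SCANNED_RANGES = ["10.1.1.0/24", "10.1.2.0/24"]


@dataclass
class Reconciliation:
    matched: set[str] = field(default_factory=set)
    unreported: set[str] = field(default_factory=set)
    stale: set[str] = field(default_factory=set)
    unscanned: set[str] = field(default_factory=set)


def parse_reported(text: str) -> dict[str, dict[str, str]]:
    """Map each reported IP to its inventory row."""
    return {row["ip"].strip(): row for row in csv.DictReader(io.StringIO(text))}


def parse_discovered(text: str) -> dict[str, str]:
    """Map each discovered IP to the hostname the scanner resolved ('?' if none)."""
    found: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            found[parts[0]] = parts[1] if len(parts) > 1 else "?"
    return found


def in_scanned_ranges(ip: str, ranges: list[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def reconcile(reported: dict, discovered: dict, ranges: list[str]) -> Reconciliation:
    result = Reconciliation()
    for ip in reported:
        if ip in discovered:
            result.matched.add(ip)
        elif in_scanned_ranges(ip, ranges):
            result.stale.add(ip)          # should have been seen, was not
        else:
            result.unscanned.add(ip)      # no evidence either way yet
    result.unreported = {ip for ip in discovered if ip not in reported}
    return result


def inventory_coverage(result: Reconciliation) -> float:
    """Fraction of hosts known to be live that have an owner on record."""
    live = len(result.matched) + len(result.unreported)
    return len(result.matched) / live if live else 1.0


def run_sample() -> Reconciliation:
    return reconcile(parse_reported(REPORTED_CSV),
                     parse_discovered(DISCOVERED_HOSTS), SCANNED_RANGES)


if __name__ == "__main__":
    r = run_sample()
    for label in ("matched", "unreported", "stale", "unscanned"):
        print(f"{label:10s} {sorted(getattr(r, label))}")
    print(f"owner coverage of live hosts: {inventory_coverage(r):.0%}")
```

Unreported hosts are the "larger population of poor systems" an honest inventory exposes; unscanned ones show where the discovery side still needs work before the report card can be believed.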
Re: (Score:2, Funny)
Re:Bureaucratic incompetence? (Score:4, Insightful)
The sad part is that this isn't a joke.
Re:Bureaucratic incompetence? (Score:2, Funny)
Re:Bureaucratic incompetence? (Score:4, Insightful)
As it stands, the US government of today dwarfs the US government of only 50 years ago, both in revenue and power over the people. This wasn't achieved through success; it was achieved through failure. When you're spending other people's money, and collecting that money through a special "right" to sell your product through coercion, things work a little differently than if you had to obtain your revenue voluntarily.
Re:Bureaucratic incompetence? (Score:2, Informative)
Has to be bureaucratic incompetence (Score:2)
In any organization (including a nation), there is a "rule of 2": someone must be twice removed from you to be a good scapegoat. Otherwise you're still associated with whatever the screwup was.
Do we live in a developed country? (Score:5, Interesting)
Re:Do we live in a developed country? (Score:5, Interesting)
Speaking as an outsider (I am an Australian) I think the USA does many things very well. But because the US is a very big country, there are always plenty of stories to tell about people being incompetent. You could put any 10 European countries together and get a similar picture.
One problem, I think, is that homeland security (at least since 2001) is being built from scratch as an organisation. New outfits tend to get "business as usual" infrastructure much as would be used for an accounting firm or some such. If they went to an established agency like the FBI they might get less modern but more secure solutions.
Re:Do we live in a developed country? (Score:3, Interesting)
Re:Do we live in a developed country? (Score:5, Informative)
Now, if those 30,000 desktops had to be tied into the FBI's secure networks, I can understand exactly how costs can go ridiculously high.
Essentially, everyone from the company you're buying these products from to the people physically moving and installing the hardware have to be cleared to handle the equipment.
That costs a ton of money right there. Background checks and insurance aren't cheap and that jacks up the prices for everything. They aren't just buying computers, they're paying a contractor to do everything and then to provide support.
If you don't think through the situation, it can easily seem like they're just wastefully burning up cash. Very few things are as straightforward as they seem at first glance.
Re:Do we live in a developed country? (Score:2)
Re:Do we live in a developed country? (Score:4, Insightful)
Of course, I'd argue that it's easier to build security in from scratch than to merge a bunch of government agencies in a clean and tidy fashion, so I agree that DHS has an especially hard task.
The real question is how subjective these "grades" are. What does "cybersecurity" really mean? Attack from the outside? Compartementalization? (that has to be spelled wrong) Prevention of abuse from within? All of the above? Some of these are easy to fix, and some are very hard. For obvious reasons the public can't be given a report listing what and where the weaknesses are, but an unpatched Windows machine is a lot more serious if it is on the perimeter than if it's behind three layers of well-managed firewalls.
Re:Do we live in a developed country? (Score:4, Interesting)
Or the 25 countries..
Hell yeah. Brussels' ineffectiveness at spending money is legendary. The regional development funds are, on the whole, pretty well used to improve infrastructure in poorer countries (for example, the current Irish economic boom has a lot to thank Brussels for), but God help anyone who tries to make sense of the Common Agricultural Policy. That thing's an incredible black hole for money.
And that's quite apart from the notorious corruption in Brussels itself. MEPs and Brussels bureaucrats have generous expense accounts and perks, which have been... creatively used from time to time.
Part of the problem, I think, is that Brussels isn't a real government. It doesn't raise money by taxation, but by contributions from the 25 governments which do; thus it doesn't feel so directly accountable for what it does with the money. And turnouts for elections to the European parliament are generally far lower than those for the national elections, so MEPs get the (correct) impression that their constituents don't really give a damn what they do...
Re:Do we live in a developed country? (Score:5, Insightful)
a "developing country". That is a basic tenet of the neocon agenda - globalization of the economy. High tech and skilled labor jobs are shifted to the lowest labor cost country -- whichever can barely "get the job done" and at the lowest price "wins the contract". USA employers who cannot shift their labor costs overseas are busy importing cheaper labor under increased numbers of L1-A and H1-B visas. That, or busy jumping on the neocon bandwagon to legalize the 28 million illegal aliens that are already in this country. Hand-in-hand with the influx of illegal alien labor is a massive spike in identity theft and fraudulent identity documents. The GWB administration favors hiring fellow neocons, regardless of either their real CV or their civil ethics. Helping to forward their neocon agenda by any means possible outweighs any concept of good governance, or even of the Constitutional balance of power, let alone the Bill of Rights.
Why, considering the response to 9-11, to the illegal Iraq war, the "Pharmaceutical Company Welfare Act of 2003", or the Gulf Coast-Katrina disaster, would any sentient being ever be surprised by what the GWB administration is incapable of doing right?
The Department of Homeland Security is a non sequitur at best (oxymoronic?), and little more than a tool of the emerging National Corporate Socialist state's grab for absolute executive power, at worst.
Re:Do we live in a developed country? (Score:3, Insightful)
Do you even pay attention to your own propaganda? I'm pretty sure Republicans aren't in favor of open borders.
And what's with the xenophobia? Worried that a foreigner can do your job better than you?
Re:Do we live in a developed country? (Score:2)
Why make it illegal and then let it happen? If you want it to happen, why not legalise it? There's some discrepancy there, and it's unsettling.
Re:Do we live in a developed country? (Score:2)
the American people, the UN Security Council, and the rest of the world at large. The ONLY Republicans that are NOT in favor of GW Bush's amnesty/legalization of the virtual invasion of illegal aliens are the ones who, under pressure from their constituents, have split with the official plank of the neocon(artists). Generally, those are the ones whose own jobs are at risk in the midterm elections this fall. And
Re:Do we live in a developed country? (Score:2)
I'm pretty sure Republicans aren't in favor of open borders.
Sure they are - somebody's got to mow their lawns.
Re:Do we live in a developed country? (Score:2)
Legalization would nuke that argument.
And, more to the point, there's not any evidence we have enough low-level jobs to go around. Ergo, everyone who comes to this country to take a job is, indeed, taking it away from an American.
Completely untrue, a
Re:Do we live in a developed country? (Score:2)
years. Many employers would like nothing better than to pay only the minimum wage, if they could only get away with it. In the meantime (in case you haven't been paying attention), the ACTUAL cost of living has far exceeded what the Federal government statisticians have "cooked-the-books" OFFICIAL cost-of-living numbers are -- it drives Federal, State, and Local government pay raises, as well as Social Security, Medicare, and
Re:Do we live in a developed country? (Score:2)
I'm at work so I've hardly got time, but it's pretty well known that the unemployment rate by any measure is currently very low. This despite having a ton of foreigners in this country. However you cut it, if we sent them all home, we wouldn't have enough people to do the jobs. At 5% unemployment (a very high estimate), that's about 15 million people out of w
Re:Do we live in a developed country? (Score:3, Insightful)
thousands of Florida voters accused of being ineligible to vote, then failing to recount ALL Florida votes in a timely fashion, and then relying upon the SCOTUS (filled with Reaganite nominees) to determine the Presidency.
After the illegal DeLay gerrymandering of Texas, the GOP made gains in the HR. Combined with the no-paper-trail-audit electronic voting machine debacle of 2004, in which vote tallies were wildly different from
Re:Do we live in a developed country? (Score:2, Insightful)
I many times wonder whether I live in a developed country.
Okay, I'll bite.
You act like Americans (or Republicans) have a corner on the incompetence market. Not hardly. Examine any other country and you will find the same crap, it's just not reported so widely in the news as it is here. Try working in an international nonprofit (as I do) working to improve healthcare delivery systems in other countries, and you will start to be very thankful you're an American. Blessed, or lucky, or fortunate; take your
Re:Do we live in a developed country? (Score:2)
It's not like the US is the only country in which one observes incompetence and inefficiency. I think the point is that there is good reason to think that the US government is a lot more incompetent and inefficient than it was say ten years ago. The secondary point is that this fits the Bush agenda in several ways. One is that, if you're a hard-core advocate of privatization and corporate welfare, it makes sense to run down government services so as to load the dice in favor of the view that private enterp
Re: (Score:3, Insightful)
Re:Do we live in a developed country? (Score:3, Funny)
Re: (Score:2)
Re:Do we live in a developed country? (Score:2, Insightful)
I'm from the UK and having lived in the US for a number of years I think the US can achieve anything it sets its collective mind to. But the electorate has a neat trick of getting what it wants. Goes like this: Congress passes a law to do XYZ. The electorate says great but then refuses to pay taxes to support it. It's not really incompetence.
Re:Do we live in a developed country? (Score:2)
I've lived in the US my whole life, and I've been paying taxes for the past 20 years!
I can refuse to pay taxes to support stuff I don't agree with (Without going to jail, or having my assets seized...)!? Tell me more!
Re:Do we live in a developed country? (Score:2)
Muhammed drawings (Score:5, Funny)
Re:Muhammed drawings (Score:2)
Of course (Score:3, Funny)
resembles department culture as a whole? (Score:5, Interesting)
It figures. Institutions like the DHS are completely focused on administrative, paper-tiger security. Which in the end doesn't provide real security for anyone, but instead a freedom-diminishing administrative load on everyone.
The National Science Foundation and the General Services Administration each saw their scores rise from a C-plus in 2004 to an A last year. The Environmental Protection Agency and the Department of Labor earned A-plus grades in 2005, up from B and B-minus respectively.
Good to see there are competent people out there, it should not be impossible. It's just sad that the more 'safety-critical' the organization is, the more sloppy they get on critical points in their organization.
Re:resembles department culture as a whole? (Score:4, Insightful)
Look at businesses in the late 90s: you had young tyros running companies that understood both the opportunities and (more significantly in this context) the risks of the internet. They flourished. Then you had the bricks and mortar companies that took FOREVER to get off the ground, with their hidebound executive and department managers who were all of a generation for whom VCRs were 'new' and the internet something between cable TV and the telephone but not really understood. There were some foresightful managers who 'got it' but most of their peers didn't.
I'm guessing, given the generally behind-the-curve nature of non-defense government agencies, that they are still just evolving out of this mindset. The departments with the occasional leader who 'gets it' are very clear on their understanding of what they need to do. The others? Well, until there's an administrative change, they're going to limp along, connecting to the web as ordered but not really understanding why they're doing it.
Re:resembles department culture as a whole? (Score:2)
Other agencies whose failing marks went unchanged from 2004 include the departments of Agriculture, Defense, Energy, State, Health and Human Services, Transportation, and Veterans Affairs.
Re:resembles department culture as a whole? (Score:2)
How do you get that? They make something state of the art, like an airplane. Then they use it for years. There are 40 year old U-2s still in service. They do believe in high-tech, but they believe in slow processes and tradition even more. An organization so based in tradition (necessary to convince people to kill and die without thinking about it until shipped back home - or
oh look! (Score:5, Informative)
Beware - using Linux can be bad (Score:2, Funny)
Re: (Score:2, Funny)
Re:oh look! (Score:2)
Re:oh look! (Score:2)
Re:oh look! (Score:2)
I think grandparent post was just saying "Yay Linux!", not "Yay environmentalism!".
They want to be attacked (Score:5, Interesting)
Perhaps they are (Score:2, Insightful)
Childish nonsense (Score:4, Insightful)
B minus? D minus? Who cares. It's not like these institutions are going to go home and blub because they got bad school grades. Another propaganda stunt to make you believe your incompetent and unaccountable institutions are actually answerable to anybody imho.
Re:Childish nonsense (Score:2)
Colors?
Some arbitrary scale?
At least "grades" are almost universally understood in the US. A department which received an "F" is obviously not a success story when it comes to computer security...
Re:Childish nonsense (Score:2)
And besides, the government *is* accountable to someone: its citizens, and we need to be reminded of that as of late.
Perhaps they are using (Score:5, Funny)
Re:Perhaps they are using (Score:2)
Re: Prayer based security- in related news (Score:2)
A New Revelation! Spread the Good News! (Score:2)
...this is because there is NO threat. (Score:5, Insightful)
Re:...this is because there is NO threat. (Score:2)
It is this artificially created threat that is BUSH's masterplan
Sorry to disappoint you, but it is Osama's masterplan. His organization wasn't as attractive anymore to youngsters as it was when they were fighting the Russians in Afghanistan. He needed some western armies around, to have an enemy to fight, to attract new blood.
So, one of his goals with the planes flying into these buildings, was to engage the west in a war in Afghanistan (which they did, and a lot more successfully than Osama would have g
lawnmower racing (Score:2, Interesting)
Re:lawnmower racing (Score:2)
On the other hand, do these races allow the public to enjoy their freedoms?
Hmmm... A possible reason! (Score:2)
Re:Hmmm... A possible reason! (Score:2)
Get some facts (Score:2, Interesting)
Re:Get some facts (Score:2, Insightful)
Well, that is part of the problem isn't it. DHS has now had a couple of years to come up with a coherent security plan. While I could understand if they were having problem implementing it over all the different sub-organizations, I think they most cert
Re:Get some facts (Score:3, Interesting)
You obviously don't understand what this OMB report is all about... It's a report card on FISMA compliance, not on the level
Re:Get some facts (Score:2)
And token-ring? Ugh. You ever been on a large token-ring network? I get your point, but I hope you mean a nice star-based closed-LAN environment.
Re:Get some facts (Score:2)
If only... (Score:2, Funny)
Cat and Mouse? (Score:5, Insightful)
What if the government put out a bid for someone to undertake cyber attacks against them as well as provide funding for the repair/protection of these systems?
Offer, say, $1M to an organization to start cyber attacks on a specified date. These agencies would know full well that such an attack was coming. Do *YOU* want to be the one to try and explain why *YOUR* system was able to be broken into? Just as there was a huge effort to counteract the Y2K "bug", and we survived it relatively unscathed, I'm thinking a scheduled attack would do wonders in getting things secured, ASAP.
We could have nearly impenetrable systems by year's end.
Re:Cat and Mouse? (Score:2)
You must have missed the
Operation 'Cyber Storm' Starts Tomorrow
http://it.slashdot.org/article.pl?sid=06/02/05/1424232 [slashdot.org]
Government Cyber Storm Ends
http://it.slashdot.org/article.pl?sid=06/02/12/1640226 [slashdot.org]
You win some, you lose some. (Score:2)
All of this, after they discover China's been operating a massive hacking campaign over here in the United States. You have to wonder if they're not just trying to screw up.
Reminds me of the Spanish Inquisition sketch (Score:5, Insightful)
I think, as a rule, governments can effectively only do one hard thing at a time. By "Hard" I mean something that in an organizational sense is like computational "hardness": you can't really do a perfect job of it, and you can exhaust all your resources trying to. You can walk and chew gum at the same time because both things are routine and use well trained motor programs. But if I gave you a marionette, you could probably get it to walk or chew gum, but not both at the same time until by practice you managed to combine the two into a single action.
Governments can run a national park system and regulate food additives at the same time, because these are routine things like walking, well, walking and chewing gum. But organizing DHS at the time we did was, in my opinion, a bit of disastrous overconfidence.
DHS was established in January 2003, at the same time the administration was planning an invasion of Iraq in March. Homeland security is a "hard" problem. War and nation building -- in fact region building, are also "hard" problems. The only way you can do this is to find some way to combine the two into a single priority. The administration has done this rhetorically -- e.g. the well known "mushroom cloud" threat -- but on a practical day to day basis these efforts are completely separate. DHS so far as I know doesn't have anything to say about what is happening in Iraq, and neither does the Iraq effort consider things like infrastructure security. The only point of contact between the two I can see is that they'd both like to have more of the Coast Guard's bandwidth.
The government needs a data architect agency. (Score:2, Insightful)
Re:The government needs a data architect agency. (Score:2)
My story... (Score:5, Informative)
So, my friend contacts the webmaster of the navy site and explains what he saw, how it was tracked down ( he left my name out -- thank god -- since my name is very islamic and happens to be shared with an at-large eastern european islamic terrorist. Bad enough that it's a disaster whenever I *try* to fly. Thanks, dad. ) and what did my friend get in return? Thanks? A "We'll look into that, good job, citizen". No, he was accused of hacking the site, and they informed the secret service of him and his "actions".
Fortunately, the SS ( lol ) realized he'd done the right thing and was innocent.
But, seriously folks, how fucked up is this?
Re:My story... (Score:2)
Re:My story... (Score:2)
The SS didn't do anything, they recognized the hysterics of an idiot ( the woman who reported him ) and ignored it. Now, I don't know how it got to *them*, I would have expected a different agency, but what do I know. Shit trickles, both up and down.
Anyway, believe it or not, I don't care. I've known this guy for > ten years, and he's as stand-up a guy as I've *ever* known. The rare kind of person who you simply can trust, without reservations.
Re:My story... (Score:2)
One reason civilians that report defacements might be told to fuck off is because there's already another entity that monitors them.
Here's how it works... (Score:5, Insightful)
The Secretary for the agency gets grilled by Congress-critters on why their agency is failing, again. The Secretary doesn't really care about IT security, but (s)he does care about not getting grilled by Congress-critters.
The secretary authorizes some obscene amount of dollars to go towards "improving IT security" and signs off on some plans that purport to do this. Often these are bundled together with initiatives for IT centralization, better management practices, the yearly re-org plan, etc. If you're lucky, some fair portion of the obscene dollar amount actually goes towards something that might really help IT security.
Various political appointees (Deputy Secretaries, Assistant Deputy Secretaries, Associate Deputy Assistant Secretaries, etc.) get shuffled around in the post-Congressional-snitfit era and engage in vicious political battles that make Imperial ascension politics in the Roman Empire look like a shuffleboard tournament. This of course immensely helps the prospects of improving IT security.
Meanwhile, various Beltway contractors propose all sorts of interesting things the agency can do with the money. The ones who are already working with the agency make recommendations to steer the dollars towards projects they can successfully bid on and ways they can increase their headcount, and the outsiders try to weasel their way in. Vendors make extravagant promises about their gear and generously distribute dinners, trips, tickets and job offers in desperate attempts to land a multi-million dollar sale.
Somebody (no one ever admits to this later) actually buys off on some subset of these promises and signs a PO to Make This Happen.
The money eventually filters down to the GS-15s and 14s (career employees) and contractors who Actually Do Something instead of going to meetings all day and answering email. They often emulate the successful political appointees above them by holding lots of meetings and sending lots of email. However, they get to Actually Do Something as well. Lucky them.
Some random collection of program managers, unwitting new subcontractor hires, and government support employees are thrown together to Make This Work. If they're lucky, enough of the people on the task have worked together before to know how to navigate through the bureaucratic, corporate and technical obstacles to have something to show for their efforts after 6 months. If not, well, the government paid for Yet Another Jobs Program.
3 times out of 10, the proposed solution fails so miserably that they can't even convince the other contractors and govvies to put it into production.
6 times out of 10, it works just well enough to shoehorn the "solution" into production, as long as the duct tape holds and they can hire enough bodies for the Mongolian Horde approach to IT ("quick, get more people for the overnight shift, the ticket count's escalating again!"). But that's okay, 'cause the same contractors and govvies will get to fix it again next year when the problem still isn't solved.
1 time out of 10, they actually Make It Work. Wow. People stumble around in shock, awe and amazement at what they have created. Users are happy, management is off their backs. But don't worry. Something will change in another 6 months to bring completely new requirements into the picture, and you get to roll the dice again.
Psha. (Score:3, Insightful)
The government needs to eliminate this bullshit job security and make people work for a living. If people don't work and meet performance standards, they should get fired.
But no, that's much too logical. Instead, we allow people to put in a good couple years when they're young (and want to work) and then support them through the rest of their life while they slack off and can't be fired. Most people need some sort of fear for
Re:Here's how it works... (Score:2)
Reminds me of one of the /. Quotes that shows up at the bottom of the page
Is Bush Working for the Terrorists? (Score:4, Insightful)
We have never been weaker or more unsafe. Our union is divided everywhere, persecuted by our government, churning our experienced national security personnel (including our military) into a useless, expensive albatross around our neck. If someone actually attacked us, we'd be worse off than before we got all these "warnings", many of which are already killing thousands of Americans.
These clowns have got to go.
Re:Is Bush Working for the Terrorists? (Score:2)
Re:Is Bush Working for the Terrorists? (Score:2)
Nazi Germany was effective. Stalin's USSR was effective. So was Mao's PRC.
Democracies aren't, by nature, terribly effective. That's rather the whole point of them.
History is filled with terrible examples of citizens clamoring for a "more
Is anyone really surprised by this finding? (Score:2, Interesting)
Only a few agencies improved and those agencies aren't even as significantly correlated to security as the likes of DHS, etc.
It feels a lot like hypocrisy to me, when the gov't continuously appears to be able to fail and get away with it but we normal, everyday citizens cannot "officially" get away with much at all.
I wish there w
I work for DHS, help grade them, and... (Score:3, Insightful)
So, if this "report card" were properly reported, more systems would be in the population (and sample, since I feel sample size is too low). And if better, more in-depth security assessments were done, DHS would probably do even worse. I just wanted to give you the warm fuzzies...
Anyhow, people the under the CISO (Bob West) are working to get a better inventory and to improve FISMA reporting, but the processes are painfully slow due to growing pains, political battles and the typical laziness that consumes government workers.
We should get some more guys from the casino and porn industries in here to whip system security into shape...seriously...
DHS has exclusive partnership w/ Microsoft for SW, (Score:2, Informative)
Honeypot? (Score:2)
Then one wonders, what if they really are? I mean, it's the DHS. A tempting target for any terrorist hackers. What if they're really more secure than they've made themselves out to be? Could it be that the DHS network is just a giant honeypot?
You have to admit, it would be an interesting idea, and not exactly stupid. But then again, this government isn't on the ball as far as "no
Re:I think this is by design, folks. (Score:2, Insightful)
Re:I think this is by design, folks. (Score:2)
Are you guys in the Coast Guard by any chance? They have a reputation for actually knowing what they're doing.
Re:yeah. first-hand experience (Score:2)
Re:Where's the money? (Score:2)
Re:Government incompetent... news at 11. (Score:2)
Re:Government incompetent... news at 11. (Score:2)
What's really frightening is that this audit was done by a congressional committee, who, by our post is inherently incompetent. The incompetent oversight committee actually found security holes, how glaring did the incompetence of DHS have to be???
Actually, the "wasteful" part of government is the executive branch, the ones that "carries out" the laws. The reason? No competition. Congress is also incompetent, but in other ways (i.e. approving an extension of the National Debt to $9 trillion). See, Congr