The Boom (Or Bubble) In Federal Cybersecurity 72
Hugh Pickens writes "The Washington Post reports that the increasing number and intensity of cyberattacks has attracted the attention of the Obama administration and Congress, which have begun steering dollars to the problem. Much of that new spending, estimated at $6 to $7 billion annually just in unclassified work, is focused on the Washington region, as the federal government consolidates many of its cybersecurity-focused agencies in the area. 'I think it is a real growth opportunity in coming years,' says David Z. Bodenheimer, a partner at law firm Crowell & Moring in Washington, who leads the firm's homeland security practice and specializes in government contracts. 'The market is still rather fragmented and in flux, but is developing with a speed that it is attracting both the major defense and homeland security contractors who are establishing independent business units to pursue these opportunities, and it is also a real opportunity for the smaller players who have niche products.' One reason the field is attracting so many companies is that the barriers to entry are low — at least, relative to other defense industries. But as start-ups and others rush to stake claims, some wonder if a bubble of sorts is beginning to inflate and recall that many venture firms in the early 2000s chased similar prospects. 'A lot of the early people made significant money,' says Roger Novak, founder of Novak Biddle Venture Partners. 'But there were [also] a lot of "me too" companies.'"
Re:Bubbles are not as nasty in labor-intensive sec (Score:3, Insightful)
No, this money wont go anywhere near the people who need it. First, the jobs this money creates is only going to be available to people who are able to be "cleared". If you are unfamiliar with the security clearance process, you should check it out. Many people apply, few (with the exception to political appointees) are accepted. The job market for cleared people is nearly always good (but has gotten pretty tight under the anti-military/intelligence Democratic congress/white house), so this will only make life better for them.
Second, the money is going to the Washington DC area... where "skilled" jobs are always in abundance. The big loss in jobs has been in the "low/unskilled" and the trade markets, which this "bubble" will do nothing to improve outside of the support industries.
Re:Bubbles are not as nasty in labor-intensive sec (Score:1, Insightful)
lawyerspeak for dummies (Score:5, Insightful)
Translation follows:
"Nobody has the faintest fuck of a clue what they're doing, but they desperately want to be seen to be doing something and so they're throwing money at anything. Get in right now and make out like a bandit while you can!"
Re:lawyerspeak for dummies (Score:4, Insightful)
The pity to all this is that Government has needed to better fund this area for the last 10+ years. Infosec activities have been historically undermanned. This increased funding would seem like welcomed news. But, of course, it's not that simple.
Infosec in the Fed has become a Frankenstein's Monster over the past years. Cluelessness has spawned regulation. NIST requirements have some solid technical basis. But mixed in to compliance is layer upon layer of bureaucracy that requires considerable funding in it's own right. Compliance requires additional management and auditing which requires additional manpower - none of which actually does the technical work or has to have any understanding of the technical issues. In fact, NIST compliance doesn't particularly require any understanding beyond the workings of the regulations themselves. And even achieving compliance with various NIST requirements can still leave one completely open to known security issues (which isn't entirely bad in itself but can set up a false sense of security).
It is possible that some of this funding will trickle down to the layer that should have been funded all along. But it is much more likely that the lions' share of these funds will go to fueling compliance. And investing on questionable new technologies / products while ignoring fundamental architectural and cultural issues that are the real source of many Government infosec issues.
Re:Something seems fundamentally off.... (Score:4, Insightful)
Your missing the bigger problem. Communications in the commercial world has dramatically advanced due to e-commerce and electronic digital communication. Government is very, very far behind the commercial world, but is looking to catch up. This cannot be done with an isolated and secure network. The need for e-government is becoming ever more evident. With the slow increase in population coupled with the dramatic increases in regulation and bureaucracy, the US government will simply grind to a halt if it does not provide more access to government services via the internet.
This is where the big need for security comes from. How do you provide more access to more services and information while restricting that information to the appropriate parties. Also, once these services become integrated and relied upon, they will become targets for hostile foreign elements. This is a "good" problem to have, but it is one that needs to be addressed now, before massive electronic outreach programs become part of our daily lives (even more than they are now).
Whether your a conservative, or a liberal, government cyber security needs to be addressed. If we go more big central government, then there will be more eggs in one basket. If we go the federalist route, then more information will need to passed between states (in a safe and accountable fashion). Either way the old "paper" way isnt sufficient and will not work forever (unless we have a massive population decrease).
government security vs government management (Score:4, Insightful)
Good luck to the security professionals who think they can make a difference in the Federal government. I subcontracted at the GAO many years ago and saw some of the same issues. Mentioned them to higher-ups, and higher-higher-ups. No repsponse, no improved security, not even a formal recognition of the problem. The primary contractors themselves were just as much to blame. Their main goal seemed to be maintaining the contract at any expense, including bad security, including shooting the messenger.
Bottom line is that .gov security issues are not really security issues as such, they are organizational issues. As long as you don't address the fundamental problem of entrenched, mid-level, non-technical management all the money in the world won't fix it.
What most of this "IT security work" really is... (Score:5, Insightful)
Most of work involves commodity certification & accreditation (C&A) that involves the following:
Phase 1
a "system owner" (Govt IT manager) has staff prepare documentation of the security controls implemented on a "system" (Logical grouping of computers). The security controls are in NIST 800-53, this is FISMA in action.
C&A process http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf [nist.gov]
NIST Controls http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf [nist.gov]
NIST Audit process http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-A%20Rev.%201 [nist.gov]
Phase 2
A certification agent comes in, assesses the system using tools and configuration analysis. This is heavily slanted towards audit, instead of true security analysis.
Phase 3
A senior executive (Authorizing official) makes a decision about the risk acceptability of the system to operate, and may make the system owner do corrective action. The system then moves into continuous monitoring (phase 4).
That is how certification and accreditation operates in theory. Now I am going to tell you how the system is gamed.
During Phase 1, it implies you actually have competent IT security professionals on hand, performing work for the system owner. This is a false assumption. Most system owners don't know security, nor do their staff.
Phase 2 - First of all, have the certification agent companies don't understand security. They can talk the talk (CISSP) but have no solid IT / IT security expertise (not security testers). Many certification agents will not even test systems. They play a game of bringing in cheap staff or running vulnerability scanners then passing them off as "penetration tests". The amount of utter garbage in the field is amazing. Even more so are the reports they write up are audit garbage. If you asked most certification agents about a security methodology, they haven't heard of the OSSTMM or similar. They use NIST 800-53A (heavily audit driven) then they write up meaningless reports, equating technical weaknesses as just as relevant as a gap in a policy.
Phase 3 - The vast majority of government executives are clueless when it comes to IT. They know a little bit, like the name of an operating system (Linux - buzzword - yay!) but not much else. So, they are easily led astray. Most will allow a system to operate regardless of how bad it is, based on a horrible security review performed by incompetent certification agents, on a package made by the almost as clueless system owner and his staff.
After a system gets an authorization to operate, many staffs stop doing all security for 3 years, til the next C&A comes around.
It is not uncommon for a federal cabinet level agency to have 300+ systems, with 300+ system owners, with 300+ completely separate, unique and underfunded security implementations that have more holes than swiss cheese.
If you notice, what is missing from above is actually rigorous security analysis. Code is rarely audited. Configurations are rarely checked 100%. Policy is viewed as important as technical controls. Most testing is a wash. Penetration tests are vulnerability scans by nitwits.
And you wonder why the Chinese are plundering the US govt on a daily basis?
Re:lawyerspeak for dummies (Score:2, Insightful)
Absolutely!!!
"After 9/11, we had to show how committed we were by spending hugely greater amounts of money than ever before, as rapidly as possible." - Rep. Christopher Cox, R-Calif., chairman of the Homeland Security Committee on why the TSA squandered $4.5 billion on malfunctioning equipment; he also inadvertently admitted that the agency is merely window-dressing for the Feds
Me Too (Score:1, Insightful)
One snake-oil bubble, coming right up! (Score:5, Insightful)
This cyber-security stuff is largely nonsense, IMO.
The fact is, the Internet was designed from the ground up to support flexible and open standards, and it makes certain assumptions about the credibility and honesty of those put in charge of its routing. (I was just reading an article complaining about the lack of "action" taken after the Bush administration did a security review of the Internet back in the 2003 time-frame and determined it was, indeed, quite possible to take down the entire Internet in a matter of hours or less, thanks to weaknesses in how traffic is routed. The fact is though, all the major ISPs expressed NO interest in changing the current system -- because they realize that would still require a "central authority" someplace to determine the "correct" routes traffic should follow to get from point A to B. The current system is rather like trying to drive on a road trip from, say, Dallas to San Francisco, except you have no road map in advance. You simply start out on your journey and follow the road signs as you go, until you arrive. Except in the case of the Internet, even those "road signs" aren't controlled by any central authority. If someone accidentally or purposely changes one, traffic gets shunted in the wrong direction (possibly to a destination router that just black-holes all of it, since it wasn't expecting it).
As we can see though, it generally works quite well, because the people doing most of the heavy-duty routing are ISPs with a vested interest in making sure it keeps performing well. If and when something goes wrong, they tend to pick up the telephone and start making phone calls, getting people to intervene and make manual routing changes to eliminate the problem.
As you look past this supposed "security weakness" and get more detailed about security of individual destination points on the Internet, you see a similar situation. People bitch and moan about security issues (PCI compliance, for example), and spend thousands of dollars trying to address it. Yet in the end, you still HAVE to place trust in your employees. If they're willing to let outsiders in to get information you're trying to protect? All bets are off, no matter how much you spend on the latest "next generation firewall solution" or what-not. (Remember the huge credit card breach AOL had a while back? Turned out to be an inside job.)
Right now, as an I.T. manager, I'm seeing a large number of start-up and obscure "computer security" businesses trying to get my attention. I was just invited to listen to a presentation given by Palo Alto Networks, for example, followed by a free pre-screening of Iron Man 2. (Yep, I went.... not a bad way to get our attention, actually!) But the presentation honestly didn't tell me anything new. It was full of a bunch of well-heeled customers of theirs talking about liking the device, and their founder making a few rather arrogant comments - suggesting they were going to be huge in the future, because unlike most companies doing firewalls, they were focused on "innovation". He commented that "Checkpoint hasn't innovated in at least a decade." and "Cisco has NEVER innovated at all. They just bought a bunch of start-ups."
I can't speak for the quality (or lack thereof) of their product, but I CAN say that it was exactly what I was expecting them to try to sell.... another "next gen firewall/traffic flow controller" device that tries to "wow" middle and upper management types by acting like they've unlocked a huge revelation, by realizing that port and IP based firewall rules aren't the complete answer for companies today.
Funny, but I think Rapid7 was just calling, trying to get me to attend a seminar about THEIR product that was essentially the same idea, and to hear them talk, THEY thought of it all first, too.
A lot of people see a chance to grab some money thanks to fear of the unknown out there, and they may have products that really DO address specific scenarios really well. But I'm convinced most companies would b
Re:Better they spend it on this than on fighter je (Score:4, Insightful)
So how would the enemy attack? Probably by exploiting weaknesses in systems and networks. So those systems and networks must be secured and securing them wont be free.
You missed my point. Infosec in the Government has needed funding for a long time now. Funding it is a good thing. However, I would prefer to see funding go towards programs and activities that are effective rather than powering additional levels of bureaucracy.
Having said that - don't get too wrapped up in your "new" war. When it comes down to it, physical control is still important. Those fighter jets will still have a use. AFter all, we've fought this war before - we just called it "espionage".
Re:What is e-government? does it include e-cops? (Score:3, Insightful)
I'm not arguing the politics of it (I agree with you from that point). I'm simply telling you how much the brontosaurus needs to eat... I'm not telling you why, how, or where you are going to get the food from.
The "services" is giving people a means to more readily comply with regulation, fill out required form, and easily pay it more money.