Report: DHS Failing On Cybersecurity

chicksdaddy writes: It's always interesting to listen to what politicians say on their way out of office — after the pressure to get re-elected and say "on message" has been lifted. Eisenhower's historic farewell address in 1961 warned Americans about the influence of the Military-Industrial Complex. Twenty years later, Jimmy Carter warned of the distorting influence of "single-issue groups and special interest organizations" on the political process. And, this week, outgoing Sen. Tom Coburn (R-OK) used his final days in office to issue a blistering report on the Department of Homeland Security. Coburn argued that DHS was failing on each of its five, critical missions, among them: cyber security.

The report, "A Review of the Department of Homeland Security's Missions and Performance (PDF)," was released on Saturday. In it, the outgoing Senator said that DHS's strategy and programs "are unlikely to protect us from the adversaries that pose the greatest cybersecurity threat."

Despite spending $700 million annually on a range of cybersecurity programs, Coburn said it is hard to know whether the Department's efforts to assist the private sector in identifying, mitigating or remediating cyber incidents provide "significant value" or are worth the expense. DHS programs are still heavily weighted towards software vulnerability mitigation, Coburn says, an activity that "will not protect the nation from the most sophisticated attacks and cybersecurity threats."

No it isn't!

[Anonymous Coward]

It's doing exactly what it was intended to do: bilk appropriations to well connected people and Corporations in the name of National Security. If anyone EVER thought it was something other than that, they're far too naive for the present reality!

Re:

[Required Snark]

Remember, the real name of DHS is DHP: Department of Homland Pork.

Re:No it isn't!

[Noah Haders]

Department of Hamland Pork?

Re:

[Livius]

Coburn is not revealing anything, he's simply a continuing part of the disinformation campaign that misinforms the public as to the true purpose of the Department of Homeland Security.

Hard to believe, but there's still quite a few people out there fooled by it all.

Re:

[Opportunist]

Uh... care to elaborate? It somehow doesn't make a lot of sense that way.

Re:

[Cardoor]

you're forgetting providing 'jobs' for those who would be otherwise disenfranchised, and liable to cause problems.

Consider the source

[ISoldat53]

I would believe this more if it weren't coming from Tom Coburn.

Re:

[Anonymous Coward]

Tom Coburn isn't all bad. I believe that people with medical degrees who have taken the hypocratic oath make pretty good leaders. They often seem genuinely concerned with the welfare of people. Lawyers often get too involved with winning against the adversary. Tom definitely can grandstand and play politics, but he also seems to genuinely believe in what he is doing and care about people.

Re:

[blue trane]

Coburn cares more about figures in a ledger book than about people suffering needlessly just so his budget looks pretty to him.

Re:

[blue trane]

Coburn's fixation on budget deficits is absolutely contrary to humanitarian compassion. Deficits don't matter, as Reagan proved. To cut food stamps and suicide prevention programs in the name of "pay-go" is morally, ethically, and economically wrong.

Re:

[Opportunist]

I can't speak for Detroit, but Greece I know fairly well. If you make a country cut back on everything that could keep the inland purchasing power from faltering completely (which it now did) but force it to honor its weapon purchases (or Germany would've had to find someone else to buy its subs), you should not wonder if the economy gets a wee bit lopsided.

Re:

[kilfarsnar]

Coburn's fixation on budget deficits is absolutely contrary to humanitarian compassion. Deficits don't matter, as Reagan proved. To cut food stamps and suicide prevention programs in the name of "pay-go" is morally, ethically, and economically wrong.

ORLY?

Ask Greece.

Or Detroit.

Unlike Greece or Detroit, the federal government can print its own currency. Thus it is not constrained by its ability to tax or borrow. It literally has all the money it needs all the time. So it is correct that deficits don't matter. We could pay off the entire national debt tomorrow if we chose to. I'm not saying we should; it would have other ramifications. But the idea that we just don't have the money for a given project or program is just not true. The US cannot go bankrupt and has all the mon

Re:

[DarkOx]

Deficits don't matter, as Reagan proved

Reagan proved nothing of the sort. Reagan proved nothing of the sort. He proved short term deficits are okay if anything and we pretty much always knew that.

Reagan's spending was in the context of a very different world. There was literally no economy or currency that could provide the secure wealth store the US and dollar offered at the time. Today there is plenty of mostly safe sovereign debt to buy out there. There was no possibility of the first world trading oil in anything but the dollar; while

Re:

[ISoldat53]

No and yes

Were good at spying on ourselves

[Anonymous Coward]

Just ask the NSA on how good we are at spying on ourselves. But we seem to be looking at ourselves as the biggest threats when in fact our enemies have been accruing more and more technology and intelligence to attack what would hurt the US the most, commerce. People have said for decades that the US is too cozy with China and that makes us vulnerable. The US used to make almost everything it consumed in commerce and now we have lost that edge and even in technology and its security we seem destine to ignor

DUH!

[frovingslosh]

In it, the outgoing Senator said that DHS's strategy and programs "are unlikely to protect us from the adversaries that pose the greatest cybersecurity threat."

DUH! DHS and the NSA are the greatest threats to American cybersecurity.

Gee, wonder why

[Snotnose]

Take a bunch of overly bureaucratic organizations that have needed weeding out for decades, create a huge new bureaucracy to oversee them all, and WTF can you expect?

/ Bush was the worst president in my 50+ year lifetime
// Homeland security never made any sense to me
/// I vote Republican prolly 70% of the time

Re:

[oDDmON oUT]

You sir have restored my faith in humanity.

Re:

[Anonymous Coward]

What's the ranking criteria?

By most criteria, Bush Jr is the worst president of my lifetime. If you're a billionaire, maybe he ranks better because of who he appointed to the supreme court. But, on almost all counts, he was disastrously bad, and everything he touched turned to shit.

I guess I'd have to begrudgingly rank Clinton best, although I don't like him or Hillary at all. But, the economy did pretty well under his watch, and he didn't run up a lot of debt.

I really don't get the Obama hate. I'd rank

Re:

[Opportunist]

Looking back, the US had a few good, a few bad, a few shining and a few shady characters as presidents. I liked Bush Sr., well, ok, I did not like him, but his politics was fairly sensible. I loathed Bush Jr, not just for his questionable politics and HORRIBLE financial decisions, but mostly for what he did to the image of the US. He turned the general sentiment towards the US of one of admiration and aspiration, where the US was THE country, where everything goes and everything is possible, into one of rid

Re:

[AHuxley]

It was such a good idea. Replace all the well paid union workers sitting around at small and remote sites with new computer systems and cheap networks.
Less staff cost, less union workers and a few experts could care for a larger system of networked equipment over wide areas.
So a lot of once secure air gapped sites where connected with low cost networks and everything seemed ok. Fewer on site workers, the same oversight and maintenance.
Now for the next huge boondoggle. Remote site security upgrades.

Lies

[Anonymous Coward]

People fail to realize that if it wasn't for the Department of Homeland Security, Al Qaeda would be flying airplanes into buildings every single day. Mind you, I wouldn't shed a tear if a million white people died, but just think of all the African-Americans that the DHS is protecting. God bless the DHS.

Quiet! They might be listening....

[freeze128]

The *LAST* thing we need is DHS thinking that they know security better than computer professionals. This article is just an invitation to get DHS to install "protection" software onto our PCs, or otherwise screw up the internet.

What does Coburn know about infosec?

[bouldin]

Why does anybody care what a 66-year-old doctor from Wyoming thinks about information security?

The report criticizes the DHS as ineffective at "cybersecurity" because of.. zero days or something.

It's clear that neither Coburn, nor the author of the report, understands infosec or how it is different from kinetic war. You can't amass troops or use force. It's very difficult to even know who attacked you.

You can do something like building defensive lines, but that's exactly what the report criticizes.

Re:

[bouldin]

I read the infosec part. The report criticizes DHS for concentrating on vulnerability management and using signature-based detection, which it suggests is not worthwhile because of zero-day vulnerabilities. It criticized the DHS for not following best practices itself.

That criticism is fair, but also applies to almost all infosec efforts, both in the public and private sector.

The only suggestion offered by the report was to cite a "cybersecurity expert" who says we should focus on deterrence. The report

As the saying goes...

[langelgjm]

Even a stopped clock is right twice a day.

Re:

[Opportunist]

And a stopped brain has a bright idea twice a day?

Re:

[Fire_Wraith]

DHS isn't very effective at cybersecurity - but not for the reasons he cites (something about stopped clocks being right twice a day comes to mind).

First, when it comes to 'cybersecurity', they have no actual authority. The best they can do is suggest and advise. I'm not saying they should have authority to make anyone fix vulnerabilities or whatever, I'm just pointing out that you can't really expect that they'll be effective at protecting X if the people in charge of X don't have to listen to a word they

they are doing some things right, like free classe

[raymorris]

You won't normally find me talking about the federal government being very effective at anything, but they have done some things right with cyber security. For example, their series of free online classes covering cyber security is much better than I would have expected.

Of course they did contract that out to a STATE agency, and a rather unique one that whose budget process and operations is more like a private business - if people don't like the product (the classes), the agency doesn't get paid. So mayb

Re:

[kilfarsnar]

That's even less of the population.

Re:

[gmhowell]

Wrong.

DoD: military
DHS: civilian

What a waste

[LessThanObvious]

"Senator arguing that DHSâ(TM)s $700 million cybersecurity budget could better be spent elsewhere."

A $700 million budget alone is evidence that they are way off target. The mission should be fairly narrow and focused and require only relatively small staff. The private sector does fine in most security area's. They just need to fill the gaps that are outside the scope of the private sector. Pick 8-10 real priorities do those really well and just cut everything else. Considering the FBI/NSA isn't even p

Re:

[TheCarp]

> What exactly do they need to do that couldn't be done with a staff of two or
> three hundred good people and a $150-$200 million budget? WTF

create jobs. That is really all it has been about for a while. Shit go all the way back to prohibition and we got beginings of the drug war partially from efforts made by people who were basically looking to lose their jobs with nothing to do now that alcohol was legal.

Their role is to create jobs and use as much budget as possible because the more they spread ar

Re:

[Opportunist]

I tried. I failed. Bureaucracy and "hacking" does not mix. It just does not work out. And for the same reason it is fairly nontrivial to establish good IT security in a corporate environment, for they are also weighed down by bureaucracy.

It's asymmetric warfare at its finest. On the plus side you have lots of funds, highest technology available, even to some degree the ability to change laws in your favor and law enforcement on your side, sometimes to the point where you may direct them. On the downside you

Everytime the word "Homeland" is used

[7-Vodka]

Everytime the word "Homeland" is used, we should post reminders of how eerily familiar these Sophistries are to Hitler's own:

Motherland, homeland, fatherland terrorism, terror cells. [youtube.com] None of this shit is new. The communists did it too.

Re:

[sconeu]

Remember, KGB stood for "Ministry for State Security".
Sounds a hell of a lot like DHS, doesn't it?

Am I being paranoid?

[WaffleMonster]

Every time I hear bureaucrats rumbling about "cyber security" only thing that comes to mind are schemes to legalize spying "for our own good" ... Still seeing politicians getting airtime rambling about legislation to indemnify corporations for "sharing" information with the government not letting the Sony opportunity go to waste.

The military industrial complex has countless billions of dollars at its disposal and the only constructive thing I've seen out if it is US-CERT mailing list which for the most part

yeah

[markhahn]

obscure, poorly-defined, well-funded, with no vested constituency. what could possibly go wrong.

Wait, what... $700M?

[sigmabody]

Hold on... I work in the private sector in info sec. DHS is nominally spending $700M annually on trying to provide value for the private sector? Huh? DHS doesn't provide value for anyone, as far as I know, much less the private sector. What kind of hallucinatory BS is this?

Re:

[l0n3s0m3phr34k]

"What kind of hallucinatory BS is this?" don't know, but I'll bet that's where the $700M went. LSD isn't $4 a hit these days, even shrooms are at $15-$25 per gram. Hallucination-inducing pharmaceuticals aren't cheap.

No surprise

[gweihir]

The thing is, the task of the Department for State Security (their true designation) is not tasked with protecting any citizens or cooperations. Their task is to protect the state and its bureaucracy, by funneling billions of dollars to people with the "right" beliefs. And, as the budget numbers show, they are not failing at that at all.