


Despite Triage, US Federal Cybersecurity Still Lags Behind

An anonymous reader writes: According to the NY Times, U.S. government officials will soon announce all the improvements their IT security teams have made to federal systems in response to the OPM breach. Unfortunately, says the Times, these updates only just scratch the surface, and are more to show that the government is "doing something" than to fix the long-standing problems with how it handles security. "After neglect that has been documented in dozens of audits for nearly two decades, the federal government is still far behind its adversaries. And it is still struggling to procure the latest technological defenses or attract the kind of digital security expertise necessary to secure its networks."

It seems each agency has to be hit by a cyberattack, causing it to go into panic-mode independently, before learning to properly safeguard its systems. Officials say far too much money is wasted on figuring out who and what to blame, rather than on ameliorating the problem. "At the Internal Revenue Service, auditors identified 69 vulnerabilities in the agency's networks last year, but when officials there told Government Accountability Office auditors this year that they had fixed 24 of those problems, investigators found only 14 had been resolved."
  • by nickweller ( 4108905 ) on Sunday July 19, 2015 @05:36AM (#50138847)
    "Department of Homeland Security (DHS)/Chief Information Officer (CIO) has determined that Microsoft will be the Department-wide standard desktop operating system, e-mail system, and office automation tool." ref [dhs.gov]

    'thousands of low-level employees and contractors with access to the nation’s most sensitive secrets have been cut off.'
    • by Skapare ( 16644 )
      right out of chapter 1 of Computer Security for Dummies.
    • by ls671 ( 1122017 )

      from same ref:
      "The primary objective of the Department-wide Microsoft ELA is to ensure standardization of office automation and communication applications across IT environments at DHS." ;-)

  • by cold fjord ( 826450 ) on Sunday July 19, 2015 @05:46AM (#50138863)

    These problems were created over a period of years, exacerbated by poor and uneven budgeting, congressional pork and mandates, and red tape. The only way this could have been averted in some fashion would have been if some company had offered for sale:

    Robert Byrd Office
    Robert Byrd Antivirus
    Robert Byrd Internet
    Robert Byrd Web Proxy
    Robert Byrd Total Security

    Fixing it will likely take years.

    • Re: (Score:2, Informative)

      by drinkypoo ( 153816 )

      These problems were created over a period of years, exacerbated by poor and uneven budgeting, congressional pork and mandates, and red tape.

      Not really. These problems are caused specifically by corruption. Each department wants to hide its malfeasance from each other department, so they don't pool resources, so they reinvent the wheel repeatedly. Therefore, each organization has the chance to make the same mistakes over and over again. If our government was not corrupt from root to leaf, then we could have one office of information technology which handled all of these systems for all of these departments, and which is in a position to recogniz

  • the federal government is still far behind its adversaries

    This kind of comparison is meaningless when one side only needs to find one hole in, and the other side needs to block all possible holes. The feds have a lot of work to do.

    • by ls671 ( 1122017 )

      Not necessarily. TFS doesn't talk about how good US agencies' hackers are at breaking into the adversaries' systems. The US could have problems defending its systems and still be good at breaking into others.

      So it is the same for US when they wish to break into some system, all they have to do is find one hole. This makes all sides equal.

      A team with a poor defense and a strong offense can still win the game.

      • Yeah, well, that's the problem, to be honest. We favor offensive capabilities over defensive. When the NSA discovers critical flaws, they exploit them instead of alerting the manufacturer and patching holes. We can't have it both ways. If we want secure networks, we're going to have to rethink our priorities.

  • Some prison time for every OPM staffer involved in setting up the RFP and awarding contracts that lacked a "US citizens only" clause and that were known to have foreign contractors working on federal systems. Everyone from the first-line contract officer and PMs up to past directors should be under criminal indictment for this. That, not legislation, would make things safer.

    • by AHuxley ( 892839 )
      The US and UK have had great wins with other nations' skilled staff.
      Some insights can be seen in the 1945 to early 1950s use of German, Italian and other staff to help with cryptography.
      Induced, motivated and rewarded, they saved the US and UK years of work with ready, working solutions to French, Soviet and other nations' post-WW2 crypto.
      TICOM (Target Intelligence Committee) https://en.wikipedia.org/wiki/... [wikipedia.org]
      Operation Stella Polaris https://en.wikipedia.org/wiki/... [wikipedia.org]
      The US and UK then advanced this idea
    • Because that worked so well for the War on Drugs, yeah?

      MOAR GAOL!


  • that's not news. It would be news if the systems were even reasonably secured, if that's possible. How do you secure a system from when the proverbial cat is out the bag?
    • that's not news. It would be news if the systems were even reasonably secured, if that's possible. How do you secure a system from when the proverbial cat is out the bag?

      You close the barn door after the cows come home in case they try to go through it again.

      A common response to a successful major response is not just to try to repair the damage, but to capitalize on the moment to drive security reforms that people have been hesitant to embrace before, or that simply haven't been priorities for an organization. The capture of the OPM data was a major coup for China, but the detection and publication of the detection will be used effectively to convince thousands of employe

  • by OffTheLip ( 636691 ) on Sunday July 19, 2015 @07:21AM (#50138991)
    They have doctrine in place in the Security Technical Implementation Guide (STIG), a DISA product, but that would require DHS to exercise best practices and lessons learned levied on other branches of the government. You know, learn from others' mistakes, and improve.
    • by Anonymous Coward

      STIGs are far from a cornucopia of security. Many are self-contradictory and some go directly against best security practices. For example, STIGs require logging all fields, which only helps a hacker cover his tracks by allowing the volume of logs to overwrite the evidence of his activities before defenders can discover his actions.

      • Even if you were to have a perfect security checklist with clearly defined problems and predetermined solutions, you're still screwed. There are hundreds, if not thousands, of individual little projects, each with their own budgets, priorities, and egos. Some, like DFAS, are colossal in scale and seemingly represent intractable problems. The DoD has spent billions trying to replace that hodgepodge of systems and has gotten basically nowhere. In every case you'll find that fixing all or even most security problems

  • What do you expect? (Score:3, Informative)

    by humptheElephant ( 4055441 ) on Sunday July 19, 2015 @07:53AM (#50139063)
    After years of Congress attacking federal workers, federal workers can't have the best morale. If you want good results from your government, you should treat them better. Right now Congress makes it a self-fulfilling prophecy that government is bad, so let's drown it in the bathtub. What competent person would go to work for the government under the conditions that Congress has imposed on them in the last few years? Also, every time a new administration is voted in, the new guys put their guys in at the top of the agencies, usually based on how these guys helped win the election rather than their qualifications for the job. What could possibly go wrong?
  • If the U.S. government wants a server to be secured it is, as designed, run, used.
    The US lectured its more trusted allies from the 1950s to the 2010s about keeping their own and all shared projects very secure.
    The Soviet Union, Russia, and China did not get far when trying to look into real US networks and systems without the direct help of local staff who had turned or were deep cover.
    So the US could, can, and in the future will be able to design and run very secure networks of any size or standard when needed.

    Why the sudden pol
  • Drawing a distinction between cybersecurity in the Federal government and cybersecurity in other large organizations is meaningless. The only thing that does is make it easier for any large organization to avoid accountability for their failures.

    The US business community has been completely successful in avoiding any regulations on cybersecurity. The US Chamber of Commerce has defeated all attempts to define laws or national standards for computer business security. Instead we have some Presidential decree

    • by AHuxley ( 892839 )
      Re "So what is necessary to address the problem?"
      A strong compartmentalized, air gapped database that has real human oversight? The US can make and run that for every agency, department and project it needs to over decades.
      They don't leak by design. Nobody networks out with plain text anything. Every access internally is logged. There is no external access.
      It seems the US wanted a database, networked and usable. Who would want such a networked database?
      If you need a contractor with skills and
    • by gmhowell ( 26755 )

      Without knowing the GS/contractor divide at OPM, it's hard to say who is ultimately to blame. If OPM gave carte blanche to the contractor, the latter is generally the one at fault. If the government micromanaged the contract and ignored suggestions, the blame is back with them.

  • by ka9dgx ( 72702 ) on Sunday July 19, 2015 @10:26AM (#50139537) Homepage Journal

    The information processing need to handle both classified and top secret data in the same computer system in order to direct air traffic for the Vietnam war resulted in honest-to-goodness multilevel secure systems in the early 1970s. The Rainbow books tell you how it's done.

    The reason we're all mired in shit these days is that nobody believed multilevel security was something normal computers used. Unix was named as a joke to mock Multics, which aspired to have multi-level security (and did in the end, if I recall correctly).

    If your OS doesn't ask for a list of resources to use to execute a program, it isn't secure. MacOS, Linux, Windows don't... the only thing I know of coming down the pike is the Genode project from Germany.

  • There is some information that really shouldn't be on "live" storage until there is a specific request, and once it is "made live" it should be purged after a reasonable period of time if it isn't still being accessed.

    For example, the feds could keep most records of former employees and very-sensitive records of current employees "offline" unless there is a specific need to have that record immediately available. If an employee or government agency needs immediate access to a routine, not-very-sensitive recor
