Despite Triage, US Federal Cybersecurity Still Lags Behind
An anonymous reader writes: According to the NY Times, U.S. government officials will soon announce all the improvements their IT security teams have made to federal systems in response to the OPM breach. Unfortunately, says the Times, these updates only just scratch the surface, and are more to show that the government is "doing something" than to fix the long-standing problems with how it handles security. "After neglect that has been documented in dozens of audits for nearly two decades, the federal government is still far behind its adversaries. And it is still struggling to procure the latest technological defenses or attract the kind of digital security expertise necessary to secure its networks."
It seems each agency has to be hit by a cyberattack, causing it to go into panic-mode independently, before learning to properly safeguard its systems. Officials say far too much money is wasted on figuring out who and what to blame, rather than on ameliorating the problem. "At the Internal Revenue Service, auditors identified 69 vulnerabilities in the agency's networks last year, but when officials there told Government Accountability Office auditors this year that they had fixed 24 of those problems, investigators found only 14 had been resolved."
The root of the problem .. (Score:4, Informative)
--
'thousands of low-level employees and contractors with access to the nation’s most sensitive secrets have been cut off.'
Re: (Score:2)
Re: (Score:3)
from same ref: ;-)
"The primary objective of the Department-wide Microsoft ELA is to ensure standardization of office automation and communication applications across IT environments at DHS."
Re: (Score:1)
Right - Less diversity is the key to information security. Let's make all the targets uniform and have all the people of the same mindset. Go troll somewhere else.
Re: (Score:2)
If diversity is rated as a qualification higher than training, abilities and skills, it not only can be, but likely would be the problem.
Diversity is great when it happens naturally due to qualifications for the job itself. It likely becomes one of the strongest positions to administer from. It is a liability when it is done irrespective of qualifications and to some political motivation. It also breeds contempt and disrespect for those under qualified which tend to be associated with their overriding qua
No surprise at the lag (Score:3)
These problems were created over a period of years, exacerbated by poor and uneven budgeting, congressional pork and mandates, and red tape. The only way this could have been averted in some fashion would have been if some company had offered for sale:
Robert Byrd Office
Robert Byrd Antivirus
Robert Byrd Internet
Robert Byrd Web Proxy
Robert Byrd Total Security
Fixing it will likely take years.
Re: (Score:2, Informative)
These problems were created over a period of years, exacerbated by poor and uneven budgeting, congressional pork and mandates, and red tape.
Not really. These problems are caused specifically by corruption. Each department wants to hide its malfeasance from each other department, so they don't pool resources, so they reinvent the wheel repeatedly. Therefore, each organization has the chance to make the same mistakes over and over again. If our government was not corrupt from root to leaf, then we could have one office of information technology which handled all of these systems for all of these departments, and which is in a position to recogniz
behind? (Score:2)
the federal government is still far behind its adversaries
this kind of comparison is meaningless when one side only needs to find one hole in and the other side needs to block all possible holes. the feds have a lot of work to do.
Re: (Score:2)
Not necessarily, TFS doesn't talk about how good US agencies' hackers are at breaking into the adversary systems. US could have problems defending its systems and still be good in breaking into others.
So it is the same for US when they wish to break into some system, all they have to do is find one hole. This makes all sides equal.
A team with a poor defensive and a strong offensive can still win the game.
Re: (Score:2)
Yeah, well, that's the problem, to be honest. We favor offensive capabilities over defensive. When the NSA discovers critical flaws, they exploit them instead of alerting the manufacturer and patching holes. We can't have it both ways. If we want secure networks, we're going to have to rethink our priorities.
Re: (Score:1)
Re: (Score:2)
Some insights can be seen with the 1945-early 1950's use of German, Italian and other staff to help with cryptography.
Induced, motivated and rewarded they saved the US and UK years of work with ready, working solutions to French, Soviet and other nations post ww2 crypto.
TICOM (Target Intelligence Committee) https://en.wikipedia.org/wiki/... [wikipedia.org]
Operation Stella Polaris https://en.wikipedia.org/wiki/... [wikipedia.org]
The US and UK then advanced this idea
Re: (Score:2)
Because that worked so well for the War on Drugs, yeah?
MOAR GAOL!
Jesus.
At this point (Score:2)
Cat out of the bag (Score:3)
that's not news. It would be news if the systems were even reasonably secured, if that's possible. How do you secure a system from when the proverbial cat is out the bag?
You close the barn door after the cows come home in case they try to go through it again.
A common response to a successful major response is not just to try to repair the damage, but to capitalize on the moment to drive security reforms that people have been hesitant to embrace before, or that simply haven't been priorities for an organization. The capture of the OPM data was a major coup for China, but the detection and publication of the detection will be used effectively to convince thousands of employe
DISA STIG (Score:3)
Re: DISA STIG (Score:1)
STIGs are far from a cornucopia of security. Many are self-contradictory and some go directly against best security practices. For example, STIGs require logging all fields, which only helps a hacker cover his tracks by allowing the volume of logs to overwrite the evidence of his activities before defenders can discover his actions.
Re: (Score:3)
Even if you were to have a perfect security checklist with clearly defined problems and predetermined solutions, you're still screwed. There are hundreds, if not thousands, of individual little projects each with their own budgets, priorities, and egos. Some like DFAS are colossal in scale and seemingly represent intractable problems. The DoD has spent billions trying to replace that hodgepodge of systems and has gotten basically nowhere. In every case you'll find that fixing all or even most security problems
What do you expect? (Score:3, Informative)
Welcome to the big honeypot (Score:1)
The US lectured its more trusted allies in the 1950-2010's about keeping their own and all shared projects very secure.
The Soviet Union, Russia, China did not get far when trying to look into real US networks, systems without the direct help of local staff who had turned or were deep cover.
So the US could, can and in the future can design and run very secure networks of any size or standard when needed.
Why the sudden pol
The problem is systemic (Score:2)
The US business community has been completely successful in avoiding any regulations on cybersecurity. The US Chamber of Commerce has defeated all attempts to define laws or national standards for computer business security. Instead we have some Presidential decree
Re: (Score:2)
A strong compartmentalized, air gapped database that has real human oversight? The US can make and run that for every agency, department and project it needs to over decades.
They don't leak by design. Nobody networks out with plain text anything. Every access internally is logged. There is no external access.
It seems the US wanted a database, networked and usable. Who would want such a networked database?
If you need a contractor with skills and
Re: (Score:2)
Without knowing the GS/contractor divide at OPM, it's hard to say who is ultimately to blame. If OPM gave carte blanche to the contractor, the latter is generally the one at fault. If the government micromanaged the contract and ignored suggestions, the blame is back with them.
Re: (Score:2)
Vendors cannot be held responsible for stupid (or non-existent) engineering and policy.
The technical problem was solved 40 years ago (Score:4, Insightful)
The information processing need to handle both classified and top secret data in the same computer system in order to direct air traffic for the Vietnam war resulted in honest-to-goodness multilevel secure systems in the early 1970s. The Rainbow books tell you how it's done.
The reason we're all mired in shit these days is that nobody believed multilevel security was something normal computers used. Unix was named as a joke to mock Multics, which aspired to have multi-level security (and did in the end, if I recall correctly).
If your OS doesn't ask for a list of resources to use to execute a program, it isn't secure. MacOS, Linux, Windows don't... the only thing I know of coming down the pike is the Genode project from Germany.
Put some information into offline storage (Score:1)
There is some information that really shouldn't be on "live" storage until there is a specific request, and once it is "made live" it should be purged after a reasonable period of time if it isn't still being accessed.
For example, the feds could keep most records of former employees and very-sensitive records of current employees "offline" unless there is a specific need to have that record immediately available. If an employee or government agency needs immediate access to a routine, not-very-sensitive recor