
Report: US Government Worse Than All Major Industries On Cyber Security (reuters.com)

schwit1 quotes a report from Reuters: U.S. federal, state and local government agencies rank in last place in cyber security when compared against 17 major private industries, including transportation, retail and healthcare, according to a new report released Thursday. The analysis, from venture-backed security risk benchmarking startup SecurityScorecard, measured the relative security health of government and industries across 10 categories, including vulnerability to malware infections, exposure rates of passwords and susceptibility to social engineering, such as an employee using corporate account information on a public social network. Education, telecommunications and pharmaceutical industries also ranked low, the report found. Information services, construction, food and technology were among the top performers. And we are supposed to trust them with healthcare? This report comes after President Obama recently unveiled a commission of private, public and academic experts to bolster the U.S. cyber security sector.
  • The line

    And we are supposed to trust them with healthcare?

    Is beyond absurd. Anyone who read the slightest bit of the Affordable Care Act knows that it does not put government in charge of health care. In fact, it did almost exactly the opposite of that and gave the insurance industry - which was already disgustingly powerful - even more power. The only function of healthcare.gov is to connect the (now obligate) consumer with a company who will sell them a policy.

    In other words the ACA is a license for the health insurance industry to print money. They quite nearly had it before, but now it has been fully formalized.

    • Seriously.

      Their security is so lax that if you CAN'T get at something, it's a mistake.

      But they want us to trust them with ANYTHING and EVERYTHING?

      Fuck that noise!

    • http://blog.chron.com/txpotoma... [chron.com] that picture says it all
    • by DarkOx ( 621550 )

      All that may be true but it does not alter the fact the government has had a great deal of new personal information placed in its hands thru operation of the exchanges and thru information sharing between insurers and the IRS.

      While I think there are stronger criticisms to be made, the argument about information risk it poses is a perfectly valid one.

    • by dcw3 ( 649211 )

      So, what does the CCIIO do if they're not in charge?

      https://www.cms.gov/cciio/ [cms.gov]

  • by Anonymous Coward

    She had an industry expert set up her server in her bathroom.

    • by Tablizer ( 95088 )

      She had an industry expert set up her server in her bathroom

      So it might literally crap out?

      • There was a reason she installed the super flush kind of toilet, and it wasn't just to clean those tenacious skid marks either.

  • ... And I'm not talking about writing large checks to companies that want to sell you something. They don't have your best interests at heart.

    The issue is that anytime Joe Q Public hears of government employees making 6 figures he goes ballistic. He does this without any thinking or research about what a comparative job in the private sector pays.

    People work in infosec in govt long enough to be attractive to $BigGovtContrator and then bail, get the real salary from the contractor and cash in. That's the game. There's probably a few honest folks who are trying to make things better, but they'll be undercut by the ones trying to give big sweet contracts to $BigGovtContractor in order to pad their parachute.

    If we want govt to be effective we have to stop losing our pressure valve because someone working for the government is making more then we do.

    And this is pretty much without respect to which country we're talking about. I'm not American but I work in infosec and I won't take a govt job here either. Tried it for like 6 months, saw the game and ran for private sector (no, not for $BigGovtContractor).

    I know, not what you want to hear, and I expect to get modded down, but sometimes the truth hurts :)

    Min

    • The issue is that anytime Joe Q Public hears of government employees making 6 figures he goes ballistic

      Government employees can make 6 figures. The problem is the law that says that no one in the federal government (other than POTUS/VPOTUS/Justices) can be paid more than a Congressman. And they capped their salaries at the low 6 figures.

      • Citation please. And I ask as a govt employee who has a salary higher than any Congressman other than the Speaker of the House.

        They have staff allowances, expense accounts and benefits that aren't available to others, but salary alone...

        Top career officials at an agency like FDIC have a max salary of $260k. Congressman are paid $174k according to Wikipedia.

        • Citation please

          5 U.S.C. 5303(f) [cornell.edu] Limits base compensation to Level 5 ($148,700). Additional compensatory payments (locale based adjustments, etc.) may raise total pay to Level 1, what cabinet members make ($203,700) which falls between the Majority Leader's pay and the Speaker's pay

          FDIC is a strange organization. They receive no money from Congress, and are therefore exempt from the rules on max payments.

      • by chihowa ( 366380 )

        The highest paying gov't job on the first page of USAJOBS [usajobs.gov] results was $300k, which I wouldn't call "low six figures". I work with several people who make more than Congressmen and my own salary is approaching that.

    • I won't argue that salaries don't have an impact, but I think there are bigger money problems. Namely that security is literally always the last consideration before a system is brought online. As a result security ends up becoming more about justifying leaving vulnerabilities open than fixing them. Fixing known security holes often involves changing the way a system actually functions and plenty of risk for lengthy down times and outages when things don't go smoothly. Better funding can mitigate a lot of t

  • This is a good time to be in government IT. I'm finishing my second year in my current job as a security remediation technician, getting paid holidays, 20 Paid Time Off (PTO) days, and a decent benefit package (401K/health/dental/vision), and the prime contract is fully funded for another three years. As the recruiter told me, once you start working for the government, you're in for life. Most of my coworkers are ex-military and been here for 10+ years. Alas, the downside is that I could be making 40% more
    • by birukun ( 145245 )

      In my case, I am a contractor ready to bail because my government sponsor, who is in a big role in a branch of military cybersecurity, is not motivated nor interested in anything that might take effort. Gotta protect his funding line and rice bowl.......

      The lack of leadership combined with the bureaucracy has made me lose any faith that things will improve. I work with some people every now and then that are awesome, dedicated and motivated, but like me, they get tired of 'the fight' and take a job outsid

  • AstroTurf (Score:5, Interesting)

    by Frosty Piss ( 770223 ) * on Thursday April 14, 2016 @09:03PM (#51912727)

    I always look at "reports" like these with a very skeptical eye because usually they have been produced for some company looking for a contract. As a 20 year DoD employee, I can tell you that neither my SIPRNET nor NIPRNET has been owned by anyone. Except the Chinese, but that's normal, right?

    • by alexhs ( 877055 )

      Except the Chinese, but that's normal, right?

      If the Russians and Israelis don't also own these systems, it surely isn't normal?

      However, it might be normal that you didn't notice the Russians :)
      However, the Israeli Reality Distortion Field might have convinced you that their access to these systems was legit as if they were part of the Five Eyes :)

    • There are numerous government agencies each with their own enclave with no two run the same. Some are better than others.....
  • The heads of healthcare.gov, IRS and OPM KNEW they had ongoing hacks and did nothing. Has anyone gone to jail or been heavily fined or lost their pension? There are no consequences to failing in government.
    • There are no consequences to failing in government.

      That may be true for political appointees and their cronies, but not for the typical government worker. The agency I worked for hired several IT workers who thought this was a "gubermint" job, did nothing when they reported to work, and were shocked to discover themselves unemployed in short order. Most of my coworkers are ex-military folks with zero tolerance for slackers.

      • by gweihir ( 88907 )

        Worker-bees are not the real problem. But there is only so much that worker-bees can do to keep the whole functioning and they are failing.

    • by gweihir ( 88907 )

      A failing administration usually turns into a pork-barrel for all involved as one of the later steps. That has already happened in the US. Next steps: full-blown police state, fascism, economic collapse, dark age, slow rebuilding. Maybe throw in a nuclear war to make things even worse.

  • against cyber security attacks, as opposed to perpetrating them.

    I wasn't sure at first.

  • Report: US Government Worse Than All Major Industries On [literally anything done by private industry]

  • They should put their email on a private server.

  • by Sir Holo ( 531007 ) on Thursday April 14, 2016 @11:11PM (#51913145)

    FT-Summary: And we are supposed to trust them with healthcare?

    The largest data-breach in American history was of Anthem(TM), a private health-insurance company.

    • So then perhaps one might conclude it better to not have insurance at all and pay for everything in cash? If we can't trust the government, or the insurance companies, then perhaps it's best to leave these middlemen out.

      I'm not saying hospitals have never had a data breach but at least I'd minimize the number of places that my data can be stolen from. It also makes the attacks much harder. Instead of attacking a big insurance company, or a government agency, the people that want health records would have

    • The largest data-breach in American history

      I'm not disputing this, but how are you measuring the "size" of the breach? Productivity lost? Highest profile? The total number of individuals affected? Or is a breach bigger if slightly fewer people are affected but in a more substantial way? I can think of many ways that the Sony breach was bigger, or the Snowden leaks, or the recently disclosed Panama Papers (though not "American").

      • The largest data-breach in American history

        I'm not disputing this, but how are you measuring the "size" of the breach? Productivity lost? Highest profile? The total number of individuals affected? Or is a breach bigger if slightly fewer people are affected but in a more substantial way? I can think of many ways that the Sony breach was bigger, or the Snowden leaks, or the recently disclosed Panama Papers (though not "American").

        Number of people affected, each of which could have had the entirety of their medical records copied.

        Last I heard, it was traced back to Chinese hackers, who wanted to find out how the US had such a great – *cough* – healthcare system.

  • The Reuters article has a link to the actual report:
    http://info.securityscorecard.... [securityscorecard.com]

    They have a form to fill out and they send a link to your email address for the download. No biggie there, we all have many addresses.
    But they also demand your phone number. I'm not giving anyone my real phone number, wtf, and why would they even ask?

    They haven't yet sent me a link.
    Anyone seen the report? I'm curious to know what was their criteria for ranking. And, considering that unauthorized penetration testing is kind

    • by clovis ( 4684 )

      The Reuters article has a link to the actual report:
      http://info.securityscorecard.... [securityscorecard.com]

      They have a form to fill out and they send a link to your email address for the download. No biggie there, we all have many addresses.
      But they also demand your phone number. I'm not giving anyone my real phone number, wtf, and why would they even ask?

      They haven't yet sent me a link.
      Anyone seen the report? I'm curious to know what was their criteria for ranking. And, considering that unauthorized penetration testing is kind of a no-no, I'm even more curious as to how they obtained their data.

      I poked around on their web site and stumbled across a scroll-up window link that downloaded the file directly, although the link did not say that.
      http://blog.securityscorecard.... [securityscorecard.com]

      Some of their criteria makes sense:
      "SecurityScorecard identifies potential vulnerabilities in network security by identifying open ports and examining whether or not an organization uses best practices such as staying up-to-date with current protocols, or securing network endpoints to ensure external access to internal systems are
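The criterion quoted above (open ports plus whether current protocols are in use) can be turned into a small benchmarking routine of the kind an organisation might run against its own external footprint. The code below is an added illustration written for this page, not SecurityScorecard's methodology or code: the host names, the set of "risky" ports, the deprecated protocol list and the penalty weights are all assumptions, and the observations are constructed sample data rather than the output of any scan.

```python
"""Toy external-posture scorer (added illustration, not SecurityScorecard's method).

Turns constructed observations about an organisation's Internet-facing hosts
(open ports, TLS protocol versions a host accepts) into a 0-100 score and a
letter grade, in the spirit of the criteria quoted in the comment above.
Port sets, protocol list and weights are assumptions for this example.
"""
from dataclasses import dataclass, field

# Services that are rarely legitimate to expose directly to the Internet.
# Assumed list and penalty weights, chosen for the illustration only.
RISKY_PORTS = {
    21: ("ftp", 5),
    23: ("telnet", 10),
    445: ("smb", 10),
    3389: ("rdp", 8),
    3306: ("mysql", 6),
    5900: ("vnc", 8),
}

# Protocol versions that are no longer current; penalty weights are assumed.
DEPRECATED_TLS = {"SSLv3": 10, "TLSv1.0": 5, "TLSv1.1": 3}


@dataclass
class HostObservation:
    host: str
    open_ports: list
    tls_versions: list = field(default_factory=list)


def score_host(obs):
    """Return (penalty, findings) for one host's observations."""
    penalty = 0
    findings = []
    for port in obs.open_ports:
        if port in RISKY_PORTS:
            name, weight = RISKY_PORTS[port]
            penalty += weight
            findings.append(f"{obs.host}: {name}/{port} reachable externally")
    for ver in obs.tls_versions:
        if ver in DEPRECATED_TLS:
            penalty += DEPRECATED_TLS[ver]
            findings.append(f"{obs.host}: still accepts {ver}")
    return penalty, findings


def score_org(observations):
    """Aggregate per-host penalties into a score and a letter grade."""
    total = 0
    findings = []
    for obs in observations:
        penalty, host_findings = score_host(obs)
        total += penalty
        findings.extend(host_findings)
    score = max(0, 100 - total)
    if score >= 90:
        grade = "A"
    elif score >= 80:
        grade = "B"
    elif score >= 70:
        grade = "C"
    elif score >= 60:
        grade = "D"
    else:
        grade = "F"
    return {"score": score, "grade": grade, "findings": findings}


# Constructed sample: one well-kept host and one legacy host.
SAMPLE = [
    HostObservation("www.example.test", [80, 443], ["TLSv1.2", "TLSv1.3"]),
    HostObservation("legacy.example.test", [23, 443, 3389], ["TLSv1.0", "TLSv1.2"]),
]

if __name__ == "__main__":
    result = score_org(SAMPLE)
    print(f"score={result['score']} grade={result['grade']}")
    for line in result["findings"]:
        print(" -", line)
```

Run as a script it grades the constructed sample "C" (score 77): the legacy host alone contributes Telnet, RDP and TLS 1.0 findings. A real benchmark would feed the scorer from an inventory or authorised scan of the organisation's own address space and tune the weights to its policy; the point of the example is only that the quoted criteria reduce to observable facts that can be scored consistently.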

  • Aren't private entities more likely to keep data breaches quiet if they can, to avoid reputational damage or frightening the stockholders? They don't have to follow the same disclosure rules as the Government if personal data isn't involved and aren't necessarily subject to the same FoI laws.

  • If they get them, does anybody seriously believe the keys to those backdoors will not be in the hands of state-sponsored and other hackers very soon after?

  • Compared to "all major industries", or indeed anyone who has skin in the game, government departments have very little at stake in the matter of computer security. I would be interested to see a list of all individual government employees and contractors who have been severely punished for failing to make IT systems secure. (Except that if such a list exists, it is almost certainly "Top Secret"). In really serious cases, the government tends to punish taxpayers by pretending to fine itself.

  • They look more at encrypting things...
  • >> And we are supposed to trust them with healthcare?

    I wouldn't look at cybersecurity as a guide, but I would check how the government's doing with the Veteran's Administration (VA hospitals, etc.) as a guide to what future health care might look like.
  • This is a natural outcome when you're forced to nearly always choose from among the lowest bidders. The other is that there's never been a real budget (and thus push) to upgrade their systems. I'm reading a lot of comments in this post about the ACA...doesn't anyone remember that half of the problem with healthcare.gov's launch issues was because they were trying to tie together multiple, severely old systems? Is it any surprise that a 3 decade+ old system wasn't written with modern infosec practices in mi
  • We should be commending the US Government, who is leading by example, practicing what they preach, that everything should be less secure. The poorly named "intelligence" community regularly complains that everything must be made insecure. The growing number of secure software systems has a name. It's called "going dark". The government needs to ensure that things do not go dark. Therefore insecure systems should be preferred over secure systems.

    You can't have it both ways. It's a binary choice. Sy
  • And what financial stake do they have in this?

    mark

  • This is obviously false. The US Gubmint is vast sprawling collection of agencies. Some parts of it have bad security. Other parts have very, very good security.

  • What's the incentive for federal, state, or local politicians & employees to make their systems secure?

    For someone in the private sector, there are incentives at all levels of the corporate hierarchy.

    If your job description is security, a significant or catastrophic breach could lead to unemployment. If you're in management and your responsibilities include getting good security people hired and supplied with the tools they need, that breach could lead to unemployment. Top executives whose compensat
