Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Government Security

The State Department and 3 Other US Agencies Earn a D For Cybersecurity (arstechnica.com) 43

An anonymous reader quotes a report from Ars Technica: Cybersecurity at eight federal agencies is so poor that four of them earned grades of D, three got Cs, and only one received a B in a report issued Tuesday by a US Senate Committee. "It is clear that the data entrusted to these eight key agencies remains at risk," the 47-page report stated. "As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable."

The report, issued by the Senate Committee on Homeland Security and Governmental Affairs, comes two years after a separate report found systemic failures by the same eight federal agencies in complying with federal cybersecurity standards. The earlier report (PDF) found that during the decade spanning 2008 to 2018, the agencies failed to properly protect personally identifiable information, maintain a list of all hardware and software used on agency networks, and install vendor-supplied security patches in a timely manner. The 2019 report also highlighted that the agencies were operating legacy systems that were costly to maintain and hard to secure. All eight agencies -- including the Social Security Administration and the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education -- failed to protect sensitive information they stored or maintained.

Tuesday's report, titled Federal Cybersecurity: America's Data Still at Risk, analyzed security practices by the same agencies for 2020. It found that only one agency had earned a grade of B for its cybersecurity practices last year. "What this report finds is stark," the authors wrote. "Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. Seven agencies made minimal improvements, and only DHS managed to employ an effective cybersecurity regime for 2020. As such, this report finds that these seven Federal agencies still have not met the basic cybersecurity standards necessary to protect America's sensitive data." State Department systems, the auditors found, frequently operated without the required authorizations, ran software (including Microsoft Windows) that was no longer supported, and failed to install security patches in a timely manner. The department's user management system came under particular criticism because officials couldn't provide documentation of user access agreements for 60 percent of sample employees that had access to the department's classified network.
"This network contains data which if disclosed to an unauthorized person could cause 'grave damage' to national security," the auditors write. "Perhaps more troubling, State failed to shut off thousands of accounts after extended periods of inactivity on both its classified and sensitive but unclassified networks. According to the Inspector General, some accounts remained active as long as 152 days after employees quit, retired, or were fired. Former employees or hackers could use those unexpired credentials to gain access to State's sensitive and classified information, while appearing to be an authorized user. The Inspector General warned that without resolving issues in this category, 'the risk of unauthorized access is significantly increased.'"

Ars Technica adds that the Social Security Administration "suffered many of the same shortcomings, including a lack of authorization for many systems, use of unsupported systems, failure to Compile an Accurate and Comprehensive IT Asset Inventory, and Failure to Provide for the Adequate Protection of PII."
This discussion has been archived. No new comments can be posted.

The State Department and 3 Other US Agencies Earn a D For Cybersecurity

Comments Filter:
  • by t0qer ( 230538 ) on Wednesday August 04, 2021 @10:52PM (#61657833) Homepage Journal

    Reading the article some of the things they're doing would mean an IT director would be ousted at the DoD. I can say that the security there was very good, and it forced me to get my first certificate (Security+) Pretty much all IT staff at a minimum have to have it within 6 months of their date of hire, or they get ejected. All of these agencies have the basics to be good (PIV smartcard systems, tons of money)

    I will say the agency I'm currently with (VA) is much more laxed than the DoD. The Doctors are spoiled brats, and if they don't get their way they'll call the hospital director, who will call your area manager, and basically shit will roll downhill. At the DoD if someone didn't get their mandatory training done, their PIV was turned off. for most windows access. They could come to the NEC and complete said training. VA that is completely tossed out the window. Fuck it, better to just clear the disable code out and re-enable before the doctor or student starts bitching.

    I'd imagine it's much of the same at these other agencies, but just not as scrutinized as the DoD. Some director somewhere basically screaming at IT to "JUST MAKE IT WORK, I DON'T CARE" and it's done. No POAM, nothing.

    Maybe if these other agencies had penalties as stiff as the DoD (Ranging from an area manager being ousted to jail time in Leavenworth) maybe they would take their cyber seriously. Until some examples are made, this is nothing more than farts in the wind and will likely to continue ad infinium.

    • To be fair the VA is dealing with 'confidential' data that is personal rather than important to the US government, so unless the VA data indicates the vet had been in a country doing things that the US never admitted to doing, it's less important. Or Area 53 staff?!

    • Gotta love how Federal agencies aren't following Federal rules. Sounds to me like you're saying the VA might not even be HIPAA compliant.

      Heads should roll over this, and I hope the right ones do. I work for a real estate company, and it seems I'm under far more pressure to maintain compliance than some of our most sensitive Federal agencies.

      And you know it isn't the area managers who are at fault here. This is because of failures much further up the chain. Like, Assistant Deputy Directors or entre

  • by hey! ( 33014 ) on Wednesday August 04, 2021 @11:20PM (#61657913) Homepage Journal

    "D" is usually the lowest *passing* grade.

  • He'll never pay up, he'll never even admit he's wrong, but I think he will read this and know.

  • Are the salaries in the public sector high enough to attract really competent staff? Are they political appointees - could be given their wage rate - in which case the explanation is there...

    Does Congress have the will to embarrass its party's appointees? Will it summons the secretaries of these departments and give them a good kicking? Is the budget sufficient to address these issues? Starting an impeachment process aimed at the assistant secretary of state responsible (yes, I know they'll have moved on, b

    • Are the salaries in the public sector high enough to attract really competent staff?

      It depends on what a person wants for a lifestyle. Salaries are not has high in the private sector, but are decent and offer generous benefits, vacation time you can actually use, a lack of death marches to get code out, laws against unpaid overtime, and a real retirement with benefits. In addition, the chances of you getting a 2 weeks notice because your job has been outsourced or your company bought are virtually nil. It's a tradeoff that depends on the lifestyle you want. If a position warrants it they

      • by ltrand ( 933535 )
        Well, you do have government shutdowns that could prevent you from getting a paycheck. And being in the DC area, it is hard to convince younger people to take federal pay given housing prices. It's not about wanting to afford a Porsche and a McMansion, but it would be nice to be able to live without needing 2 incomes. And is why I'm a consultant and not a fed employee. A retirement fund is nice, but given they are going after the DoD pension, I expect the civilian pensions to have numbered days.

        A GS-
        • Well, you do have government shutdowns that could prevent you from getting a paycheck. And being in the DC area, it is hard to convince younger people to take federal pay given housing prices. It's not about wanting to afford a Porsche and a McMansion, but it would be nice to be able to live without needing 2 incomes. And is why I'm a consultant and not a fed employee. A retirement fund is nice, but given they are going after the DoD pension, I expect the civilian pensions to have numbered days. A GS-15, the top non-executive pay band, caps at 172k in the DC area. That sounds awesome until you realize that IT engineers can get more than that as a contractor. And the average DC house price is 700k. So yeah, the people that came here in the 90's are doing well, and the younger people are struggling. The government is addicted to contracting in IT. But they manage it terribly. Partly why there is a push to go to the cloud, it shifts the blame.

          Yea ,shutdowns are crazy. TSA should have closed DCA / BWI / IAD so no elected official could leave town easily. Enjoy holidays alone in DC.

          DC is expensive. A lot of feds commute in from surrounding areas, often with the various regional rail systems to the Metro. Still, that can ad an hour or more to your commute each way, but you get a DC salary at Baltimore or lower prices.

          • by ltrand ( 933535 )
            Howard and Montgomery are not that much cheaper. Personally, being a recent transplant, I'd take great umbrage with designing and managing some of the most important IT systems in the country and only being able to afford a 70's starter home an hour away in a bankrupt suburb where the schools are no better than those in the midwest. Meanwhile having to drive a Ford Focus while the consultants that we magically have the budget to pay huge salaries drive Porsches and go to some of the best schools in the wo
    • by endus ( 698588 ) on Thursday August 05, 2021 @10:34AM (#61659219)

      Salaries are one thing, actually firing people for a lack of performance is another. You can pay as much as you want but if you're not getting rid of people who suck at their jobs you are not going to get anywhere. Tough ask in a government agency.

  • Bug bounties. They won't go for it because they're run by retards with very little skin in the game.
    • by DarkOx ( 621550 )

      The DOD actually did a significant bug bounty program a while back. I am going to disagree though with this being a good idea. The government is a little different animal than some e-tail site.

      A public bug bounty would provide a lot of noise cover for very dangerous threat actors to hide their active recon activities in. I Think the better path here would be for government to hoover up all it can on methods, practices, and IOCs from the commercial world, tune up its IDS sensors and knock on the doors of ne

  • by jd ( 1658 ) <`imipak' `at' `yahoo.com'> on Thursday August 05, 2021 @07:12AM (#61658567) Homepage Journal

    This is insanely easy but it requires managers to do more and it limits what managers can do. Which is why they won't do it.

    Step 1: Don't place mission-critical systems on the public Internet. This includes all SCADA hardware.

    Step 2: Implement firewall rules to exclude anything you don't absolutely need. Ideally, require outside users to go through proxies in the DMZ and don't allow any direct visibility into or out of the network. If you can, use AIDA, Snort or some other NIDS to alter firewall rules if an attack is detected.

    Step 3: Secure systems as outlined by the Orange Book (so utilize SELinux and RBACS on Linux, for example) and related. Disable Bluetooth and all USB ports. All LAN traffic should be encrypted. Never, ever use rhosts and use public keys rather than passwords over networks where possible.

    Step 4: Follow recommendations by security advisory software such as SARA (a systems checker) or Nessus (a remote vulnerability scanner).

    Step 5: Avoid privilege escalation by limiting the privileges software has access to. Use Linux Capabilities to disable any features not in use anywhere and CGroups to disable features unless specifically needed by that group.

    Step 6: In-house software should follow CERT guidelines for secure C, C++ and Java code, should be written as per NASA's Power of Ten guidelines and should be properly tested. If it's C or C++, Valgrind and DMalloc/Electric Fence are your friends. If it's critical, write the tests first as per test-driven development.

    So you're basically running a bunch of scripts and applying some style guides. Hardly rocket science.

  • I remember when the State Dept had some self-entitled Karen hosting her email on her own private server... with some top secret shit in it. A while after the world found out about it, her IT guy was mysteriously shot dead.

    Stuff like that is the reason why they should have an "F" grade until they fix their shit. I have been in places that are "eyes only" and air-gapped. And IMHO that is what high-level stuff should be.

    • Ironically, that Karen was right, because her server did not get hacked, but the State Dept did get hacked.

  • This represents a serious threat to National Security. There are legal requirements these agencies are failing to meet. Not one penny should be spent on "diversity" training until the security training requirements are met. They should not even consider spending one penny on contractors to tell staff how racist they are until they have hired as many IT people as needed to bring the agencies up to compliance.

    This problem exists because high-ranking bureaucrats prioritized their personal political prefe

  • What's the problem? Everyone knows that a D is good enough for government work.

  • ..to follow government rules, dress codes and take drug tests

  • Hrm.. let me see, I've got my surprised look around here somewhere.. Oh, here it is...*gasp!*

    I believe this may have to do with the chaos and turmoil that was churned up in the last sets of turnover from administrations. You can't run these things like a business, because those get compromised by semi-state sponsored hacking groups. These things have to be run by dedicated professionals, who are immunized against political upheaval. When they aren't, your armor cracks and the enemy gets inside.

    Don't mis

  • They are not going to fix it. The money spent on these studies would be better put to use implementing security. The State Department and others have already been hacked multiple times and they have still done nothing. Are their IT departments all hires from Russia and China? Assume all our national secrets are already compromised and publish them all. Most secrets are stupid anyway, there is very little that actually would make a difference if released publicly. I suspect the basic cause of this is t

Let's organize this thing and take all the fun out of it.

Working...