U.S. Govt STILL Vulnerable

[tonybradley]

They charged that instead of working at breakneck ``Internet time,'' the four key agencies charged with researching new technologies to combat cyber attacks are stuck in the glacial world of ``government time,'' still crafting memorandums of understanding to allow collaboration on projects.

Article

This is a serious problem IMO. Even major companies sometimes have too much red tape and beauracracy to allow for efficient research, testing and implementation of new security techniques and technology.

But, after 20 months the government continues to lag critically behind and the GAO issues failing marks in cyber security for many government agencies while the groups who are supposed to secure those systems form a committe to think about starting to develop a questionaire to survey affected parties about possibly forming a team to decide on who should participate in any committee that might be formed to think about making a decision.

The government needs to enlist outside support from the public sector companies that do this crap for a living and basically give them carte blanche to make it happen.

[AciDriveHB]

Yes but if they contract outside the goverment, then they might be putting people out of jobs (hard to believe with our goverment) or it might a bigger expense to contract out than to stay "inhouse". Plus maybe they just like having that sort of control over internal projects that they could not with outside help.

Also a thought might be that contracting out might be a big security risk. Maybe they don't want someone to come in and setup the goverment servers or something because there would be information on it that would be like a "need to know" type of thing.

Or maybe they are just too stupid to think that, or too caught up in the paperwork to deal with it.

Just my oppinion though to raise some questions. Very good point and something that I think would be a nice debate to hear.

[bugsthecat]

they seem to be pretty good at shooting themselves in the foot don't they , but what do you expect. DARPA cut all their funding for open BSD because of politics

[THEJRC]

such is life, but in a lot of cases funding is strictly overneeded or overused by inflated salaries and poor planning....

then again if you look at your local police departments computer crimes units you may find that they are doing quite well with theyre budgets regardless of the fact that the equipment is far from being par and the actual officers are just that.... officers and not IT people (most units require several years of enlistment as an officer before being moved).

so we've got highly trained and specialized government agents blowing budgets and thinking in the stone age while your standard police department has beat cops working hard to figure it out..... scary if you ask me.... but the truth is I've worked and consulted for both and found that your lesser financed and equipped police units are much better at the job simply due to the fact that they want to do the job....

in either respect, changes NEED to be made! else we get to watch our federal IT shops go the route of our local dotbomb's. The root of the problem doesnt lie in the technical end though, and naturally most technically oriented guru's are very very poor at politics and communnication.... and there lies our problem.

[catch]

From a risk management perspective the government is doing fine.

Everything that needs to be secure is secure... sure you hear random stories about this getting hacked or that getting hacked, but really at the end of the day, no missles have been launched and no technology worth anything to anyone has been stolen.

What does the government care if its websites are hacked? If you go to a online bookstore and the site is hacked, you'll think twice about handing over your credit card and this costs them money and odds are it is cheaper for them to secure the page than to eat the loss of business. On the other hand if you go to whitehouse.gov and it is hacked, yeah you might think it is silly, but what are you going to do? Not pay taxes? This represents a very minimal loss to them. Maybe what? An hour to fix the site? It is cheaper for them to just eat the hack.

Yes the government has been hit hard by worms, but they are actively working on that and making good progress.

As far as inflated salaries go... um the US government work on the concept that the president makes $300,000 a year and everyone else makes less according to rank... how much money do you think a lowly project manager makes? $50,000? When they could be making $80-100,000 in the private sector?

Not to make too many enemies on this thread, but there was more involved with the obsd thing than Theo making an ass of himself (though in this case his inital comments about the US were pretty accurate, even a broken clock is right twice a day I guess) anyhow, the government doesn't work fast enough, as this whole thread says, to have responded to his comments that quickly. Also keep in mind that DARPA entered a contract with the university and that couldn't have been ended unless they were not meeting their end of the contract.

Back to the original point, ALEs aside... the US gov has been fearful of "cyber warfare" for a while now, perhaps systems are being left weak to allow a less skilled concerted attack, which of course would result in more funding. (I figure I gotta play both side heh)

catch

[GandalfTheGray]

I don't know about the whole US government, but the agencies I work with have conducted risk analyses and know their exposures. In many cases, they have left servers outside the firewalls, etc., to support access by foreign schools, to share open source information, etc. In general, these systems are 1) easy to hack and 2) not connected to anything that matters.

In most cases, even sensitive unclassified information (employee data, predecisional drafts, etc.) are being protected by firewalls, IDS, AV, strong passwords, careful grouping of access by need-to-know, and operating systems configured to be secure. I know, I know, some aren't also.

Could more be done -- absolutely. Are government agencies slow -- absolutely. Are governments agencies inefficient -- absolutely. BUT, they are not as clueless as the origonal article (and other public press) makes them sound.

[sectac]

i beleive they have a lot going on, they are gaining more and more power, and with bigger systems, they will try to pass laws to restrict almost anything,, NO MORE SENDING ICMP PACKETS!!!, then it will explode on them because services dont work, its a horrible system and it needs to be completly redone.

[nebulus200]

One thing you should consider, when reading anything of this sort, is that GAO often has a bone to pick with agencies at the direction of a congress-person (they are congress' auditing arm). If they don't find anything, they might suffer in funding...dunno, while I don't doubt those agencies have problems, I always try to take articles like this with a grain of salt too...especially when you hear 'government' talk about how it is moving too slowly...usually it is followed with a call for more money, which is, IMHO, what it is all about.

Maybe I am off base, but that is how the article reads to me...

/nebulus