Security United States

U.S. Agencies Earn D+ on Computer Security

Posted by CowboyNeal
from the but-it-still-passes dept.
MirrororriM writes "Seven of the 24 largest agencies received failing grades, including the departments of Energy and Homeland Security. The Homeland Security Department encompasses dozens of agencies and offices previously elsewhere in government but also includes the National Cyber Security Division, responsible for improving the security of the country's computer networks. 'Several agencies continue to receive failing grades, and that's unacceptable,' said Rep. Tom Davis, R-Va., the committee's chairman. 'We're also seeing some exceptional turnarounds.'"
  • Psst... (Score:5, Funny)

    by Anonymous Coward on Thursday February 17, 2005 @09:28PM (#11707280)
    D isn't failing.
  • by Anonymous Coward on Thursday February 17, 2005 @09:28PM (#11707282)
    "You're below average, but you do it very well!"
  • D+? (Score:5, Funny)

    by Anonymous Coward on Thursday February 17, 2005 @09:28PM (#11707284)
    Better work on that C++
  • by Profane MuthaFucka (574406) <busheatskok@gmail.com> on Thursday February 17, 2005 @09:29PM (#11707286) Homepage Journal
    "A D+ is NOT a failing grade. Sure, there's some room for improvement, and we're working on this. It's hard work. But the fact that these agencies passed the test, even by a slim margin, is good news."

    Now watch this drive.
  • by Avyakata (825132) on Thursday February 17, 2005 @09:30PM (#11707290) Homepage Journal
    If I was more involved in politics, and, for some unknown reason, absolutely hated Bush...my comment would read something like:

    Ah...stupidity is a communicable disease...
  • Honestly it isn't surprising that our government is behind on security, especially when it comes to computers. Technology moves really fast and I imagine the US would have to spend billions just to keep up. It isn't entirely practical. All they can really do is hope for the best. Those that are a threat to security will always be one step ahead.
    • by arootbeer (808234) on Thursday February 17, 2005 @09:36PM (#11707327)
      Yes...I would hate to think the Government would have to spend billions on something as unimportant as securing their computer systems. Couldn't they just do it as a supplemental request [defenselink.mil]?
    • by ArmchairGenius (859830) on Thursday February 17, 2005 @09:42PM (#11707364) Homepage
      But you would think (hope) that the Department of Homeland Security would at least be able to secure their own darn computers.....
    • by Strudelkugel (594414) on Thursday February 17, 2005 @09:58PM (#11707463)

      Having worked with government types, I can unfortunately guess that money is not the problem - attitude is. There are many civilians employed with US tax dollars who view their responsibility as "I am going to do the thing I was hired to do 20 years ago and keep doing it." There's another variety of employee - "I'm not really familiar with this new technology, so I will resist its implementation because I might look bad otherwise."

      Before some mod this as flamebait, I am not saying that all government employees are this way; you have to admire the CDC guys who suit up to go check out the latest hideous disease, for example. They deserve every dime they get. Of course there are other departments where people do a good job as well. That said, I suspect the US Government has the greatest number and probably the highest percentage of unmotivated, uninterested employees of any organization I have encountered. This is a huge problem. The only way to fix it is to curb spending, which can have the effect of making the government more cost efficient and proactive.

      • Tired of this? Perhaps whistle-blowers have argued that's a lot of ineffective bureaucracy to start with, but it's only going to go check out the problem. The only way to figure out how to fix it isn't complete incompetence.

        Seriously, it's implementation of ineffective bureaucracy to start with, but it's obvious where this went astray; you have to wonder. Would this issue for improved from Congressional Cyber Security on purpose. bear with this new technology, so I will always be one step ahead? Having wo

        • Would you like to completely reword that... I may just be on crack today (I don't think I am), but about half way through the second paragraph I realised that there didn't seem to be any message, just a lot of jumbled words that looked like they should make sense.
      • Uninterested? Only until you accidentally step onto their turf (often when you are trying to make up for a deficiency on their part). Then they become very interested in making your life a living hell.
      • Government organizations are usually (but not always) plagued by politics and power, which produce inefficient and dishonest bureaucracies. Political partisanship makes it political suicide to take responsibility for a mistake. As a result, politicians take no responsibility, and the job of the lower ranks of the bureaucracy is to cover their ass when the blame comes down. The best way to avoid making mistakes is to do nothing, and to shuffle all real useful work to the bottom of the ladder. This is the zer
  • The NSA? (Score:4, Interesting)

    by tajmorton (806296) on Thursday February 17, 2005 @09:32PM (#11707304) Homepage
    What about the NSA [nsa.gov]? I'm sure that they take computer security [nsa.gov] a little more seriously. - Taj
    • Re:The NSA? (Score:5, Interesting)

      by digitalchinky (650880) <dtchky@gmail.com> on Thursday February 17, 2005 @10:18PM (#11707607)
      Not really. Only the public interfaces.

      Internally if you are cleared to see a certain group of things, the security is not so complex.

      If you need access to VRK/TK type stuff, you get anal probing prior to accessing the restricted area - airgap with a big chunk of concrete thrown in the mix.

      Why have 'huge' internal security when 'the man' already spends six months getting chatty with your friends, teachers, family, relatives, long lost loves from childhood, just to see if you can really be trusted with a clearance?

      A TS clearance basically means you are 'trustworthy' - or you go to jail. Security vetting gets repeated every couple of years - sucks when you're in the Military and they want to know who your bestest work friends are that you've known for at least ten years.
      • If you need access to VRK/TK type stuff, you get anal probing prior to accessing the restricted area - airgap with a big chunk of concrete thrown in the mix.

        Man, that must hurt.

      • There are other ways to lose Top Secret clearance than just giving away secrets... If you go into debt, pop positive on any drug tests, or become an islamic extremist you can lose your TS clearance...
    • Well, considering that the NSA is rolled up under the DoD you can see why the DoD in general got a D instead of the F it deserved (implicating that the NSA raised the bar more than a little).
  • by Anonymous Coward on Thursday February 17, 2005 @09:33PM (#11707310)
    We all know grade inflation runs rampant in the U.S.
  • by Anonymous Coward on Thursday February 17, 2005 @09:35PM (#11707320)
    .. that they showed up for class and tried their best. It's all we can really ask for.
  • by Anonymous Coward on Thursday February 17, 2005 @09:35PM (#11707322)
    Grades of D and below can no longer be referred to as "failing" and are now to be referred to as "success challenged."
  • by lukewarmfusion (726141) on Thursday February 17, 2005 @09:37PM (#11707337) Homepage Journal
    Dec 10, 2003: U.S. Agencies Earn "D" For Computer Security [slashdot.org]

    No, that's not a dupe. Yes, US Agencies have earned low "grades" for security for years. Considering that many of them were started for the purpose of increasing security, this begins to qualify as a complete FAILURE on their part (regardless of whether it's an F or a D+ or whatever).
  • by to_kallon (778547) on Thursday February 17, 2005 @09:40PM (#11707347)
    'We're also seeing some exceptional turnarounds.'
    now, ianam (i am not a mathematician) but is there any other direction for them to go....?
  • Ok, I'm going to go out on a very far far limb and say that this is may not be getting a higher priority on purpose. Bear with me.

    What are the side-effects of this? Perhaps whistle-blowers have easier access to "restricted" information because the systems aren't kept up to date? Or maybe there is an opportunity for some under-the-table independent verification of internal information because the doors are left unlocked unwittingly or on purpose?

    With all the emphasis put on this issue for all this time a

  • One More Reason... (Score:5, Insightful)

    by fupeg (653970) on Thursday February 17, 2005 @09:43PM (#11707379)
    to get rid of government agencies.

    Seriously, it's obvious where this is headed. This report was done by a Congressional committee using reports from each agency's inspector general. That's a lot of ineffective bureaucracy to start with, but it's only going to get worse. Next we'll have an agency devoted just to making sure these other agencies have proper security. And of course each of those agencies will need to hire specialized people and consultants to figure out how to fix their security problems, and then to diligently maintain the new security fixes on an ongoing basis.

    So what do we have at the end of the day? The government reports on itself and determines that more government is needed. Never saw that coming. At least there was one good thing to come of this, from TFA:
    The poor grades effectively dampen efforts by U.S. policy makers to impose new laws or regulations to compel private companies and organizations to enhance their own security
    If only their sense of freedom was enough to "dampen" these efforts...
    • by Anonymous Coward
      So Cletus, after you get rid of the government agencies, who is going to mind the radioactive waste (Dept of Energy) and legal & illegal aliens (Dept of Homeland Security)?
    • by Anonymous Coward
      to get rid of government agencies.

      Give me a fucking break.

      None of you assholes have yet even questioned the grading criterion. I bet most of the places you work at (assuming you are working) would hardly score a C.

      Most .gov computer agencies data centers are run by contractors. Yes, those people that charge $700 for a hammer because fucked-up gov specs require a new machine to be built to manufacture the thing.

      I've been a contractor since the `computer department' was called `DP'. I think we're i

    • to get rid of government agencies.

      That's a knee-jerk reaction to stereotype faceless bureaucracies. To keep my soapbox short, I chalk up most of my negative experiences working within the gov't to the political side of human nature, and those inefficiencies are always going to be there. Until we figure out how to breed perfect administrators.

      each of those agencies will need to hire specialized people and consultants

      A solution to this is being tried: NMCI (Navy Marine Corps Intranets) is one po

  • Wanna know why? (Score:3, Insightful)

    by Anonymous Coward on Thursday February 17, 2005 @09:44PM (#11707384)
    Pretty much because they can get away with it. Reports like this can help but... there's sooo much money there, it's ridiculous.

    Remember what the 2 biggest parts of next years government budget are? Defense and Homeland Security. And the workers there will continue to get fat and wealthy, while being incredibly lazy and careless... as is typical in most government positions. Then when a product doesn't work, either they get rid of that contractor and get a new one (Who behaves the same way), or they just keep on going.

    Oh yes, I forgot to mention: it's not just people employed by the government. Contractors are at fault too. Contractors are the ones who do a lot of the work!

    It's a difficult situation to handle, I know I wouldn't want to be managing it right now.

    • Specification for contract:

      We need a secure computer system running Windows 98 with unfettered internet access for all employees. All employees must have complete access to install all programs, but no access to install viruses. Computers must have those nifty thumb-print scanners and have a secure sounding start-up sound. The background of each computer must be the Homeland Security logo on a background of cornflower blue for normal employees, spruce for executive level employees, and variable color for

  • tax (Score:1, Informative)

    by Anonymous Coward
    'Several agencies continue to receive failing grades, and that's unacceptable,' said Rep. Tom Davis, R-Va., the committee's chairman. 'We're also seeing some exceptional turnarounds.'

    Rep. Davis continues, "These turnarounds will assist us to more effectively collect tax, which is, after all, the reason why we're here. The less we spend on computer security breaches, the more we can spend on programs that justify the collection of tax."
  • Failed What Exactly? (Score:5, Informative)

    by Petsection (165426) on Thursday February 17, 2005 @09:48PM (#11707404)
    Maybe I could get a little more concerned about this if they let us know what the test was? When you are talking about government agencies, the words "a computer and network security test" could mean quite a few things. 10/200 computers are still running Win3.1 - you get a D+. You are missing meta tags on your intranet - D+.

    Hard to have any kind of opinion about that article unless they tell us more about this magical test.
    • Yes, I demand more information on the tests. Specifically, what security vulnerabilities were found on what public-facing systems, and have they been patched yet?

      Inquiring minds want to know.
  • by ian rogers (760349) on Thursday February 17, 2005 @09:48PM (#11707409)
    Next time we attack a country and then the public finds out there was no evidence behind the attacks, they won't have to get Britain to cover for them.

    They can just get a guy with a nerdy voice to go up to the podium and say "OMG WTF OUR DATA WAS HAX0RED."

    At least that excuse is believable.
  • by Facekhan (445017) on Thursday February 17, 2005 @09:55PM (#11707446)
    I keep thinking that if government agencies are really having such a hard time with security and also the typical failure of their large and expensive IT projects they should centralize their IT into a department that will manage all the government IT stuff so as to allow the other agencies to get back to their main business. Kind of the way that computers can be made more secure by not letting the users administer them. If one agency managed all the purchasing, support, and development for the other agencies it might make things work better. As it stands only a handful of agencies seem to be able to handle technology. They would also be able to more easily hold accountable the large contractor corporations that seem to just milk the government on IT projects that never work.
    • It appears you have just defined the Department of Redundancy Department. A bad idea IMHO, as it will likely not solve any problems but actually create more problems.
      • You could be right. I am usually the last person to suggest the government needs yet another agency but it seems that one of two things happens in government IT these days. The employee IT people don't keep up with new tech and the contractors take advantage of the way the govt handles money.
        • I think IS and IT departments need to be independent to each agency... but at the same time, the NSA, in my opinion, needs to set standards of secure inter- and intra-agency communication. Encryption, standards, documentation, some level of absolute requirements.

          Each agency has a lot of unique, huge needs. You can't have an IT department for the entire Fortune 10 corporations. You just can't. Their needs are different, their size is ridiculous, and you just wouldn't be gaining anything.

          Better communicatio
    • They tried to create such a centralised system; one that would standardise and oversee other departments. It is called the "Department of Homeland Defense". Unfortunately, that department itself did very badly on this test.
    • Actually, the idea of external auditors is a good idea. The leadership of the organization being audited will not be able to use intimidation etc to make the auditors let a couple of unacceptable practises go unmentioned.

      Rather, the output from the audit must be taken seriously. It seems rather curious that an agency can receive failing grades over and over without anyone forcing the agency to take effective measures.

      Yes - some improved, but why didn't the rest of 'em? But hey - if I was an Al Qaeda opera
      • Along those lines a central IT agency in government would let the admins do what they have to do and they would not be penalized for making their superiors choose better passwords.
  • I wish the government wouldn't be singled out as this is a universal problem, no matter who owns the computer. The underlying problem, IMO, is that too many people want administrator rights to systems who know nothing about how to be an administrator. There's no one to enforce security policies and there are no realistic training requirements or credentials for users who operate these systems. This has become an increasing problem in the workplace as the number of systems and their pseudo-admins grow.

    As
    • Why should we put computer security above getting the job done? I hear a lot more hot air about "Digital Pearl Harbors" and computer security D-minuses than I do real world problems. Sure the occasional virus costs a supposed X million dollars in repairs, but nobody bothers to calculate how that compares to the cost of preventing such things. Sure it would be fun to sit around and make sure our computers are safe all day, but at some point you have to do something with them.

      The question isn't whether b

    • by demachina (71715) on Thursday February 17, 2005 @11:06PM (#11707920)
      You apparently have no grasp of how government contractors and civil servants work. Here is a hint .... the pay is the same.

      If you are a civil servant filling this admin job it's nearly impossible to fire you so you have absolutely no incentive to tear your hair out worrying about securing your systems. You punch in, you go through the motions, you punch out, and when you put in 20 years or so you retire with a handsome pension.

      If you are a contractor you are working for a company whose only goals are to:

      A. Win the contract with award winning prose about what a great job you will do

      B. Once you win the contract you hire a small army of warm bodies whose one purpose in life is to put in billable hours which the company in turn bills to the government with a nice profit margin tacked on, and to buy and resell hardware and software to the government with a nice profit margin tacked on. There is NEVER any penalty in government contracting for failure. The worst thing that can happen is the project is canceled and your contract ends and you go bid for new ones, or when the term of the contract expires they might award it to another contractor and you go bid for new ones. Many of the warm bodies working for the contractor on the way out just go work for the new contractor and nothing actually changes except the name on the paychecks.

      There are only occasionally incentive payments for success and those are just gravy, nice to have, but not if it means you have to expend a lot of money and effort to actually do a good job.

      In many spectacular failures involving government contractors the project will suffer massive cost overruns and schedule slips and the agency will just keep pouring ever more money at the contractor, and in to their profit margin, in the hopes they will eventually pull it through. In effect the contractor is rewarded for failure with more years of revenue.
  • Original Report Card (Score:5, Informative)

    by bornholtz (94540) on Thursday February 17, 2005 @09:57PM (#11707460)
    Here is a link to the full scorecard and the reporting methodology

    Committee on Government Reform [house.gov]
    • by HisMother (413313) on Thursday February 17, 2005 @11:19PM (#11708002)
      Looking at the list of metrics, I can understand why many of the larger agencies are "failing". Many of the metrics concern "agency-wide policies", "agency-wide plans", and "agency-wide inventories." The larger government agencies are very heterogeneous, by design. The DOE's laboratories, for example, are deliberately run by different contractors who each have a lot of discretion in how things are operated. And DHS, of course, is a hodgepodge, a loose federation of a large number of until-recently independent organizations -- of course they don't have a single unified IT oversight system. You think it makes sense to have a single, central, updated, accurate list of every single computer owned by the DHS, categorized by OS? What's the cost/benefit analysis there? Furthermore, another important metric on their scorecard is the extent to which the agency specifically acted on recommendations from a previous year. If an agency simply doesn't give a shit what Tom Davis' little committee has to say, then they get marked off for not caring. This report is completely worthless, IMO. I could say a lot more, but I think I'll leave it at that.
  • I wonder how many are using microsofts secure products - those ones that are more secure than the alternatives that is?
    • There are no secure products from M$. Never have been, never will be. The only time a Windows box can be secure is when it's only connected to a wall outlet and a printer. You know, exactly what 3.0 was designed for. The moment you hook it to anything else, there is no security. This is the way it will stay until a complete, ground up re-write is done with NO modules brought in from the past versions.
  • But I can't because there apparently is no list for me to read. Anyone know where I can find info on how all agencies/companies that were involved in the "test" fared?
  • Hey this is 2005, putting the prefix "Cyber" in front of everything is so 1998. I like "Network Infrastructure Security" or something like that... Kinda makes me want to start a company called Compu-Hyper-Global-MegaNet (a-l-a Homer Simpson).
  • by Gruneun (261463) on Thursday February 17, 2005 @11:14PM (#11707971)
    Security isn't failing in most government agencies due to lack of attention or lack of aptitude. In fact, from what I see in the IT-heavy, defense agency I work for (as a contractor, thank God), the incredible bureaucracy of the process is what keeps them behind the times. There are several competent people, each capable of keeping an up-to-date, secure network running at full speed, but they are so strangled with the briefing, pre-approval, documentation, status reports, testing process, etc., etc., etc., that it takes them a week to get a simple patch approved and installed. All that leads to an apathetic, "I did everything that was specifically required of me" attitude.

    There's a pretty high turnover rate for sys admins, which certainly doesn't make the overall maintenance any easier.
  • by Anonymous Coward on Friday February 18, 2005 @12:30AM (#11708390)

    I work as a government contractor in IT, in a large government agency. We don't handle secrets, so there is not a huge (legal) impetus for security there--that is, we're about as interested in it as any major corporation. Lives aren't at stake, like they might be at the NSA.

    That said, the agent officially in charge of security in my division is as dumb as a bag of nails. How they got that position I don't know--but I understand that it's not uncommon to take, essentially, someone in a bureaucratic position, give them a few night classes, and then they can call themselves chief of security.

    My officer is long on procedure--many meetings are attended in which they take copious notes on procedure--and then those procedures are handed down to us to implement. However, since the officer themself isn't technical, a great many gaps can occur between implementation and actual security need. Quite a few things are overlooked, which everyone in the trenches recognizes as an issue, yet we don't have the authority to fix it ourselves; but on the other hand, there are often draconian implementations of security put in place, which have no real effect other than to frustrate the users who then circumvent it.

    Case in point: all users are required to use strong passwords, mixed case, number, punctuation, of over 7 characters; these passwords are rotated every 90 days. That's all pretty typical. But oh--our email is IMAP, and it's not over SSL. And you can get connected outside of our firewall. So all of the users with laptops merrily connect from home, sending this super strong password, in the clear, every night. Totally defeating the purpose. While I've recognized this issue, and made my immediate superiors aware, the person that could implement a change in policy is 6 levels above us; and our designated security officer is not technical enough to explain the issue to the folks who would listen. So it gets dropped, until it winds up on a report like this.

    Essentially--it's a checkbox method of management. Our officer has boxes to check, and they get checked off. Which means we're secure. Except real security preparedness requires thinking like a burglar, and thinking "out of the box"--but the folks that do aren't the same that make policy.

    That's at least the case at my institution. I hate to think that it might be the same where there are actual lives at stake--but who really knows?
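As an added example (not from the thread or any agency's code), here is a small Python audit of the situation the comment above describes: the password-policy checkbox passes while IMAP without TLS leaks the same password. The CAPABILITY lines are constructed inputs, so it runs offline.

```python
"""Checkbox compliance versus real exposure for IMAP logins (added example)."""
import string


def password_meets_policy(pw: str, min_len: int = 8) -> bool:
    """The policy from the comment: mixed case, a digit, punctuation, more than 7 chars."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def parse_capabilities(capability_line: str) -> set:
    """Turn '* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED' into a set of tokens."""
    tokens = capability_line.strip().split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    return {t.upper() for t in tokens}


def credential_exposure(capability_line: str, implicit_tls: bool) -> str:
    """Classify how a client's credentials travel on this server.

    protected : the whole session is TLS from the start (IMAPS, port 993).
    enforced  : LOGIN is refused (LOGINDISABLED) and no plaintext SASL
                mechanism is offered before STARTTLS, so a client cannot
                send the password in the clear even if misconfigured.
    optional  : STARTTLS is offered but a plaintext login path still works;
                the laptops in the comment, configured without TLS, leak here.
    cleartext : no TLS at all; every login goes over the wire in plaintext.
    """
    if implicit_tls:
        return "protected"
    caps = parse_capabilities(capability_line)
    plaintext_sasl = {"AUTH=PLAIN", "AUTH=LOGIN"} & caps
    if "LOGINDISABLED" in caps and not plaintext_sasl:
        return "enforced"
    if "STARTTLS" in caps:
        return "optional"
    return "cleartext"


def checkbox_audit(pw: str, capability_line: str, implicit_tls: bool) -> dict:
    """Compare the box that gets ticked (policy_ok) with what actually protects the login."""
    exposure = credential_exposure(capability_line, implicit_tls)
    policy_ok = password_meets_policy(pw)
    return {
        "policy_ok": policy_ok,
        "exposure": exposure,
        "secure": policy_ok and exposure in ("protected", "enforced"),
    }


if __name__ == "__main__":
    # Constructed sample: a policy-compliant password on a server that only
    # advertises plain IMAP4rev1 on port 143, as described in the comment.
    sample_password = "Tr0ub4dor&3"          # constructed, not a real credential
    sample_caps = "* CAPABILITY IMAP4rev1"    # constructed server banner
    print(checkbox_audit(sample_password, sample_caps, implicit_tls=False))
    # The fix is on the server side: require TLS (IMAPS or STARTTLS with
    # LOGINDISABLED and no plaintext SASL before TLS), not a longer password.
    print(credential_exposure("* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED", False))
```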
  • This ties in with the comments of Richard Clarke Ripping into Microsoft's purported security [slashdot.org]. I think that the Department of Homeland Security just recently signed a sole-source contract with Microsoft. In short: They're doomed.

    Friends of Mr. Bush might be happy to point out that Clarke is a former member of the Bush cabinet who left under unhappy conditions. For me, this would complete my proof.

  • by Lally Singh (3427) on Friday February 18, 2005 @04:57AM (#11709709) Journal
    You know they graded on a curve.
  • No surprises (Score:2, Informative)

    by Anonymous Coward
    I used to be employed at a large government agency in Washington, DC. There was no security in the building until you got onto the floor I was working. One day, I forgot my badge so I couldn't get in the door. Standing next to the elevators, I waited for someone to let me in even though it was pretty early in the morning and most people didn't arrive until after 9am. Finally, someone else showed up and showed me that you don't really need a badge. He passed his credit card along the door jamb and the door l
  • I'm no government apologist, but how long do you think it would take you to integrate pieces of 100's of agencies (DHS) with thousands of custom and COTS applications on every platform imaginable into a brand new superagency? They can't even get office space together, how can they be expected to have their infosec together? When mission continuity is your only priority, and your budget is earmarked for more important things, you lose a lot of your options.
  • dead weight (Score:3, Insightful)

    by jtg2k4 (860406) on Friday February 18, 2005 @11:09AM (#11712572)
    The real problem with government agencies is that it's almost impossible to get fired. You have to do something criminal to get the boot. Incompetence is not grounds for termination, it's standard business practice. Everyone looks the other way because they're doing the same thing. Think about it... If it was nearly impossible for you to be fired, how long before you started to slack off and become part of the problem. People in the real world know that if they don't work, they'll be fired... And if you don't enjoy your job, that's all the motivation you need. Just as water seeks its own level, if you work for the government long enough, you will become useless too. The only way to fix the government is to bring in an independent professional auditor and make everyone in government interview for their own jobs. This will weed out the dead weight and open up positions for new people who have not yet been assimilated by the system.