U.S. Agencies Earn D+ on Computer Security 190
MirrororriM writes "Seven of the 24 largest agencies received failing grades, including the departments of Energy and Homeland Security. The Homeland Security Department encompasses dozens of agencies and offices previously elsewhere in government but also includes the National Cyber Security Division, responsible for improving the security of the country's computer networks.
'Several agencies continue to receive failing grades, and that's unacceptable,' said Rep. Tom Davis, R-Va., the committee's chairman. 'We're also seeing some exceptional turnarounds.'"
Re:FOIA makes computer security mute (Score:1, Informative)
Security through obscurity isn't a good security tactic.
US Agencies Responsible for "Dupe" Stories (Score:5, Informative)
No, that's not a dupe. Yes, US Agencies have earned low "grades" for security for years. Considering that many of them were started for the purpose of increasing security, this begins to qualify as a complete FAILURE on their part (regardless of whether it's an F or a D+ or whatever).
tax (Score:1, Informative)
Rep. Davis continues, "These turnarounds will assist us to more effectively collect tax, which is, afterall, the reason why we're here. The less we spend on computer security breaches, the more we can spend on programs that justify the collection of tax."
Failed What Exactly? (Score:5, Informative)
Hard to have any kind of opinion about that article unless they tell us more about this magical test.
Re:FOIA makes computer security mute (Score:5, Informative)
Besides, FOIA does not mean that you can get all of the information that you want from the government. FOIA requests can be refused for a variety of reasons (these reasons are specified in the act [usdoj.gov]). Requests for "sensitive" data are often refused. So computer security isn't moot anyway.
Original Report Card (Score:5, Informative)
Committee on Government Reform [house.gov]
Re:Psst... (Score:5, Informative)
You're right, it isn't. The agencies that failed got F. I was going to make a spiel on how /.ers never read the article, when I realised that the article didn't clearly state this.
More info in links below:
Washington Post [washingtonpost.com]
Report Card [house.gov]
Statement and links [house.gov]
As a government contractor.... (Score:5, Informative)
I work at as a government contractor in IT, in a large government agency. We don't handle secrets, so there is not a huge (legal) impetus for security there--that is, we're about as interested in it as any major corporation. Lives aren't at stake, like they might be at the NSA.
That said, the agent officially in charge of security in my division is as dumb as a bag of nails. How they got that position I don't know--but I understand that it's not uncommon to take, essentially, someone in a bureaucratic position, give them a few night classes, and then they can call themselves chief of security.
My officer is long on procedure--many meetings are attended in which they take copious notes on procedure--and then those procedures are handed down to us to implement. However, since the officer themself isn't technical, a great many gaps can occur between implementation and actual security need. Quite a few things are overlooked, which everyone in the trenches recognize as an issue, yet we don't have the authority to fix it ourselves; but on the other hand, there are often draconian implementations of security put in place, which have no real effect other than to frustrate the users who then circumvent it.
Case in point: all users are required to use strong passwords, mixed case, number, punctuation, of over 7 characters; these passwords are rotated every 90 days. That's all pretty typical. But oh--our email is IMAP, and it's not over SSL. And you can get connected outside of our firewall. So all of the users with laptops merrily connect from home, sending this super strong password, in the clear, every night. Totally defeating the purpose. While I've recognized this issue, and made my immediate superiors aware, the person that could implement a change in policy is 6 levels above us; and our designated security officer is not technical enough to explain the issue to the folks who would listen. So it gets dropped, until it winds up on a report like this.
Essentially--it's a checkbox method of management. Our officer has boxes to check, and they get checked off. Which means we're secure. Except real security preparedness requires thinking like a burglar, and thinking "out of the box"--but the folks that do aren't the same that make policy.
That's at least the case at my institution. I hate to think that it might be the same where there are actual lives at stake--but who really knows?
No surprises (Score:2, Informative)
Also, we had a lot of private consultants who were using laptops to dial back to their respective firms. Since said laptops were simultaneously connected to the LAN, they basically did an end-run around our firewall and created a vulnerability....assuming we had a firewall which we didn't. The place was pathetic yet still required the Top Secret clearance, etc., etc., etc.