U.S. Agencies Earn D+ on Computer Security

MirrororriM writes "Seven of the 24 largest agencies received failing grades, including the departments of Energy and Homeland Security. The Homeland Security Department encompasses dozens of agencies and offices previously elsewhere in government but also includes the National Cyber Security Division, responsible for improving the security of the country's computer networks. 'Several agencies continue to receive failing grades, and that's unacceptable,' said Rep. Tom Davis, R-Va., the committee's chairman. 'We're also seeing some exceptional turnarounds.'"
  • by ArmchairGenius ( 859830 ) on Thursday February 17, 2005 @10:42PM (#11707364) Homepage
    But you would think (hope) that the Department of Homeland Security would at least be able to secure their own darn computers.....
  • One More Reason... (Score:5, Insightful)

    by fupeg ( 653970 ) on Thursday February 17, 2005 @10:43PM (#11707379)
    to get rid of government agencies.

    Seriously, it's obvious where this is headed. This report was done by a Congressional committee using reports from each agency's inspector general. That's a lot of ineffective bureaucracy to start with, but it's only going to get worse. Next we'll have an agency devoted just to making sure these other agencies have proper security. And of course each of those agencies will need to hire specialized people and consultants to figure out how to fix their security problems, and then to diligently maintain the new security fixes on an ongoing basis.

    So what do we have at the end of the day? The government reports on itself and determines that more government is needed. Never saw that coming. At least there was one good thing to come of this, from TFA:
    The poor grades effectively dampen efforts by U.S. policy makers to impose new laws or regulations to compel private companies and organizations to enhance their own security
    If only their sense of freedom was enough to "dampen" these efforts...
  • Wanna know why? (Score:3, Insightful)

    by Anonymous Coward on Thursday February 17, 2005 @10:44PM (#11707384)
    Pretty much because they can get away with it. Reports like this can help but... there's sooo much money there, it's ridiculous.

    Remember what the 2 biggest parts of next year's government budget are? Defense and Homeland Security. And the workers there will continue to get fat and wealthy, while being incredibly lazy and careless... as is typical in most government positions. Then when a product doesn't work, either they get rid of that contractor and get a new one (Who behaves the same way), or they just keep on going.

    Oh yes, I forgot to mention: it's not just people employed by the government. Contractors are at fault too. Contractors are the ones who do a lot of the work!

    It's a difficult situation to handle, I know I wouldn't want to be managing it right now.

  • Re:Psst... (Score:5, Insightful)

    by JPriest ( 547211 ) on Thursday February 17, 2005 @10:49PM (#11707413) Homepage
    I don't even have to read the article to guess that the suggested remedy is to secure more funds to spend more money on the problem. Anytime any government agency goes public with information it is because they need more money.
  • by Facekhan ( 445017 ) on Thursday February 17, 2005 @10:55PM (#11707446)
    I keep thinking that if government agencies are really having such a hard time with security and also the typical failure of their large and expensive IT projects they should centralize their IT into a department that will manage all the government IT stuff so as to allow the other agencies to get back to their main business. Kind of the way that computers can be made more secure by not letting the users administer them. If one agency managed all the purchasing, support, and development for the other agencies it might make things work better. As it stands only a handful of agencies seem to be able to handle technology. They would also be able to more easily hold accountable the large contractor corporations that seem to just milk the government on IT projects that never work.
  • by Strudelkugel ( 594414 ) on Thursday February 17, 2005 @10:58PM (#11707463)

    Having worked with government types, I can unfortunately guess that money is not the problem - attitude is. There are many civilians employed with US tax dollars who view their responsibility as "I am going to do the thing I was hired to do 20 years ago and keep doing it." There's another variety of employee - "I'm not really familiar with this new technology, so I will resist its implementation because I might look bad otherwise."

    Before some mod this as flamebait, I am not saying that all government employees are this way; you have to admire the CDC guys who suit up to go check out the latest hideous disease, for example. They deserve every dime they get. Of course there are other departments where people do a good job as well. That said, I suspect the US Government has the greatest number and probably the highest percentage of unmotivated, uninterested employees of any organization I have encountered. This is a huge problem. The only way to fix it is to curb spending, which can have the effect of making the government more cost efficient and proactive.

  • by AKosygin ( 521640 ) on Thursday February 17, 2005 @11:19PM (#11707608)
    Unplug the network cable and lock it up in a guarded vault. Only power and no other access, instant A+ security. You don't even need to fiddle with password security.
  • Re:Psst... (Score:2, Insightful)

    by Jsutton1027w ( 757650 ) on Thursday February 17, 2005 @11:26PM (#11707676) Homepage
    It is in grad school. ;)
  • by demachina ( 71715 ) on Friday February 18, 2005 @12:06AM (#11707920)
    You apparently have no grasp of how government contractors and civil servants work. Here is a hint .... the pay is the same.

    If you are a civil servant filling this admin job it's nearly impossible to fire you so you have absolutely no incentive to tear your hair out worrying about securing your systems. You punch in, you go through the motions, you punch out, and when you put in 20 years or so you retire with a handsome pension.

    If you are a contractor you are working for a company whose only goals are to:

    A. Win the contract with award winning prose about what a great job you will do

    B. Once you win the contract you hire a small army of warm bodies whose one purpose in life is to put in billable hours which the company in turn bills to the government with a nice profit margin tacked on, and to buy and resell hardware and software to the government with a nice profit margin tacked on. There is NEVER any penalty in government contracting for failure. The worst thing that can happen is the project is canceled and your contract ends and you go bid for new ones. Or when the term of the contract expires they might award it to another contractor and you go bid for new ones. Many of the warm bodies working for the contractor on the way out just go work for the new contractor and nothing actually changes except the name on the paychecks.

    There are only occasionally incentive payments for success and those are just gravy, nice to have, but not if it means you have to expend a lot of money and effort to actually do a good job.

    In many spectacular failures involving government contractors the project will suffer massive cost overruns and schedule slips and the agency will just keep pouring ever more money at the contractor, and into their profit margin, in the hopes they will eventually pull it through. In effect the contractor is rewarded for failure with more years of revenue.
  • by Gruneun ( 261463 ) on Friday February 18, 2005 @12:14AM (#11707971)
    Security isn't failing in most government agencies due to lack of attention or lack of aptitude. In fact, from what I see in the IT-heavy, defense agency I work for (as a contractor, thank God), the incredible bureaucracy of the process is what keeps them behind the times. There are several competent people, each capable of keeping an up-to-date, secure network running at full speed, but they are so strangled with the briefing, pre-approval, documentation, status reports, testing process, etc., etc., etc., that it takes them a week to get a simple patch approved and installed. All that leads to an apathetic, "I did everything that was specifically required of me" attitude.

    There's a pretty high turnover rate for sys admins, which certainly doesn't make the overall maintenance any easier.
  • by HisMother ( 413313 ) on Friday February 18, 2005 @12:19AM (#11708002)
    Looking at the list of metrics, I can understand why many of the larger agencies are "failing". Many of the metrics concern "agency-wide policies", "agency-wide plans", and "agency-wide inventories." The larger government agencies are very heterogeneous, by design. The DOE's laboratories, for example, are deliberately run by different contractors who each have a lot of discretion in how things are operated. And DHS, of course, is a hodgepodge, a loose federation of a large number of until-recently independent organizations -- of course they don't have a single unified IT oversight system. You think it makes sense to have a single, central, updated, accurate list of every single computer owned by the DHS, categorized by OS? What's the cost/benefit analysis there? Furthermore, another important metric on their scorecard is the extent to which the agency specifically acted on recommendations from a previous year. If an agency simply doesn't give a shit what Tom Davis' little committee has to say, then they get marked off for not caring. This report is completely worthless, IMO. I could say a lot more, but I think I'll leave it at that.
  • Irony (Score:5, Insightful)

    by PineHall ( 206441 ) on Friday February 18, 2005 @12:35AM (#11708094)
    From the report card, the Department of Homeland Security got an 'F' this year and last.
  • by danielobvt ( 230251 ) on Friday February 18, 2005 @12:51AM (#11708193) Homepage
    Uninterested? Only until you accidentally step onto their turf (often when you are trying to make up for a deficiency on their part). Then they become very interested in making your life a living hell.
  • by burns210 ( 572621 ) <maburns@gmail.com> on Friday February 18, 2005 @02:05AM (#11708534) Homepage Journal
    I think IS and IT departments need to be independent to each agency... but at the same time, the NSA, in my opinion, needs to set standards of secure inter- and intra-agency communication. Encryption, standards, documentation, some level of absolute requirements.

    Each agency has a lot of unique, huge needs. You can't have an IT department for the entire Fortune 10 corporations. You just can't. Their needs are different, their size is ridiculous, and you just wouldn't be gaining anything.

    Better communication, more sharing of non-sensitive information and collaboration, and giving the smart Sys Admin the right to fix the problem and not jump through hoops.
  • dead weight (Score:3, Insightful)

    by jtg2k4 ( 860406 ) on Friday February 18, 2005 @12:09PM (#11712572)
    The real problem with government agencies is that it's almost impossible to get fired. You have to do something criminal to get the boot. Incompetence is not grounds for termination, it's standard business practice. Everyone looks the other way because they're doing the same thing. Think about it... If it was nearly impossible for you to be fired, how long before you started to slack off and become part of the problem? People in the real world know that if they don't work, they'll be fired... And if you don't enjoy your job, that's all the motivation you need. Just as water seeks its own level, if you work for the government long enough, you will become useless too. The only way to fix the government is to bring in an independent professional auditor and make everyone in government interview for their own jobs. This will weed out the dead weight and open up positions for new people who have not yet been assimilated by the system.
