
Unisys Investigated For Covering Up Cyber-Attacks

Stony Stevenson writes "Unisys, a major government IT contractor, is reportedly being investigated for failing to detect cyber-attacks, and then covering up its failings. Two US congressmen have called for an investigation into cyber-attacks aimed at the Department of Homeland Security, along with a contractor (that would be Unisys) charged with securing those networks. 'The House Committee on Homeland Security's investigations led them to believe the department is under attack by foreign powers, and could be at risk because of "incompetent and possibly illegal activity" by a US contractor. The congressmen didn't name the contractor in the letter. However, the Washington Post on Monday reported that the FBI is investigating Unisys, a major information technology firm with a $1.7 billion Department of Homeland Security contract, for allegedly failing to detect cyber break-ins traced to a Chinese-language Web site and then trying to cover up its deficiencies.'" Unisys denies it all.
  • Well... (Score:4, Insightful)

    by Bananatree3 ( 872975 ) on Tuesday September 25, 2007 @03:16AM (#20739813)
    Security of critical gov't systems SHOULDN'T be left to some missionary IT support. It should be done in-house. Period.
  • Re:Typical unisys (Score:3, Insightful)

    by chuckymonkey ( 1059244 ) <charles DOT d DO ... AT gmail DOT com> on Tuesday September 25, 2007 @03:33AM (#20739905) Journal
    I highly doubt that. As with most government contracts you have to have a clearance to actually work on it, something not easily obtained by a lot of U.S. Citizens much less someone from a country that we really don't trust all that much. So I'm fairly certain that most of the people involved with the program are U.S. Citizens born and bred or at least naturalized from another trusted nation i.e. Great Britain, Canada, Australia.
  • Re:Typical unisys (Score:3, Insightful)

    by Opportunist ( 166417 ) on Tuesday September 25, 2007 @03:47AM (#20739979)
    And that means what, exactly? That they adhere to some law which was passed with the intention to generate security and is circumvented with the intention to generate revenue.

    For reference, see SOX.
  • by Opportunist ( 166417 ) on Tuesday September 25, 2007 @03:51AM (#20740011)
    Security first and foremost is not a product you buy. Security is a process or procedure you develop and stick to, review constantly and readjust to match the requirements of an ever changing "market" of threats. And as long as neither companies nor governments realize that (let's not even get to the users, they can only stick to the policy created, even if they knew better), no security will be seen.

    Security is actually the quest for the better mousetrap. The problem is, as soon as you have it, you get to face the better mouse and the race is on again.
  • Re:Damn (Score:3, Insightful)

    by Opportunist ( 166417 ) on Tuesday September 25, 2007 @05:38AM (#20740463)
    This is about government and contractors. Free market is next door. Actually, it's down the corridor, then right, then ... ask again, I forgot where it was, we hardly use it today anymore.
  • by argent ( 18001 ) <peter@slashdot.2 ... m ['.ta' in gap]> on Tuesday September 25, 2007 @08:00AM (#20741173) Homepage Journal
    What? Look... things like credit card numbers and passwords to online accounts aren't "classified data", but they certainly *can* be stolen. Plans for as yet unreleased products can still be stolen, even if they're plans for devices with no military application at all.

    On the other hand, classified data can include material that people CAN find out from their own observation if they happen to be in the right place at the right time. Like whether a particular vessel is in a particular location... individual observations that aren't correlated aren't something that has been "stolen"... they just happen... but in bulk they become valuable and justify protection.

    So whether something is a military or state secret is orthogonal to whether it's valuable or can be "stolen".
  • by Anonymous Coward on Tuesday September 25, 2007 @08:26AM (#20741447)
    Anyone that has worked inside government IT whether directly or as a contractor will know that this is government politics at play. There are exceptions, but most highly skilled and trained system administrators are going where the money is, and it's not working as a gov't employee. I know. A gov't IT department may have policies and procedures up the wazoo, but at the same time no budget or authority to ensure compliance. Exception is the rule in gov't. Here's an example:

    "Sir, there appear to be attacks against our systems from China"

    "Are you telling me that China is attacking us? Can you provide proof beyond a doubt that it is China attacking our systems? How did you detect this attack?"

    "Sir, it shows up in the firewall and IDS logs"

    "What are firewalls or IDS? Did you get that report done...blahblahblah that I asked for? Why are you looking at the logs when I need real work done? What is the status of project A, B, C? Go help fix a computer somewhere."

    "Sir, should I not be looking at the logs?"

    "What, are you stupid, did I TELL you to look at the logs? Go fix a computer or something"

    So, you train a govt IT person in computer security and they get a CISSP and maybe a SANS cert or two. But, they have to continue working with people who won't allow them to use the knowledge. They're leaving.

    Generally speaking, my experience is that many departments in gov't don't follow their own process or rules and they breed an air of idiotic compliance. Then fire the blame gun when a problem erupts.

    I was told by a long term employee when I asked how to survive in gov't so long..."for every situation, always have a putz lined up." Smart sysadmins in gov't learn that they will be the putz and leave.
