Unisys Investigated For Covering Up Cyber-Attacks

Stony Stevenson writes "Unisys, a major government IT contractor, is reportedly being investigated for failing to detect cyber-attacks, and then covering up its failings. Two US congressmen have called for an investigation into cyber-attacks aimed at the Department of Homeland Security, along with a contractor (that would be Unisys) charged with securing those networks. 'The House Committee on Homeland Security's investigations led them to believe the department is under attack by foreign powers, and could be at risk because of "incompetent and possibly illegal activity" by a US contractor. The congressmen didn't name the contractor in the letter. However, the Washington Post on Monday reported that the FBI is investigating Unisys, a major information technology firm with a $1.7 billion Department of Homeland Security contract, for allegedly failing to detect cyber break-ins traced to a Chinese-language Web site and then trying to cover up its deficiencies.'" Unisys denies it all.

Incompetence on both ends

[Ekhymosis]

This is incompetence on both ends, really. Security is not something that only the contractor has to worry about, its something the users also have to worry about. The government should freaking train their employees and get them to pass classes of security, especially in the DHS. If you don't pass, your pay gets docked or whatever. The NIST has some damn good guidelines for securing XP boxen, so I don't understand why they don't implement those policies (they are free, right???) and train their personnel to use them.

Yes, Unisys may have screwed up, but then again, its all about the better mousetrap and all...

Re:Page 2?

[Stony Stevenson]

Hey don't shoot the messenger. The linking to the Washington Post was a mod job. I had originally linked to a different site which referenced the Washington Post in its article, but which overall was more a summary of the whole affair.

Typical govt C&A hokum

[mbstone]

Among my various other gigs, I've often worked as a contractor doing certification and accreditation (C&A) paperwork for half a dozen fed. govt. agencies. "C&A" is the required paperwork that is supposed to certify that an agency's systems have been secured in accordance with applicable NIST, DoD, etc. standards. Understand that many, if not most, agencies devote far more time, money, and effort to making the paperwork look good than they do to actually securing the systems. Some agencies, and some of their contractors, think the NIST SP 800-37 C&A process, DIACAP, FISMA reporting, etc. is just a worthless paper shuffle. Some are even still using SP 800-26 risk assessment questionnaires in lieu of a full C&A. I can't tell you how many job interviews I've gone on where the contractor company's hiring manager would actually brag about how they are going to falsify the C&A and snow the agency's inspector general, OMB, or whomever. My standard response to that has been, "Can I visit you in prison?" (Usually this spells the end of that particular interview process.) Since, up to now, nobody has actually gone to federal prison for submitting bogus C&A documentation, some people thought they could get away with this kind of bogosity forever. A strange and unlikely confluence of events caused the Unisys situation: they (allegedly) cheated on the C&A process, AND the intruders pwned the DHS network, including the main admin password. The successful intrusions caused an audit which exposed the C&A fraud (which otherwise would have slid on by). Too bad, so sad.

Unysis

[syedelyas]

"Security Unleashed - At Unisys, we're looking at security in an entirely new way. Security is no longer a defensive measure. It's an enabling catalyst for achievement. Unisys Secure Business Operations help to unleash your full potential." taken from Unisys web it says they can make everything possibility with their motto "we help you adapt quickly to meet ever-changing market demands and be resilient, agile and open" is a trash after all and hoping for a big fish to come after.. but the quote that they had used doesn't fit them a lot with this news. again, i think there not too good for this job.

Re:Typical unisys

[El Torico]

As with most government contracts you have to have a clearance to actually work on it, something not easily obtained by a lot of U.S. Citizens...

This is a big part of the problem. The vast majority of Government Contractors are only marginally qualified and got their jobs by having the clearance, not by being technically proficient. This is known as "warm bodies" syndrome since many contracts pay per position filled. Getting a clearance can take years, depending on the level, and usually takes months, so this is a high barrier to entry and keeps a lot of smart people out.

There are many very capable and well-qualified people in Government Contracting, but they are a minority. Of course, Management, being what it is, doesn't want to give bad news to a customer, so sometimes they "muddy the waters".

Re:Typical unisys

[thejynxed]

Actually, Unisys hires through temp agencies and the temps only have to pass an FBI background check.

I know this, because I worked for IBM in a government data center at the time. We handled the big iron (oddly enough, including some machines from Sun and some ancient AS/400s) and the Unisys flunkies did operations and tape library stuff (cartridge and reel to reel). DOT, IRS, etc stuff. Believe it or not, they had PCs in there running Win95 and NT4 with no egress filtering to the internet... There were quite a few Ukrainians, Chinese, Russian and Estonian employees working there for Unisys. Over in the other room Lockheed Martin had their stuff running. No one but U.S. citizens allowed in there, and no outside internet access. I pitied the network admins (not really).

Not surprising

[Anonymous Coward]

I worked for Unisys some time ago as helpdesk support for their DHS account, and this is no surprise to me at all. They are absolutely inept and have no concern for security. Among the things that just amazed me:

1. When a user asked for a password change, we were not supposed to challenge them in any way. This included people as high up as the Secretary(or more accurately-the secretary's assistant), but we didn't even have a list of who his assistants were.
2. Each desk had two systems, one Unisys and one DHS. The building had no physical security and the systems were not locked down. Also, nobody ever locked their desktops.
3. The head of cybersecurity resigned at one point, stating that nobody took network security seriously. Two weeks later, his account was still active.
4. I worked there for about 8 months before I decided to get out. In that time, I never received any sort of security clearance.

Those are just the big ones. That was my first and last job for a government contractor.