
U.S. Agencies Earn "D" For Computer Security

Fighting.Cephalopod writes "For the fourth year in a row, most federal agencies have received low grades for failing to protect their computer networks from hackers and other cyberterrorists, according to a computer security report card issued today by the House Government Reform Subcommittee on Technology." Other readers point out coverage of the report at ZDNet, Reuters (via Forbes), The Washington Post, and ComputerWorld. As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."
  • How did (Score:5, Interesting)

    by dan dan the dna man ( 461768 ) on Wednesday December 10, 2003 @11:27AM (#7680083) Homepage Journal
    the Department of Homeland Security do?
    • Re:How did (Score:5, Informative)

      by KDan ( 90353 ) on Wednesday December 10, 2003 @11:29AM (#7680100) Homepage
      It got an F.

      Daniel
    • Re:How did (Score:5, Funny)

      by Kenja ( 541830 ) on Wednesday December 10, 2003 @11:30AM (#7680105)
      They're not saying, however they've issued a guava alert.
    • Re:How did (Score:5, Interesting)

      by flamingnight ( 234353 ) * <{chris.garaffa} {at} {gmail.com}> on Wednesday December 10, 2003 @11:32AM (#7680130)
      According to the ZDNet article [com.com],
      The newest department in the federal government, the Department of Homeland Security, got off to a bad start with an overall "F" for its computer security, despite the fact that securing the nation's network is part of its mission.


      Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.
      • Re:How did (Score:5, Funny)

        by 16K Ram Pack ( 690082 ) <tim DOT almond AT gmail DOT com> on Wednesday December 10, 2003 @11:42AM (#7680228) Homepage
        Maybe they should get put in detention?

        There's a centre built for it, somewhere in Cuba.

      • Re:How did (Score:2, Funny)

        by Yarn ( 75 )
        A bunch of idiots battling the bureaucracy and losing, I assume.
      • Re: How did (Score:2, Interesting)

        by Anonymous Coward
        I'm a contractor doing part of the TSA network buildout. I'm kind of curious to know how they evaluated the DHS. DHS is largely a rollup of a lot of pre-existing agencies. I don't think any of those agencies have had their IT functions touched by DHS yet. As far as I know the only IT components of DHS that have really been built by the DHS since its inception is the DHS HQ. DHS inherited TSA from the DOT as a project already in progress. Furthermore DHS/TSA aren't even doing their own IT, it's all out
      • Re:How did (Score:4, Interesting)

        by kevlar ( 13509 ) on Wednesday December 10, 2003 @12:02PM (#7680436)
        I'm sure there is little to no standard on de-classified computer systems in the govt. When it comes to classified systems and networks, the government is pretty damn secure.

        The problem as I see it from the ZDNet article is that secretaries and such have unsecured linux/windows/etc machines sitting under a desk running some support application. Nobody really cares enough to secure it (if they even know it exists).
        • Re:How did (Score:3, Interesting)

          by calyphus ( 646665 )

          When it comes to classified systems and networks, the government is pretty damn secure.

          That's wishful thinking on your part. The point of the review is to review all systems.

          Chairman Putnam added, "One of the most disturbing findings is that 19 of the 24 agencies reviewed had not completed an inventory of their mission critical systems. Obviously, an agency can't ensure its systems are secure if it can't account for all of its mission critical systems.

          If they can't even identify and inventory

        • Comment removed (Score:5, Interesting)

          by account_deleted ( 4530225 ) on Wednesday December 10, 2003 @01:19PM (#7681219)
          Comment removed based on user account deletion
      • Re:How did (Score:5, Interesting)

        by Strange Ranger ( 454494 ) on Wednesday December 10, 2003 @12:04PM (#7680450)
        Good!

        If they're so completely ineffective at one of the most fundamental tasks they've been assigned, maybe they'll be ineffective at further eroding our civil rights.

        They got off to a bad start much earlier, when they created the department, named it, and put Ridge in charge. Apparently he is well attuned to the media though...

        Remarks by Secretary Tom Ridge at the National Cyber Security Summit


        For Immediate Release
        Office of the Press Secretary
        December 3, 2003
        ** Remarks as Prepared ** [dhs.gov]
        I was going to pull out some quotes, but the fact that it came out 6 days before their 'F' says quite a bit already.
      • Re:How did (Score:5, Insightful)

        by Mullen ( 14656 ) on Wednesday December 10, 2003 @12:10PM (#7680511)
        Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.

        I think you nailed it on the head. I work at a large company that is very bureaucratic and it is absolutely soul crushing. No matter what you want to do or what needs to be done, there is always someone who will undermine you, attack you or make you jump through hoops. You can gain ground, but you will never win.

        I completely understand why government agencies never have good computer systems or security. It is just not possible.

        • Re:How did (Score:3, Interesting)

          by cptgrudge ( 177113 )
          I work for a mid-size school district. I found many of these problems in front of me when I started, but then I orchestrated the removal of my boss and took his job. Now I am the head of IT and I am somewhat of an ambassador of technology to the administration. Things are going well now.

          It's a political game. You gotta play it to get ahead or get things changed.

          (It really wasn't as bad as it sounds. I'm not a bad person, I don't think.)

          • You are most likely not evil, you just look like it because you like to get the job done, period.

            I have worked in several different companies in the IT field from small to very large. One trend that I have noticed is that a knowledgeable "technical" manager is a rarity. Some may argue that this is not true; I apologize to those managers that are 'actually' hands on at least a little with their admins. I have been lucky and have had a couple of these rare species to learn from.

            From what I have seen, most ma
              The best boss I ever had was not technical. He had only technical people working for him, and understood enough of the technology that his nods weren't trying to stay away. What he did though wasn't understand the technology; he translated the technical talk into managerese, and vice versa. He made sure we got the resources we needed, work to do, fair raises, and most of the time wasn't in our way.

              Technical managers are better than average, but they suffer from wanting to be engineers. So they try to f

          No matter what you want to do or what needs to be done, there is always someone who will undermine you, attack you or make you jump through hoops. You can gain ground, but you will never win.

          Consistent with this idea is the possibility that the top dogs want it to appear that the people in charge of security are largely inept. That could provide the "evidence" for demanding more fundage from the Administration. Just look at the so-called war on drugs....

          Please remember: Just because I might sound para
      • Re:How did (Score:3, Informative)

        by 56ker ( 566853 )
        Here's a link to the actual hearings page [house.gov] and the Computer Security Report Card 2003 [house.gov] (pdf file).
      • by Anonymous Coward
        Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.

        Not a federal govt IT guy, but I work for a state govt organization. The bureaucracy is a BIG PROBLEM. My fellow IT workers and myself are definitely not complete idiots. If we had our way, we'd ditch all the unsecure technology (i.e. MS stuff) in a heartbeat. The problem centers around our upper management *ordering* us to
        • by Anonymous Coward on Wednesday December 10, 2003 @01:05PM (#7681067)
          I work for a government agency (also not federal but state.) And I'll back up what you are claiming. I'm probably one of the highest ranking technical people in the dept and definitely the highest ranking in regards to network security. It's not uncommon for non-tech superiors to order very insecure things to be done, especially if their proprietary app "requires" it to work.

          I wanted to replace TELNET access with SSH to our most important server (manages all budgets, accounting, payroll, and also contains a LOT of data that would be considered a privacy breach if released.) I was informed that this could not be done because a handful of people use an app from the vendor which requires telnet access to work. This server is on a LAN which is accessed by several hundred members of the public daily.

          So I ran ettercap and showed how trivial it was to capture my boss's password and capture the whole telnet session including root password. I was again told that "Yeah, that is a risk, however, you still can't disable TELNET. It is required."

          Of course, the right thing for my boss to have done would have been to pressure the vendor to move to SSH on their app. But that would have cost money after all. I couldn't even filter telnet from the public access systems because it was some of them which actually needed to run the application. In the end all I could do was send a memo detailing the risk to my boss so I could cover my own ass if something happened.

          • by hackstraw ( 262471 ) * on Wednesday December 10, 2003 @01:45PM (#7681470)
            "Yeah, that is a risk, however, you still can't disable TELNET. It is required."

            I was in a similar situation, and I modified the telnet daemon so that a password wasn't required and put the telnet app on a different port and tcp wrappered that port. Granted this wasn't financial info, but I could not have a plaintext password going to a mission critical system.
      • Re:How did (Score:5, Interesting)

        by demachina ( 71715 ) on Wednesday December 10, 2003 @12:40PM (#7680826)
        I haven't read the details of how this report is generated but the Washington Post said the agencies self report the data. As a result the whole thing should be taken with a grain of salt. Getting an "F" could be a cynical ploy by an agency to make itself look bad and get billions more dollars to spend on new computers. These are bureaucracies and they tend to work this way especially when it comes to maximizing their budgets and the deficit.

        The report would be much more credible if an independent inspector general or analyst audited the agencies and probed their defences. Perhaps someone who knows can describe how the report is produced and how likely it is to be a meaningful assessment of real security.
      • by edward.virtually@pob ( 6854 ) on Wednesday December 10, 2003 @12:54PM (#7680964)
        Speaking as someone who spent many years fighting various Good Fights against government idiots, I will say that government agencies will continue to get failing grades on security because they place the whims of incompetent managers above the advice of their technically competent employees. Not all government IT people are idiots, but most of them have no interest in challenging their pointy-haired bosses because those who do suffer pay discrimination and -- if they're really stubborn -- termination. So government sites will remain a monoculture of poorly patched and insecurely configured MS products just waiting for a new virus to slip in and lay waste to everything in sight. In other words, most government sites are like most corporate sites, and for similar reasons.
      • Patriot Act (Score:3, Interesting)

        by QEDog ( 610238 )
        The newest department in the federal government, the Department of Homeland Security, got off to a bad start with an overall "F" for its computer security, despite the fact that securing the nation's network is part of its mission

        The sad thing is that instead of fixing these things, they go on and take away liberties from the citizens to prevent ' terrorism '. Patriot Act anyone? So, for their ineptitude, we lose our rights.

      • Re:How did (Score:3, Interesting)

        by NastyGnat ( 515785 )
        I'll vote on the idiots side of it.

        A) Homeland Security E-mail is NOT encrypted and it is regularly sent to hotmail and other "webmail" based accounts. What IDIOT would allow that? (note: They are taking steps to get rid of the webmail accounts)

        B) The bunch of folks I've been working with in regards to other homeland security stuff don't know the difference between a passive and active FTP session.

        I'm not saying they are all idiots... but toss a few idiots in with the PHBs and don't expect anything grace
    • Re:How did (Score:5, Funny)

      by TedCheshireAcad ( 311748 ) <ted@fUMLAUTc.rit.edu minus punct> on Wednesday December 10, 2003 @11:46AM (#7680262) Homepage
      Like any organization, they've outlined a strategic plan [dhs.gov] to assess the situation and assigned a mission-critical task force to consolidate committees and subcommittees on bleeding-edge decision making processes. They've empowered the new paradigm, they're looking down the road, and keeping their feet out of the mud.

      Yeah, they're right on top of it.
    • Re:How did (Score:2, Informative)

      by jgabby ( 158126 )
      Here [house.gov] says that the DHS scored a 34 ... the lowest of all the agencies surveyed. Way to go, guys!
    • govt IT (Score:5, Insightful)

      by Anonymous Coward on Wednesday December 10, 2003 @12:53PM (#7680962)
      I work for one of the agencies that failed (and thus am posting AC because I don't think they'd like this).

      I'm in a general research facility (nothing classified, etc.) with about 70 people, most of whom have one or more computers. We have 30% of one person's time as IT staff because our agency will not give us funding to hire anyone else. This person has little or no training in computer security. I worked as a unix sysadmin for a few years, and know more about the nuts & bolts of IT security than our IT person. Given the way the govt determines pay grade, we couldn't hire a competent IT person even if we had the money, because we couldn't offer enough money.

      Anyway, what this boils down to is that everyone is responsible for the security on their own computer. With no training, and no time allocated for doing so, since everyone has a full slate of tasks of their own (yes, despite being federal employees we do work pretty hard). My location doesn't have an enforced security policy, even on things so definitely hazardous as enforcing the use of antivirus, not using un-passworded windows shares, etc.

      Even worse, the agency in question requires admin staff to use custom-written and obsolete administrative programs that won't run on an OS newer than Windows 98. The people dealing with payroll and personnel data have the least securable computers. Nice, no?

      Our regional IT staff don't seem to have much formal security training, and have made some decisions I consider questionable. The agency IT staff have also done some odd things, like recently forcing us all to switch our email to GroupWise.

      From my perspective, yes, we deserved our failing grade. It's primarily due to lack of support for creating and maintaining a coherent security policy. There's no substantive training, and very little awareness among the higher-ups of the needs of facilities like mine, where everyone has different technology requirements to perform their duties. The administrative legacy software issues don't help either.

      just sign me... not admitting to anything. :)

  • by cspenn ( 689387 ) <financialaidpodc ... .com minus punct> on Wednesday December 10, 2003 @11:30AM (#7680107) Homepage Journal
    As long as the US Government continues to rely on contractors and subcontractors who have no interest or profit motive to secure USG networks, the government will continue to be insecure. Compound that with the fact that the government remains married to Redmond for the majority of its end user systems, and it's no surprise that they received a "D".

    Frankly, I wouldn't be surprised if the USG turns around and tries to pass additional "information security protection" legislation in response to this study, just like software vendors now do for reviewers. You can't say anything about USG systems under the rubric of anti-terrorism.

    Sigh.
    • by GoofyBoy ( 44399 ) on Wednesday December 10, 2003 @11:37AM (#7680177) Journal
      >the US Government continues to rely on contractors and subcontractors who have no interest or profit motive to secure USG networks

      What makes you think that it's the fault of contractors? Nothing in the articles says this. In fact one of them blames internal, high-level staff.

      From the ZDNet article:
      "We must get those at the very top, the decision makers, the ones accountable to the shareholders, the customers or the electorate, to recognize that lack of network security in an organization is a material weakness and one that deserves necessary resources and immediate action."
    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Wednesday December 10, 2003 @11:39AM (#7680190)
      Comment removed based on user account deletion
      • by Davak ( 526912 ) on Wednesday December 10, 2003 @11:46AM (#7680264) Homepage
        I am assuming that you are not trolling.

        I have seen the contractor system work very well in the past... however, it took multiple redundant contractors to complete one system.

        For example, we recently set up a system in a clinic that deals with medical records. One contractor brought in the boxes, networked them, and left. Then we brought in our security contractors that locked down the boxes as tight as possible. After that, we had our internal security guru try to pick apart their security... and they came back and corrected the problems they left.

        The security guys are not the general installation guys.

        Save your energy... and get separate contractors.

        Davak
      • by cspenn ( 689387 ) <financialaidpodc ... .com minus punct> on Wednesday December 10, 2003 @11:48AM (#7680290) Homepage Journal
        I used to work for a government contractor a couple of years ago. Security - even when we got security guidelines, my fellow coders picked and chose which of them they actually felt like coding.

        Now, should they have been canned? Absolutely. Were they? No. Is that the government's fault? Only partially, in the sense that the government didn't have any way of verifying whether the work we were doing met the standards they specified. Management at the government and at the contractor simply agreed that things looked good, and that was that.

        Hence my comment.

        • Wait... so you KNEW that coders working on government contracts were failing to provide adequate implementations of required security measures?

          While I'm not one to use the word "treason", if you failed to alert anyone to this behavior, that could certainly be construed as a failure to fulfill your civic duties.

      • I'm a sysadmin for an agency under DoD - those contractors work for me, sort of.

        The government's responsibility in IT is project management - at least in the agency I work for. You wouldn't expect your CIO or any other manager to be 100% up to speed on latest IA trends - that's what we have contractors for. Government IT professionals make decisions based on input from the people who actually do the work.

        I've worked both sides of the fence. I spent four years in this agency as a contractor heading up

        However, you've also got to remember that as a contractor, there's certain things you're not allowed to do that a government worker would, including saying something like "this needs to be done". That apparently financially obligates your contracting company to get it done (as screwy as that sounds).
          • by pointbeing ( 701902 ) on Wednesday December 10, 2003 @01:09PM (#7681105)
            Every government IT contract includes a "statement of work" that outlines what the government expects the contractor to do and the contractor doesn't have to do anything that's not in that statement of work. Maintaining IT security is part of the day-to-day operation of a government network and generally no modification to the contract is necessary.

            But - when something falls outside the realm of normal IT operations the contractor can ask for more money - as an example we bought about a hundred firewalls to deploy to satellite offices. The contract we have with IT support staff allows X number of billable hours per job description. Installing and maintaining those firewalls was not factored into the contract so the contract was modified and IA staff increased by four people.

            "This needs to be done" doesn't necessarily obligate the contractor. It does if it's part of the normal duties outlined in the contract, but if it exceeds time and materials outlined in the contract the contractor has the right to ask for more money.

      • by k12linux ( 627320 ) on Wednesday December 10, 2003 @01:45PM (#7681479)
        I work for one of these contractors. Frankly, we do exactly what they ask us to do.

        If these departments want to be secure, they need to give guidelines up front

        Frankly I'm not surprised. The whole "lowest bidder" framework is crap in most cases. Here is the process for building our last new school (from a tech standpoint anyhow) if anybody is interested:

        1. Meet with contractor and give very detailed instructions about required wiring closets, cabling, cable drops, etc.
        2. Eventually get a copy of the bid specs and floor plans.
        3. Go over very thick specs book with your stuff scattered all over it and look over floorplans.
        4. Meet with contractor again and point out that a) there are NO wiring closets, b) drops are not marked on plans, c) none of the fiber you asked for is included, and d) the cable types are not what you specified.
        5. Receive addendum to specs which appears to fix everything.
        6. Specs go out for bid
        7. Vendor who you have worked with before realizes things still aren't right and doesn't want to lose out on the bid but doesn't want to get a bad image with you either sets up a meeting to point out all of the remaining problems with the specs. (This only happens if you are lucky.)
        8. Send revision request to the contractor/architect again and another addendum to the specs is released.
        9. Finally get everything out to bid.
        10. Choose who gets the bid (again, this was fortunate because often it just goes to the low bidder.)
        11. Sub-contractor contacts you to point out that architect put some copper runs over 400 feet long despite the fact that a wiring closet was right across the hall. (This often doesn't happen with low bidder.. they just do the job as the specs/plans say... any mistakes.. too bad, the job is up to spec.)
        12. Eventually building is done and you still find stuff that isn't right.

        With the "lowest bidder" mentality, your specs better be PERFECT and include EVERY little detail on the setup and configuration. You can't assume ANYTHING. You had better include all the details or at least reference standards which do. The vendors who care to do a good job won't get the contract because they'll come in with a higher bid.

        The ones who don't care usually win because they bid exactly what is in the specs... no more, no less. If there is a mistake, they'll build it with the mistake in place. If there is a security hole, guess what.. it goes into the system. And if you aren't writing the specs yourself, watch out. You might get an architect like we had who in one meeting finally admitted, "Well, I really don't know much about this computer cabling stuff."

    • That's the biggest load of crap I've ever heard unless what you mean contracting "companies" rather than the contractors themselves and even then I'd have to disagree. A _vast_ majority of the contractors working on cyber security issues have a huge, personal interest in keeping things secure. And, furthermore, the "profit motive" is very clear: Contracts are won and lost on the report card. If a company is hired to protect a gov't network and that network is shown to have been compromised (or vulnerable) t
    • by nemaispuke ( 624303 ) on Wednesday December 10, 2003 @11:42AM (#7680223)

      Yes there are a lot of contractors and Government employees who don't have a clue. The bigger problem is what guidance is given to people who have to secure those systems (particularly Unix). All Information Assurance personnel want to hear is whether the machines are C2 or not (never mind TCSEC was declared dead March 11, 1999). And this only covers auditing, so they are concerned about trust, not security.

      The last project I worked on we had to use the Defense Information Systems Agency STIG as if it was the bible of Unix security. Here is the mentality of DISA: the Solaris section covered 2.5.1, the AIX section covered 4.3 (but not 5L) and for the most part was only concerned about auditing. Check it out for yourself at:

      http://csrc.nist.gov/pcig/cig.html

      If you have administrators who are limited by inept guidance, what do you expect!

      • Very well put.

        From my observations, I have concluded the following two reasons being responsible for security breaches in computer systems.

        One:- Not knowing your priorities. Even if you hire the best security personnel in the industry, if you don't know what is THE MOST important aspect of your business you want to guard, you are destined to be owned. People talk about security without implying what exactly they are securing; this leads to lots of holes in your security.

        This leads to common mistakes li

      • If you have administrators who are limited by inept guidance, what do you expect!

        Being a federal employee and a sysadmin I expect the contractor to inform his government.

        I just used the DoD Wireless STIG to draft an 802.11 policy for the agency I work for. It actually wasn't a bad piece of work :)

        DISA is still trying to make 802.11 impossible in DoD - but we're working out the kinks now.

    • by div_2n ( 525075 ) on Wednesday December 10, 2003 @11:52AM (#7680328)
      The only thing that WOULD be good in my opinion is setting up liability legislation. If any contractor or software company KNOWINGLY designs and deploys a system whether hardware or software without making security a key design consideration in the interest of making the lowest bid, then they should be liable.

      There comes a point of accountability when contractors should stand up and say, "I won't do this project if you won't fund the proper security design issues."

      You wouldn't knowingly make cuts that would affect whether a system actually operates or not. Security shouldn't be any different.

      I have turned down jobs before when I knew that what they asked was completely at odds with the client's best interest. I told them that and they understood.

      Equally should agencies and companies be held liable if they knowingly deploy a system that is fundamentally insecure in the interest of just "getting it done." A bank would be held liable if they left their front doors wide open and their vault unlocked overnight. Leaving security unconsidered in computer and software systems should be treated equally if not more harshly.
    • Until security is as measurable as the price of a contract, it will always take a back seat.

      Unfortunately measuring security is difficult. One may conduct an extensive (and expensive) study like this report card. Alternatively, most measure security by what *doesn't happen* (viz. successful attacks), which is insufficient.
    • I happen to be one of those contractors (although the agency I am in is not listed thankfully, but I have not been able to find the full text of who got what report).

      This is not an issue with contractors or subcontractors. This is an issue of money, plain and simple. You try to hire enough personnel.. buy the right equipment, when there is no money to do so.

      We work with what we have, and do our best. Until those people in the position to fund security departments do so better, security will always be ad hoc.
  • by jaredmauch ( 633928 ) <jared@puck.nether.net> on Wednesday December 10, 2003 @11:30AM (#7680108) Homepage
    I think that until there is significant user-education on this topic, some of the issues raised (weak passwords for example) won't ever be fixed. I think that the movement to a smart-card (oh wait, directv will sue you if you try this but ..) based approach of authentication is the best way. You need the card and a PIN or other text-based password in order to authenticate yourselves. This is how a lot of people work, with these private tokens (eg: SecurID). They are a PITA, but help keep unwanted people out.
    • Government employees are not truly accountable. A friend of mine will routinely pass me stories of just how out of whack with reality government employment is.

      Hold their jobs on the line, that is if you can get past the miles of red tape and union rules.

      A private organization could have their board taken to the cleaners by their stockholders, let alone various "Government" regulating bodies.

      Remember, rules don't apply to those who enforce them.
  • by perlchild ( 582235 ) on Wednesday December 10, 2003 @11:35AM (#7680153)
    As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."

    so let me get this straight, if all those failed security provisions are hacked, you'd get:
    1) hacked into the place that controls whether or not you go to prison(funny they're also the ones that investigate election fraud if I recall, I could be wrong, I'm Canadian)
    2) hacked into the place that controls nuclear power plants
    3) hacked into debt(identity theft) through the place that controls employment, etc...
    4) hacked into the place that determines if there is war or not
    (agriculture, interior, and "housing and urban development" weren't good targets)

    *notices how Canada doesn't announce that kind of thing, I think they're embarrassed at how badly they do*
    • by Savage-Rabbit ( 308260 ) on Wednesday December 10, 2003 @12:00PM (#7680407)
      4) hacked into the place that determines if there is war or not

      Phew!!! One shudders to think what would have happened if Saddam Hussein had known this back in March, "Operation Canadian freedom" ????
    • by corbettw ( 214229 ) on Wednesday December 10, 2003 @12:08PM (#7680486) Journal
      3) hacked into debt (identity theft) through the place that controls employment, etc...

      Actually, DHHS controls medicare and related programs, not unemployment. Unemployment details are left at the state level down here. Though if the IRS (part of the Treasury department) were hacked, you would get completely screwed. (DHHS is also the office of the Surgeon General, so maybe tobacco companies could use this to get a ringing endorsement.)

      Also, the State Department controls things like visas, so hacking in there could be a step to getting into the country in the first place.

      Hacking the Interior and Agriculture departments could be useful to get yourself some free money. They both have pretty large budgets for either grants or subsidies. I believe the Indian Bureau is part of the Interior, too, so maybe some random tribe could use it to get more money.

      Housing and Urban Development gives money to poor people in the inner city, so someone could easily use them to embezzle obscene amounts of money.

      The one I'm most scared of is the Department of Energy. They're responsible for keeping nuclear weapons from being smuggled into the country. If someone tried to float a nuke up the Chesapeake, for instance, the boys in the Energy Department have the tools to notice it and alert the Navy and Coast Guard. So getting root there means you can wave your fingers and tell everyone "this is not the tanker you're looking for."

    • It's unfair to say that any of these agencies "control" anything. They may establish macro-level policies, but it's not as if by hacking the Justice Dept. you can get a friend released from prison, or by hacking the Dept. of Energy you can initiate a core meltdown in one of the nation's (privately-owned) nuclear power plants.

      Our government doesn't make all of our decisions for us. (Yet...?)
  • High Expectations. (Score:4, Insightful)

    by Anonymous Coward on Wednesday December 10, 2003 @11:36AM (#7680166)
    Let's flip this 180. Is there anything those agencies would get an "A" on? Didn't think so, so why should we be disappointed with this news?
  • by dat00ket ( 249468 ) on Wednesday December 10, 2003 @11:37AM (#7680171) Homepage
    Agency                   Score   Grade
    Agriculture              40      F
    AID                      70.5    C-
    Commerce                 72.5    C-
    DOD*                     65.5    D
    Education                77      C+
    Energy                   59.5    F
    EPA                      74.5    C
    GSA                      65      D
    HHS                      54      F
    DHS                      34      F
    HUD                      40      F
    Interior                 43      F
    Justice                  55.5    F
    Labor                    86.5    B
    NASA                     60.5    D-
    NRC                      94.5    A
    NSF                      90.5    A-
    OPM                      61.5    D-
    SBA                      71      C-
    SSA                      88      B+
    State                    39.5    F
    Transportation           69      D+
    Treasury*                64      D
    VA*                      76.5    C

    Government-wide Average  65      D
    • Well that's before the curve. We're probably looking at a B- if the professor isn't a dick.
    • Looks like they need to bring in some university professors as consultants on grade inflation.
    • Slight correction on NASA's score - that's in metric, should actually be 92.4.
    • DHS 34 F

      Who's surprised that the department charged with protecting our nation's infrastructure got the lowest score?

      Tell me again that government is the answer to all life's problems.
    • I will sleep much better knowing that I will have power (NRC), people promoting science (NSF), and Social Security which I will pay into all my life and not get my money's worth (SSA).

      Who needs the Department of Agriculture anyway? It's not like crops will stop growing if the computers are hacked, right?

      As for the DOD getting a D, well it already has two D's so how much could a third D hurt?

      The EPA got a C. So what if they are hacked. It's not like all of a sudden I can't see the mountains in California,
    • by jd ( 1658 ) <imipak@ y a hoo.com> on Wednesday December 10, 2003 @12:42PM (#7680849) Homepage Journal
      To put this in a bit of context, the DoE has its own network intrusion detector package, which is encrypted so that only DoE people can use it. (Which is dumb, as it also means nobody can audit it, and it's so much extra work, it's likely little used.)

      NASA passed a directive over 5 years ago that all machines were to be behind a firewall, and that public webservers were to be accessed via proxies. In practice, a lot of servers stayed outside of the firewall and security procedures are often ignored.

      Probably the worst cases are servers that are accessed by rsh (not ssh - just plain rsh) with .rhosts enabled and used. These servers are amazingly vulnerable. Why? For three reasons.

      • First, the servers need to be accessed by archaic scripts on a range of external servers. This would almost be a reasonable excuse, if other authentication systems didn't exist.
      • Second, NASA (and other Govt agencies) are kept rigidly to the FIPS-180 standard. So rigidly, in fact, that many Govt. agencies are extremely wary of using software that is not specifically stated as approved, even if all the internals are approved. For example, let's say you have an approved implementation of DES, and you then have either NIST's or the DoD's version of IPSec use that for the encryption. Sorry, not OK. IPSec is not on the list. It may be 1000% better than rsh with .rhosts, it may eliminate one of the stupidest vulnerabilities, but they aren't authorized to use it.
      • Third, ancient software. This is a killer for many organizations. We are not talking a few weeks out of date, here. We're talking five to ten YEARS out of date, where there are more advisories on vulnerabilities than there are lines of code. In a few cases, vulnerable code that is decades old is still used. I've seen this in virtually every place I've worked. If you want to be secure, you can't just ignore these things. So why do they? There's no incentive to clean things up. Admins get paid to keep the bosses happy. They are not paid to perform major in-depth security audits, and are certainly not paid to find problems. Those cost money to fix. Finding problems is BAD.

      Why are skript kiddies so successful? Because their code is any good? Don't make me laugh. They're successful because the rules and regulations any organization needs to be successful are wantonly abused, preventing essential maintenance, often because reloading from backup tape is a cost that can be written off, whereas paying for decent security might hurt the balance sheet.

      In the case of Government, cost is usually not the reason. Power politics, computer-illiterate officials and self-preservation are far more common. Hackers can be passed off as inevitable. Finding gross failures in the system, though - that would be embarrassing and potentially fatal to a career.

      It's time to wake up. It's time for Government departments to realize that the rules are intended to promote security, by ensuring that buggy code is prevented from being used. The rules were never intended to impose buggy code! Nor were they intended to encourage faulty practices.

      I do not consider it acceptable that an organization that has taken on the responsibility of running the country cannot be relied upon to even run a server properly. If you cannot be trusted with something minor, how can you be trusted with something major?

      This will never happen, but I believe that any Government agency that scores below a "B" on any task that it performs should be relieved of that task. I would like to see something similar in the private sector, with shareholders actively enforcing high standards (and thereby raising the value of the stock) rather than relying on the price to magically rise of its own accord.

      These are the kinds of standards an employee would be held to, for designated work. Why, then, should implicit work be held to a lesser standard?
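As an added example (not code from this thread, and not anything NASA or the DoE ships), here is the audit a defender would run to find the rsh trust files the comment above describes: a POSIX shell script that walks a system tree for hosts.equiv and ~/.rhosts files, flags the "+" wildcard entries that trust any host or any user, and reports r-services (shell, login, exec) still enabled in inetd.conf. The tree layout, the hostnames and the sample files are constructed inside the script for an offline run; on a live host you would call the two audit functions with / as the root.

```shell
#!/bin/sh
# Added example, not from the thread: audit a system tree for rsh trust files.
# A "+" host field in hosts.equiv or ~/.rhosts trusts any host; "+ +" trusts any
# user from any host. Either one leaves an rsh/rlogin-accessible server wide open.
# The layout (etc/, root/, home/*) is an assumption; pass "/" for a live host.

# audit_rhosts ROOT
# Prints "CRITICAL <file> : <entry>" for wildcard entries and
# "WARNING  <file> : <entry>" for every other active trust entry.
# Exit status: 0 when no trust file exists at all, 1 when any was found.
audit_rhosts() {
    root="$1"
    found=0
    for f in "$root/etc/hosts.equiv" "$root/root/.rhosts" "$root"/home/*/.rhosts; do
        [ -f "$f" ] || continue
        found=1
        # "|| [ -n "$line" ]" still processes a final line with no trailing newline
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|'#'*)       continue ;;                       # blank or comment
                '+'*|*' +'*)   echo "CRITICAL $f : $line" ;;     # wildcard host or user
                *)             echo "WARNING  $f : $line" ;;     # named host; still rsh trust
            esac
        done < "$f"
    done
    return $found
}

# audit_inetd ROOT
# Prints "ENABLED <conf> : <line>" for each r-service (shell = rsh, login = rlogin,
# exec = rexec) that is not commented out in inetd.conf; prints nothing when clean.
audit_inetd() {
    conf="$1/etc/inetd.conf"
    [ -f "$conf" ] || return 0
    grep -E '^[[:space:]]*(shell|login|exec)[[:space:]]' "$conf" 2>/dev/null \
        | sed "s|^|ENABLED $conf : |"
    return 0
}

# make_fixture
# Builds a constructed sample tree in a temp directory (no real hosts or data)
# and prints its path, so the audit can be exercised without touching a real system.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/alice" "$d/home/bob"
    # alice trusts one named build host, then opens the account to everyone with "+ +"
    printf 'build01.example.internal\n+ +\n' > "$d/home/alice/.rhosts"
    # bob has a comment and a single named host (bad practice, but not a wildcard)
    printf '# legacy build script trust\nbuild02.example.internal\n' > "$d/home/bob/.rhosts"
    # rsh itself is commented out, but rlogin is still live
    printf '#shell\tstream\ttcp\tnowait\troot\t/usr/sbin/in.rshd\tin.rshd\n' > "$d/etc/inetd.conf"
    printf 'login\tstream\ttcp\tnowait\troot\t/usr/sbin/in.rlogind\tin.rlogind\n' >> "$d/etc/inetd.conf"
    echo "$d"
}

# "sh rhosts_audit.sh --demo" runs the audit against the constructed tree.
# For a real host: audit_rhosts / ; audit_inetd /
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    audit_rhosts "$root"
    audit_inetd "$root"
    rm -rf "$root"
fi
```

Against the constructed tree the script reports one CRITICAL line (alice's "+ +"), two WARNING lines (the named build hosts) and one ENABLED line (rlogin). Any WARNING is already a finding worth a ticket: the fix the comment calls for is not tighter .rhosts entries but replacing rsh trust with an authenticated protocol and disabling the r-services in inetd.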

    • by GMFTatsujin ( 239569 ) on Wednesday December 10, 2003 @12:47PM (#7680891) Homepage
      In other news: President Bush announced today that as part of his "No Government Agency Left Behind" plan, any agency that could not show marked improvement in performance within 16 weeks would be grounded, have its allowance withheld, and would not be allowed to go to Prom. In related developments, the NRC and NSF would like their lunch money back.
  • NSF got A (Score:5, Insightful)

    by KD5YPT ( 714783 ) on Wednesday December 10, 2003 @11:40AM (#7680198) Journal
    See what we get when there's an agency run mostly by the intellects and not bureaucrats?
  • Possible reasons (Score:4, Interesting)

    by vchoy ( 134429 ) on Wednesday December 10, 2003 @11:40AM (#7680204)
    This is MHO:

    Look how much is spent on 'physical' security and you will see why. A Government agency that is physically attacked (eg bomb, chemical, bio) usually results in human casualties/lives...and is very hard to cover up.

    Now look at attacks on computer security (eg cyber attacks, worms, compromised systems). A Government agency that is 'electronically' attacked 'APPEARS' to not result in human casualties/lives.

    Notice I stressed the word 'appears' in my last comment. I say this because it may be the real situation OR it may be we don't know, as previous cases have been covered up...as it is easier for an organisation to cover up these types of attacks.
  • by instantkarma1 ( 234104 ) on Wednesday December 10, 2003 @11:41AM (#7680212)
    After my experiences dealing with DOD contractors, and their use of firewalls: specifically, firewalls were used to strip out JavaScript on the fly; they were not used to block unauthorized access (that, of course, was left up to the administrator of each individual server).

    Needless to say, this does not lend itself to a centralized, comprehensive security plan.
  • Sad.. (Score:5, Interesting)

    by hookedup ( 630460 ) on Wednesday December 10, 2003 @11:43AM (#7680236)

    Added Chairman Davis, "I'm deeply concerned that too many agencies have not yet responded to FISMA's requirements; for example, the fact that 79 percent of agencies don't even have accurate system inventories casts doubt over the entire reporting process."

    I work in IT for a govt. agency here in Canada, and to not have an accurate inventory of our hardware is absolutely unthinkable. 79% of agencies having no idea where their systems are (and aren't) is a recipe for disaster.
    This whole thing reminds me of a couple of years back, when a CSIS (Canada's spy agency) agent went to an Ottawa Senators hockey game, leaving her laptop in her car, only to have it stolen when the car was broken into.
  • Ugh. (Score:3, Interesting)

    by dwaggie ( 106338 ) on Wednesday December 10, 2003 @11:45AM (#7680261)
    The main problem with ALL government agencies is that almost all of their actually employed work is 90% opened only to internal candidates. And they try to fill it in that way. Why? Because background checks cost a lot of money, and getting clearance for people up into the higher echelons would cost even more. That's the main part of your problem right there, really. If they hired more people externally, and paid them what they're worth, no problem at all.
  • by theMerovingian ( 722983 ) on Wednesday December 10, 2003 @11:49AM (#7680296) Journal

    This report card was supposed to be classified.

  • Did you actually expect anything different? Most any time a report comes out about a government agency, it is bad. The whole point of having a report is to show that it is bad. I'm sure the points that are raised are valid, but I hardly think that the report was supposed to be balanced.
  • Physical Access (Score:4, Informative)

    by rf0 ( 159958 ) * <rghf@fsck.me.uk> on Wednesday December 10, 2003 @11:50AM (#7680314) Homepage
    You can have all the cyber security (firewalls, IDS, etc.) you want; however, there is still the risk of someone just stealing a laptop and getting access to a load of secret files.

    Your security is only as strong as your weakest link.

    Rus
  • errata yadda yadda (Score:5, Informative)

    by segment ( 695309 ) <sil@po l i t r i x .org> on Wednesday December 10, 2003 @11:54AM (#7680355) Homepage Journal

    Compsec... and they had so-called mapped-out plans for years now too... (NATIONAL PLAN FOR INFORMATION SYSTEMS PROTECTION EXECUTIVE SUMMARY [politrix.org]). One quote I will always remember is something to the extent of "the feds are good at carrying guns, not locking down machines."

    There are so many variables involved with government that they are the ones shooting themselves in the foot. Consider: if you're using a machine right, and you know it's insecure, and you took it upon yourself to fix it, you could be charged with a crime. Hell, slightly off topic, but look at what the gov did with the so-called chaplain spy [cnn.com] (charged with downloading porn).

    I'm sure the gov's IT staff throughout the branches are overwhelmed with things, so it's a bit unfair to call them all clueless gimps or similar. However, I will throw this out as a 'story': someone stated they worked for a gov agency. This person described the procedures for daily wipes to ensure things are wiped, etc. According to him, he had never seen it done, because they never bothered with it. Now imagine if one of these machines were thrown out and the machine had material on it that was highly sensitive. It happens more often than some think.

  • by csnydermvpsoft ( 596111 ) on Wednesday December 10, 2003 @11:56AM (#7680376)
    The only reason that government agencies are able to get away with this is because nothing embarrassing has happened yet. Wait until a hacker manages to get a few thousand social security numbers from a government agency computer - then we'll see some real change.
  • As an employee (Score:5, Informative)

    by blankmange ( 571591 ) on Wednesday December 10, 2003 @11:56AM (#7680380)
    of the Fed, I would have to agree. Where I work, we rely (almost 100%) on Microsoft products (OS, applications built with Office, etc), so we are bombarded with updates, patches, and alerts. Also, I am the tech support in the District Office here, so whenever there is a problem with a workstation, it is usually (75% or so) user-related. In other words, they didn't know what the hell they were doing. My agency is one of the few that actually improved since last year, but we have a very long way to go before I would put my trust in them.

    In addition, those of you who sound surprised, try reading The Myth of Homeland Security by Marcus Ranum (here [amazon.com]). It is surprisingly accurate, and not just another 'chicken little' diatribe.

    • Re:As an employee (Score:2, Interesting)

      by Kyoya ( 152664 )
      Well that may be true internally but a spot check of that server list listed all 4 that I looked up as running Solaris with Netscape.

      Kyoya

    • it is usually (75% or so) user-related. In other words, they didn't know what the hell they were doing.

      Is that really user-related in all cases, though? Or can it be that MS products simply don't lend themselves to a deep level of understanding because of their bloat and sometimes deliberate-seeming obfuscation of even the simplest tasks?

      The PCs around my work regularly do wacky things for no reason anyone can fathom. Just people using them normally and no mucking about with anything sensitive, and sometimes

  • by richg74 ( 650636 ) on Wednesday December 10, 2003 @12:05PM (#7680462) Homepage
    Here is the link [house.gov] to the actual page containing the report card.
  • by Dr. Nnivel ( 674463 ) on Wednesday December 10, 2003 @12:08PM (#7680498)
    Yes, this is truly pathetic. But honestly, folks... how many people are surprised by it? The U.S. government has something of a history of neglect when it comes to technology, as several have pointed out. After all, it's a sad day when major government systems can be compromised by worms of any sort. It simply shouldn't happen. Period. And yet it has. And then, there are the constant sad stories coming out of the U.S.P.O., where people are patenting things that are blatantly not their own.

    So, here's what we need: A government office that is responsible for the electronic welfare of the country. Not merely a minor department in some other place, but a significant entity of its own. It would be able to stop all these government technological blunders before they happen, being comprised of tech-savvy individuals. Or at least, it would have some people who specialized in the field. Yes, it may sound Orwellian, but it wouldn't be much more so than what we have now: Now, several government agencies work completely apart from one another to regulate electronics, and each government department is responsible for its own security. This would simply take this task out of the hands of the overworked and unknowledgeable, and might actually boost those grades.
    • Ah! The answer to bad government is more government!

      Orwellian isn't the only problem with that answer. I'll grant you, it's one of them.

      If you notice a systemic problem, you should presume that there is a basic design flaw in the system. I'm sure that one could create models that would display similar characteristics, and then compare them to see what characteristics of the system cause the problems. What would fix them. And what the expectable side effects of the fix would be. This should be a proj
  • According to debkafile [debka.com] Al Qaeda's next attack "will consist of a series of surprise attacks that will cut America off from communication with its armies in Muslim countries."

    Then I see this news.

    I don't think people realize how big of a threat poor computer security can truly be. I hope that this is fixed before a "wakeup call."

    Yikes.
  • Notice how computer "security" gets a lot more press these days? Pretty soon, Joe Sixpack will be clamoring for his TCPA/Palladium/NGSCB "protected" PC that he believes will protect his data. Little do Joe and friends know what they'll be buying.

    Sure, non-locked hardware won't be illegal right away, but it'll get a lot more expensive when it isn't mass-produced because it can't run Longhorn.

  • by andih8u ( 639841 ) on Wednesday December 10, 2003 @12:14PM (#7680549)
    I did contracting work for the government and most of the blame lies in trying to do anything with a couple of government employees in charge of what actually gets done. The stereotype of them being lazy and generally slow to get anything accomplished is absolutely correct. When you mix a fast-paced IT world with an "I can coast until retirement" attitude you get bad things happening. The other half of the problem is the users who put the password for their Windows login and dial-in on a sticky note on top of the laptop. On the other hand, any of the actual critical servers were well monitored and they would track down any break-in attempts, etc.

  • by 4of12 ( 97621 ) on Wednesday December 10, 2003 @12:16PM (#7680561) Homepage Journal

    All of these security problems at Federal Agencies, with Blaster, Welchia, spam, "piracy" etc. are going into a big hopper, where they will be used as reasons to justify TCPA [cam.ac.uk], aka the Death of My Computer.

    In a nutshell,

    "Since IT security is in a such a poor state right now, the solution is obviously to put greater power in fewer hands."
    Yeah, right.
  • This comes as no surprise, but it's certainly not restricted to the government. Corporate security people tend to be idiots as well. I've worked for so many managers who really don't want to know how insecure their security is.

    There's this nasty "kill the messenger" syndrome that makes (good) security specialists unpopular in corporations--and probably in the government as well. They are inevitably required to point out things that make other people look bad, and insecure managers are great at getting them
  • by Anonymous Coward on Wednesday December 10, 2003 @12:18PM (#7680595)
    I'm a sysadmin at a non-secret DOE national lab, which is run under contract by a non-profit corporation. I'm posting anonymously 'cause people higher up don't like this sort of thing discussed publicly.

    So several years ago our Lab got handed an ultimatum that we had to come up with a security plan; our computing folks wrote up a proposal, it got sent back with issues needing clarification, there was another round, etc. This went on for about a year. Finally we get one of the drafts back, and we're told, in so many words, "this one's good, you have 6 months to have it in place".

    So now we have 6 months to redo every system on site, with no added budget to do so and no relaxation of other goals. To have any appearance of complying we basically had to set up a system for granting exemptions where each system exempted had to present a timeline for when it would be completed, etc. So at the end of the 6 months we were able to say that everything was either under the security plan, or had an exemption on file saying when it would be under the plan, or how it would be put behind a firewall, etc.

    But the real problem was that the proposal should have been met with discussion of a reasoned, planned schedule, and sufficient resources to implement it, rather than pretending a major security rework could be rolled out for free in 6 months. This goes all the way up to Congress, who passed this law about having agencies report on computer security, but so far as I know didn't designate any funds to pay anyone to do anything about it.

  • by Ignorant Aardvark ( 632408 ) <cydeweys.gmail@com> on Wednesday December 10, 2003 @12:25PM (#7680668) Homepage Journal
    My father is a lawyer for the Department of Justice, and part of the reason for the insecurity is the federal bureaucracy. I'm a Linux advocate and my dad is a pretty techie guy. He was running a webserver on the WAN for his colleagues and wanted me to help him set up Apache. That was shut down directly by his superiors: Microsoft IIS is the only webserver "supported and recognized" by the IT department, and anything else is not allowed. In addition, the only browser you are allowed to use is IE and the only mail reader you are allowed to use is Outlook. I really wanted to help my dad secure his workplace by switching him away from a mailviewer that executes all attachments and a webserver known for its insecurities. But the Microsoft culture is so entrenched there that it wouldn't fly.
  • The DoD is something I know about -- I can't even get rights to install another network printer. I'm in the Army Reserve, and we're told we have to talk to the "building network administrator," who isn't there on weekends... which is the only time we're there. In a DoD network, all this stuff comes down to one guy per building/unit/whatever. If he's not on the ball, the whole unit can go down in a blaze of MSBLAST.
  • by LazloToth ( 623604 ) on Wednesday December 10, 2003 @12:28PM (#7680691)

    Okay, I know, I know - - I'm the soft-hearted liberal who still thinks government does some good and stops some evil. Anyway, with such lousy marks coming out, why don't some of the Slashdot geniuses who are not yet employed go into consulting, get some security contracts, and make some dough while improving things for all of western society?

    Just a thought . . . .

    On the other hand, we could just go on talking about how lousy the government is in every aspect and wait for the whole thing to implode like a cow patty.
  • by rice_burners_suck ( 243660 ) on Wednesday December 10, 2003 @04:02PM (#7682775)
    House Government Reform Subcommittee on Technology
    Survey Questions

    (1) Name of your government agency:
    (2) Number of computers installed:
    (3) Do any of your computers run Windows and/or other software from Microsoft?

    Scoring: Use the following chart to score your agency's computer security:
    Do NOT use Microsoft products: A.
    Use Microsoft products: F.

    Thank you for taking the time to fill out this survey.
