Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Government United States

Is the US Government's Cybersecurity Agency Up to the Job? (cnn.com) 71

CNN reports that some critics are now questioning whether America's Cybersecurity and Infrastructure Security Agency (CISA) is equipped to protect the integrity of government systems from adversaries: Some of the nearly half-dozen government agencies affected by the hack have recently reached out to CISA for help with addressing the known vulnerabilities that were exploited in the attack but were told the agency did not have enough resources to provide direct support, according to a source familiar with the requests. The person noted the slow response has only increased the perception that CISA is overstretched. Multiple sources told CNN that CISA, which operates as the Department of Homeland Security's cyber arm, does not have the appropriate level of funding or necessary resources to effectively handle an issue of this magnitude.

"It's a two-year-old agency with about 2,000 employees, so clearly that level of responsibility is not commensurate with the resources that they have," Kiersten Todt, a former Obama cybersecurity official and managing director of the Cyber Readiness Institute, recently told CNN....

"CISA is not capable," according to James Andrew Lewis, cybersecurity and technology expert at the Center for Strategic and International, who added that the agency's failure to detect the breach months ago was largely due to the fact its attention and resources were consumed by efforts to secure the 2020 presidential election. "CISA has always been and will continue to be slammed by the responsibilities heaped on it by law," Daniel Dister, New Hampshire's chief information security officer, told CNN. "They have been overloaded with work from the start and have had a hard time coming up to the level of expertise that DoD/CYBERCOM/NSA has enjoyed."

Yesterday the New York Times noted the breach wasn't detected by any U.S. government cyberdefense agency (or the Department of Homeland Security), but by private cybersecurity firm FireEye. "It's clear the United States government missed it," the Times was told by Senator Mark Warner, ranking member of the Senate Intelligence Committee. "And if FireEye had not come forward, I'm not sure we would be fully aware of it to this day." The breach is far broader than first believed. Initial estimates were that Russia sent its probes only into a few dozen of the 18,000 government and private networks they gained access to when they inserted code into network management software made by a Texas company named SolarWinds. But as businesses like Amazon and Microsoft that provide cloud services dig deeper for evidence, it now appears Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks.

The hackers managed their intrusion from servers inside the United States, exploiting legal prohibitions on the National Security Agency from engaging in domestic surveillance and eluding cyberdefenses deployed by the Department of Homeland Security. "Early warning" sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed. There is also no indication yet that any human intelligence alerted the United States to the hacking.

This discussion has been archived. No new comments can be posted.

Is the US Government's Cybersecurity Agency Up to the Job?

Comments Filter:
  • In typical government fashion the call for more funding is one of the first things put out. No organization has enough funding, it's up to management to sort things out and prioritize.
  • by weilawei ( 897823 )

    Because the NSA, even with their immense funding, can't do their job properly, and feel the need to spy on American citizens, in direct contravention of their charter and the law.

  • Then they are doing great

  • It is all closed door policy stuff. If we knew the answer then we would be a threat and caged or killed.

  • by Futurepower(R) ( 558542 ) on Sunday January 03, 2021 @01:13PM (#60891260) Homepage
    Maybe NO organization has excellent technical ability, in my experience. The complexity of technology is greater than most technically-knowledgeable people know how to understand.

    We are beginning doing accounting for last quarter. NO bank or tax authority has a well-designed web site.

    Intel has poor management [slashdot.org].

    Boeing Aircraft [slashdot.org] is poorly managed.

    Microsoft is poorly managed. [slashdot.org]
    • Boeing wasn't always that way. What I understand is that it took a nosedive (pun intended) around 20 years ago. Historically, their planes hadn't been known for nosediving. The prevalence of incompetence in big organizations is a product of a society that increasingly rewards incompetence, and the biggest organizations attracting the ones who want the biggest reward. It doesn't necessarily have to be that way, but it will be as long as things keep consolidating and monopolizing - Microsoft with its OS, Boei

      • The real problem is that not only was Boeing ran into the ground by MBAs like GE was, but it STILL CONTINUES. The amount of inept ppl at the top of Boeing is nothing less than sad. Best thing that can happen is to break them up vertically (i.e. 3-4 companies, each with all of the same sub-depts, such as Commercial, Space, Military, etc.). This way, if several of them fuck up, not a big deal.

        Totally agree with you about reagan and his merry bunch of idiots. W continued the same BS, and Clinton/GOP did a f
    • Need to add Google to that list. And yes, Google is VERY POORLY MANAGED.
    • by sinij ( 911942 )
      Is this the sign of approaching idiocracy?
    • by AmiMoJo ( 196126 )

      The NSA might have excellent technical ability. Unfortunately they are one of the foes that US Cybersecurity is up against.

    • Maybe NO organization has excellent technical ability, in my experience. The complexity of technology is greater than most technically-knowledgeable people know how to understand.

      I think the problem is that there are not enough technically minded people to go around. We are pushing people through code camps and they get hired with a few months training.

      Which is ok for a React front-end, but then they start building micro-services and don't have the foundational knowledge in networking and asynchronous processes, and things fall apart when you push them a little.

  • by stikves ( 127823 ) on Sunday January 03, 2021 @01:22PM (#60891286) Homepage

    Trying to keep "security holes" to yourself, and assuming bad actors will not exploit them is not a good way to handle national security.

    NSA has a dual focus, and one of them actually tries to make sure systems are kept secure. But that requires patching all known security holes. Even the ones known only to a few restricted people.

  • No theyâ(TM)re not up to it
  • by MpVpRb ( 1423381 ) on Sunday January 03, 2021 @01:34PM (#60891320)

    ..when you pay low wages, require drug tests and have a dress code

    • Add to that it is hard to find competent people when management is subject to political pressure.
      It is bad enough when in the corporate world management is more concerned with quarterly results and/or their own compensation rather than product quality.
      • I knew the top 2 original ppl that started this. They were BOTH inept (1 of them spent most of his time oggling his wife's pix), and instead of hiring good ppl, they hired friends that were idiots. I am guessing that they continued to hire more and more idiots.
    • You mean smart, independent thinkers don't appreciate excessive restrictions on their physical body and what they do on their own time? And then they want to be paid more than a pittance when they have to wear a monkey suit no client will ever see?

      I'm shocked!

    • ..when you pay low wages,

      We are told people in government make as much as, if not more than, private industry. So which is it?

      require drug tests

      You want people to be allowed to come to work stoned [cbsnews.com]?

      have a dress code

      Oh the horror! How has this world ever survived by requiring people in a professional environment to dress appropriately? Maybe we should allow people to dress in slippers and pajamas, like they do when they go shopping. Then we can hear how it's racist to say they shouldn't show up like that [usatoday.com].

      • require drug tests
        You want people to be allowed to come to work stoned?

        If that's your concern, then we should require people in these jobs to never use alcohol.

      • Try more like "In the last seven (7) years, have you illegally used any drugs or controlled substances?" And then list the dates and times. And if you plan on using in the future, and if not why not. Working with the feds goes FAR beyond a simple UA. Go read through the 136 pages of the SF-86, which is the "standard form" for all clearances, at least the start or that process. If your going for TS/SC then also be prepared for a polygraph. Also, warn your close friends and family that they will probably be g
  • A big problem with that security has is that they cannot impose hard restrictions. When I say hard restrictions I mean being able to say, "all software must have the source code availible" and all agencies therefore have to abide. As a result they are merely a group that gets the blame when their recommendations are overridden because it's merely easier than finding a way to cause everyone to comply.

    They are doing the best they can without having real authority and this is the result. Don't like the resu

    • They TRY, but their only able to "impose" on civilian corps if their under specific contracts and are handling CUI or higher. Apparently, though, even with requirements like "All installation software must be signed" dedicated APTs can still get through, somehow snatching SolarWind's signing cert itself.
  • You must be new here...

  • They are lacking in intelligence and experience.
  • Partition the core op sys executables & make the hash match with a 'sufficient-#bits' crypto hash.

    Make network access a privleged, whitelisted & audited service.

    *my* take is that this was a russky attempt to subvert the election *for the republicans* from US sourced IP addresses.
  • They neither implement nor enforce security. Asking if they are up to job of securing the nation is as relevant as asking âoeIs Congress running the DOJ well?â or âoeIs the President writing effective laws?â

  • The task is too big for any single government agency or company. Same goes for healthcare.

    Nothing will change until pain is brought to c-level officers. We need regulations that mandate jail time for decision makers that failed to properly secure and monitor their systems. Solarwinds, equifax and OPM decision makers should have been jailed for years.

  • No, and we're not socially capable of assembling a government agency that is, because for the past 4 decades we've been systematically attacking education and demeaning and belittling all the exceptionally smart people who aren't also evil.

  • Seriously disappointed to see this story expire without a recognizable joke. That's Slashdot 2020, whoops, Slashdot 2021 for you.

  • Let's see, pass tax cuts for the wealthy and big companies, then complain about the deficit; push for "smaller government"...

    And then complain when the "smaller government" doesn't have the resources.

    Stupid MAGAts.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...