Stop us if you've heard this one: US government staff wildly oblivious to basic computer, info security safeguards

A US Senate probe has once again outlined the woeful state of computer and information security within Uncle Sam's civil service. A committee report (PDF) examining a decade of internal audits this week concluded that outdated systems, unpatched software, and weak data protection are so widespread that it's clear American …

  1. elvisimprsntr

    Why am I not surprised?

    1. Roland6 Silver badge

      So does this mean that Hillary's server was secure by comparison?

  2. SNAFUology
    Alien

    never heard that one before

    Life on Mars is rather dull, nothing to report here.

    1. wayward4now
      Alien

      Re: never heard that one before

      You're forgetting that the Blanket Bushes and Ham trees will be ready for harvest soon.

  3. Mark 85 Silver badge

    How about Congress?

    Has Congress been audited? Not sure if anyone but the political parties spying on each other would be interested but I would hope they have secure systems also.

    1. Roland6 Silver badge

      Re: How about Congress?

      I noted the absence of the IRS from the list of departments...

      1. SotarrTheWizard
        Facepalm

        Re: How about Congress?

        ...probably because Infernal Revenue relies on positively ancient mainframes... pre-Net era. Really...

        1. Roland6 Silver badge
          Pint

          Re: How about Congress?

          I always thought there might be a few SNA holdouts...

  4. Nick Kew Bronze badge
    Pint

    The spirit of ...

    the Senate's Permanent Subcommittee on Investigations

    It's the Department of Administrative Affairs!

    Now we know why the minister in charge there was Jim Hacker!

  5. sanmigueelbeer Silver badge
    Holmes

    Despite major data breaches like OPM ...

    But this is just one example of what was discovered. What about the ones that have not yet been discovered?

    If hackers were able to "plant" themselves for years in mobile phone networks then hacking their way (and planting) to some US government websites should be a walk-in-the-park.

    The horse has bolted. The ship has sailed (reached the other end and has come back for another trip). Sayonara and hasta la vista. Have I forgotten anyone? I hope not.

    1. jgarbo
      Pirate

      Zai jian...

  6. Anonymous Coward
    Anonymous Coward

    Americans can register to vote in state and federal elections here.

    As a Russian/Chinese agent, I have registered 2 billion fake voter IDs, so whoever my boss wants to win will win, regardless of how REAL US citizens vote.

    1. Anonymous Coward
      Anonymous Coward

      Re: Americans can register to vote in state and federal elections here.

      I will now be registering 3 billion voter IDs to counter the risk of people tampering with the election.

      1. wayward4now

        Re: Americans can register to vote in state and federal elections here.

        Live in fear, Earthlings! We advanced Martian double-naught spies have raised 4 billion Nubile Space Maidens (NSMs) ready to be deployed in order to enslave all male voters.

    2. Archtech Silver badge

      Re: Americans can register to vote in state and federal elections here.

      You are overlooking one little detail.

      As both parties will be putting up candidates who are unremittingly hostile to Russia and China (and, come to think of it, everyone else), hacking the election results can accomplish nothing.

      1. jmch Silver badge

        Re: Americans can register to vote in state and federal elections here.

        "As both parties will be putting up candidates who are unremittingly hostile to Russia and China"

        Unless the Republicans ditch Trump (fat chance), they will field a candidate who is extremely chummy with Russia, and indeed admires Putin and dreams of having a Putinesque level of control.

      2. Kevin McMurtrie Silver badge

        Re: Americans can register to vote in state and federal elections here.

        Not true. A completely incompetent and blatantly destructive candidate is the best for your enemies. I'm surprised that the USA is still functioning after all of the recent social, economic, and technological losses.

  7. fnusnu

    Accountability is for little people

  8. Denarius Silver badge

    not surprising

    Low-paid, low-status, generally despised tech support staff and PHBs kowtowing to myopic short-term politicians promising tax cuts and not mentioning the costs of tax cuts. It always baffled me that other nations' governments outsourced to Merkin firms who in my experience were 10 years plus behind best practice.

    1. Anonymous Coward
      Anonymous Coward

      Re: not surprising

      Look, I work in the sector, but these excuses of "short term politics" need to stop. The managers, directors etc. in post need to push back against that and tell them - NO. It's not good enough to continue to underfund departments if we cannot meet legal requirements for protecting data. We've had a situation for far too long where politicians can purposely underfund departments and nobody takes them to task over it.

      I recently got audited and failed because we'd "never fully looked at how much money we needed from government, so were unable to say whether we had adequate resources". They had a point, we'd just "made do" for years knowing we should be doing more.

      Johnny Public isn't going to be able to hold politicians to account for funding of local authorities, so staff in them have to.

      1. Tom Paine Silver badge

        Re: not surprising

        The ingredient you've missed from your reckoning, which explains why nothing ever gets done in federal infosec, is (a) the civil service is stuffed with incompetent political appointees given cushy numbers in return for campaign contributions, or left vacant either deliberately (Steve Bannon's original strategy of starving the state of resources) or inadvertently (because no-one with any IQ and honest character would work for Trump, and they've run out of redneck morons to appoint.)

        And secondly, because of the completely broken federal / state / county arbitrary separation of powers, plus the usual ubiquitous gerrymandering and pork barrel nonsense every Congresscritter has to bow to if they want to get re-elected.

        None of this will change until they tear up the constitution and start again from scratch, and THAT'S not going to happen until the pile of bodies is much, much higher, I'm afraid.

  9. Will Godfrey Silver badge
    Linux

    Shirley Knot

    I thought these people were supposed to be highly trained professionals - the only ones employed by 'gifted ones' (tm) who know everything and are much superior to the rest of us.

    How will I ever cope with the disappointment?

    /s {if needed}

  10. Nunyabiznes Silver badge

    Humans

    I suspect this report could be duplicated in most Western governments, + or - a few percentage points.

    When something is inconvenient people tend to consciously and unconsciously try to avoid or circumvent it. Also we can have goldfish memory for the rules.

    We consistently have people try to do things that the provided training explains is a bad idea. They justify it by telling themselves they are trying to be efficient or productive or whatever, but it usually boils down to "I do that at home and I haven't had my computer hacked". Of course they have no idea whether or not they have been compromised. For that matter we probably don't really know whether we have been compromised at work - but based on our users and just how many vulnerabilities there are I would be surprised if we haven't been to some extent. We certainly try to adhere to best practices, but sometimes funding and manpower dictate prioritizing what gets done. And there I go justifying!

  11. Jay Lenovo

    Usually the opposite party in power will raise a fire to fix these issues.

    But unfortunately neither do it well and the ownership of the issues is largely a collective blame.

  12. adam payne Silver badge

    unnamed Congressional source in reporting that there are no hearings scheduled nor legislation in the works to address the findings of the report.

    So why produce the report if no one is going to do anything about it?!?!

    1. AndrueC Silver badge
      Meh

      So why produce the report if no one is going to do anything about it?!?!

      Gotta keep the staff busy, lest your budget be cut.

  13. DerekCurrie
    Facepalm

    #MyStupidGovernment continues SNAFU

    There is a department within the US Government that sets and publishes computer security standards. They are NIST, The National Institute of Standards and Technology. You can access their vast list of publications (49205, 100 of which deal with cybersecurity) HERE:

    National Institute of Standards and Technology

    A couple excellent starter publications:

    1) 2017 ANNUAL REPORT NIST/ITL CYBERSECURITY PROGRAM

    2) Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks

    Sadly, few elected officials bother to read NIST's publications or adhere to their security standards advice. This is very old news. The hashtag: #MyStupidGovernment was born out of the events of 2007. Since 1998, China: Criminal Nation, was known and documented to have been hacking into US federal computers. In 2007, after nine years of hacking, my government decided to admit that every single government Windows computer exposed to the Internet had been infested with bots that sent every document on those computers to the Red Hacker Alliance of China, a hacking group that is now integrated into the Chinese military. 'Shameful' doesn't cover the damage caused by my government's cybersecurity incompetence. Even worse was China's 2013 cyber-theft of records from the OPM, the U.S. Office of Personnel Management. That data included names, addresses, phone numbers, social security numbers, financial data, family status and job descriptions of every US federal government employee, including those working for US security and intelligence services as well as those applying for security clearance. The number affected by this hack was eventually discovered to be more than 22 million people.

    1. Roland6 Silver badge

      Re: #MyStupidGovernment continues SNAFU

      The current crop of articles about the US government's lack of security, DoH etc. suggests that computer and communications security has been an afterthought - if it was even thought about - in US government circles for at least 50 years!

      What is notable is that the Internet started out in 1969 as a DoD research project and security was pretty much omitted - until IPsec arrived in 1995... Yet anyone (and we know that many from Bletchley Park went to the US) who had had any experience of WWII military communications would know that security was a fundamental...

  14. C. P. Cosgrove
    Thumb Down

    Now I understand why there has been such a continuously negative response in the USA to any suggestion of introducing GDPR in any form there. Departmental budgets would be swallowed up paying fines!

    Chris Cosgrove

    1. scepticat

      Nah, they would exempt themselves from anything they pass. They always do!

  15. Guus Leeuw

    Better late than never

    Dear Sir,

    Should President Trump not declare war on the US for even allowing the computer systems to be so easily hacked by, say, Iranian agents?

    Regards,

    Guus

  16. G Olson

    Simple solution, remove the source

    This problem is easily solved: get rid of half of those departments. The creation of the Department of Education, HUD, HHS, Homeland Security, and a couple others has only degraded those areas. So, delete the Departments, the security problems disappear, more funding available for the remaining departments.

  17. Michael Wojcik Silver badge

    On a positive note...

    Early evidence suggests the US Federal Cyber Reskilling Academy will be successful at identifying employees outside IT who have an aptitude for the work. This approach has been shown to be successful in the UK. The Academy is already on its second cohort.

    We've also seen some other moves in recent months by the Feds to improve the situation. Besides the usual flood of promises and recommendations with no force behind them, there's been a binding DHS directive to reduce the deadline for patching critical and high-severity issues, for example.

    The wheels generally turn very slowly in government, but it does appear that there's some hope they will gradually get better. Indeed, I know personally of some sensitive government systems which are much better secured now than they were twenty years ago; that may not seem very encouraging, but it is progress.


Biting the hand that feeds IT © 1998–2020