back to article Homeland Security demands a 911 for reporting security holes in federal networks: 'Vulns in internet systems cause real-world impacts'

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday ordered US federal agencies outside the defense and intelligence communities to develop a working vulnerability disclosure policy. In an online memo, Bryan Ware, Assistant Director for Cybersecurity at CISA, described …

  1. Imhotep

    I Love Train Wrecks

    I'll be a first responder. My theory is that any network security problem can be resolved by extracting the network cable from the device and a pile of cash from the government.

    I may be becoming an entrepeneur.

    1. amanfromMars 1 Silver badge

      Re: I Love Train Wrecks

      Finding governments that listen to other than themselves is the problem.

      And everyone knows the system just loves the whistleblower because it invariably treats them as a RAT [Remote Access Trojan]

      That realisation and proaction, .... which in extremis has one in real danger of being incarcerated in a penitentiary, wilfully persecuted and even prosecuted in secret behind closed doors/in camera ... if one survives and is not the subject and object of a monumental number of unbelievable blunders which coincidentally, quite conveniently just also proven themselves to be so very helpful in delaying the emergence of particularly enlightening first party evidence ...... is all too often the case not to be true, the abiding unfortunately pervasive and subversive and consistently damaging experience one can expect of governments as they dither and deliberate on matters before bursting forth again onto the greater picture scene to race around like headless chickens and three wise monkeys with the idea of protecting themselves from their own unsavoury or challenging behaviour, thought or language ........ as they profess to save worlds and economies with media moguldoms in tow either as their complicit ignorant following or arrogant leading lackeys, for without that virtual global megaphone are they both practically and virtually as nothing ?

      It does have one a'wondering and a'pondering on who and/or what is thinking themselves in charge of commands and controls running whom and/or what and for why ..... to what glorious end, does it not? And to marvel at its present complex current simplicity.

  2. MJI Silver badge

    911

    Had a drive in one once.

    Not an exciting car in the supercar sense, but so well made.

    1. sitta_europea Silver badge

      Re: 911

      "Not an exciting car in the supercar sense..."

      And the headroom in the back seats was ridiculous! Not even enough for my grandma -- and we used to call her 'lofty' on grounds of her 4'2" stature.

  3. DoctorNine

    The Eye of Sauron Would Like Your Assistance

    The dodgy part comes when the identified security flaw was built-in on purpose, although supposedly 'hidden', and some well-meaning interloper points it out to our helpful Homeland Security forces. What's exactly to prevent that helpful techie from becoming an involuntary guest of Russia for the rest of his or her life for pointing it out?

    I can think of a few examples where the impulse to scruples ended badly.

  4. Mike 137 Silver badge

    "Houston, we have had a problem"

    Except that investigating a vulnerability may well fall foul of the DMCA, so we could have a conflict of interest here.

    Quite apart from which, we're still concentrating on finding foul ups after the fact instead of trying to prevent them happening in the first place. Not a good strategy really. Practically every reported data breach over the last couple of decades has been fundamentally down to sloppy management, rather than primarily due to technical issues. The technical issues typically arise from sloppy management at one or more points on the life cycle.

  5. Mike 16

    Following form?

    I suspect this will end up like the system at [REDACTED], a major network equipment manufacturer, back when I worked there. Any question was answered with "It's on [internal website of all company info]". But of course it wasn't. And the "report problems" link was a mailto: to a no longer existing email address (if that address ever existed). Then the telephone number listed for similar problems/errors rang on the desk of someone who was more than adequately aware of the fact that they were _not_ the responsible party, and had no idea who that might be.

    (And of course given recent news, any report that treads on any toes will be filed in the room with the "Beware of the Leopard" sign.)

  6. s. pam
    Pint

    Don't worry Uncle Sam...

    The grunt work will be farmed out via a big US consulting firm to some small 3rd world country.

  7. BPontius

    What protections will be in place for the poor schmuck who finds one of these problems, then get charged with hacking a Government system? In order to find vulnerabilities in websites you have to do more than browse through the source code, there is the network, server side software/hardware, databases, certificates...etc. And how do you differentiate between a white hat and a guy trying to break in, where do you draw the line?

    1. Anonymous Coward
      Anonymous Coward

      Probably if you visit the site by clicking a link from google or bing and it spills it's entire database to you then you will be fine reporting it.

      If it went wrong after you logged in then it might be a bit dodgier to report

      If you actually dared to type a new url in the address bar of your browser to make it mess up then you're in trouble.

      If you used the well known F12 keyboard shortcut to enable and access the incredibly dangerous hacking tool called developer tools to examine or modify requests then you can expect no less than 25 years

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like