Stop us if you've heard this one: US government staff wildly oblivious to basic computer, info security safeguards A US Senate probe has once again outlined the woeful state of computer and information security within Uncle Sam's civil service. A committee report (PDF) examining a decade of internal audits this week concluded that outdated systems, unpatched software, and weak data protection are so widespread that it's clear American …
Despite major data breaches like OPM ...
But this is just one example of what was discovered. What about the ones that have not yet been discovered?
If hackers were able to "plant" themselves for years in mobile phone networks then hacking their way (and planting) to some US government websites should be a walk-in-the-park.
The horse has bolted. The ship has sailed (reached the other end has come back for another trip). Sayonara and hasta la vista. Have I forgotten anyone? I hope not.
I will now be registering 3 billion voter IDs to counter the risk of people tampering with the election.
You are overlooking one little detail.
As both parties will be putting up candidates who are unremittingly hostile to Russia and China (and, come to think of it, everyone else) hacking the election results can accomplish nothing.
"As both parties will be putting up candidates who are unremittingly hostile to Russia and China"
Unless the republicans ditch Trump (fat chance) they will be field a candidate who is extremely chummy with Russia, and indeed admires Putin and dreams of having Putinesque level of control
Low paid, low status generally despised tech support staff and PHBs kowtowing to myopic short term politicians promising tax cuts and not mentioning the costs of tax cuts. Always baffled me that other nations governments outsourced to Merkin firms who in my experience were 10 years plus behind best practice.
Looks I work in the sector but these excuses of "short term politics" need to stop. The managers, directors etc in post need to push back against that and tell them - NO. It's not good enough to continue to under fund departments if we cannot meet legal requirements for protecting data. We've had a situation for far too long where politicians can purposely under fund departments and nobody takes them to task over it.
I recently got audited and failed because we'd "never fully looked at how much money we needed from government, so were unable to say whether we had adequate resources". They had a point, we'd just "made do" for years knowing we should be doing more.
Johnny Public isn't going to be able to hold politicians to account for funding of local authorities, so staff in them have to.
The ingredient you've missed from your reckoning, which explains why nothing ever gets done in federal infosec, is (a) the civil service is stuffed with incompetent political appointees given cushy numbers in return for campaign contributions, or left vacant either deliberately (Steve Bannon's original strategy of starving the state of resources) or inadvertantly (because no-one with any IQ and honest character would work for Trump, and they've run out of redneck morons to appoint.)
And secondly, because of the completely broken federal / state / county arbitrary separation of powers, plus the usual ubiquitous gerrymandering and pork barrel nonsense every Congresscritter has to bow to if they want to get re-elected.
None of this will change until they tear up the consitution and start again from scratch, and THAT'S not going to happen until the pile of bodies is much, much higher, I'm afraid.
I suspect this report could be duplicated in most Western governments, + or - a few percentage points.
When something is inconvenient people tend to consciously and unconsciously try to avoid or circumvent it. Also we can have goldfish memory for the rules.
We consistently have people try to do things that the provided training explains is a bad idea. They justify it by telling themselves they are trying to be efficient or productive or whatever, but it usually boils down to "I do that at home and I haven't had my computer hacked". Of course they have no idea whether or not they have been compromised. For that matter we probably don't really know whether we have been compromised at work - but based on our users and just how many vulnerabilities there are I would be surprised if we haven't been to some extent. We certainly try to adhere to best practices, but sometimes funding and manpower dictate prioritizing what gets done. And there I go justifying!
There is a department within the US Government that sets and publishes computer security standards. They are NIST, The National Institute of Standards and Technology. You can access their vast list of publications (49205, 100 of which deal with cybersecurity) HERE:
National Institute of Standards and Technology
A couple excellent starter publications:
1) 2017 ANNUAL REPORT NIST/ITL CYBERSECURITY PROGRAM
2) Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks
Sadly, few elected officials bother to read NIST's publications or adhere to their security standards advice. This is very old news. The hashtag: #MyStupidGovernment was born out of the events of 2007. Since 1998, China: Criminal Nation, was known and documented to have been hacking into US federal computers. In 2007, after nine years of hacking, my government decided to admit that every single government Windows computer exposed to the Internet had been infested with bots that sent every document on those computers to the Red Hacker Alliance of China, a hacking group that is now integrated into the Chinese military. 'Shameful' doesn't cover the damage caused by my government's cybersecurity incompetence. Even worse was China's 2013 cyber-theft of records from the OPM, the U.S. Office of Personnel Management. That data included names, addresses, phone numbers, social security numbers, financial data, family status and job descriptions of every US federal government employee, including those working for US security and intelligence services as well as those applying for security clearance. The number affected by this hack was eventually discovered to be more than 22 million people.
The current crop of articles about the US government's lack of security, DoH etc. suggests that computer and communications security has been an after thought - if it was even thought about, in US government circles for at least 50 years!
What is notable is that the Internet, started out in 1969 as a DoD research project and security was pretty much omitted - until IPsec arrived in 1995... Yet anyone (and we know that many from Bletchley Park went to the US) who had had any experience of WWII military communications would know that security was a fundamental...
This problem is easily solved: get rid of half of those departments. The creation of the Department of Education, HUD, HHS, Homeland Security, and a couple others has only degraded those areas. So, delete the Departments, the security problems disappear, more funding available for the remaining departments.
Early evidence suggests the US Federal Cyber Reskilling Academy will be successful at identifying employees outside IT who have an aptitude for the work. This approach has been shown to be successful in the UK. The Academy is already on its second cohort.
We've also seen some other moves in recent months by the Feds to improve the situation. Besides the usual flood of promises and recommendations with no force behind them, there's been a binding DHS directive to reduce the deadline for patching critical and high-severity issues, for example.
The wheels generally turn very slowly in government, but it does appear that there's some hope they will gradually get better. Indeed, I know personally of some sensitive government systems which are much better secured now than they were twenty years ago; that may not seem very encouraging, but it is progress.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
