

[] TheReg, 22.03.04: The farce of federal cybersecurity,
A commentary by security consultant Forno on the state of cybersecurity in 
the US federal administration:
- The annual disastrous reports are like annual visits to the dentist: you 
are scolded to take better care of your teeth or your IT system, but 
nothing changes.
- in federal security circles, "activity" (e.g., certification and 
accreditation) has been confused with "progress" (e.g., actually fixing 
things)
- "agency technology executives" and CIOs should be fired if they do not 
improve information security in their agencies
- "today's federal cybersecurity woes result more from flawed technology 
management practices than flawed technology"; "it's time to start holding 
the people in charge accountable to them"


The farce of federal cybersecurity
By Richard Forno
Posted: 22/03/2004 at 11:39 GMT
Over the past several years, various Washington entities, from the General 
Accounting Office to assorted Congressional committees, conducted surveys 
and issued reports on the state of the federal government's information 
security posture. In each case, with few exceptions, the findings range 
from the scathing to the downright embarrassing, and remain essentially 
unchanged since the mid-1990s.

Like any other issue involving government oversight, this process has 
become an annual Washington tradition - the reports are released; there's 
back-and-forth blather in Congress about how we need "to do more" to 
secure our federal networks; agency leaders and CIOs are called to testify 
on the Hill; some more blather, and perhaps a piece of legislation is 
introduced and dies before reaching the floor; and then the issue recedes 
into digital memory until next year's survey results are released - and 
the process begins anew, with little or nothing really changing.

It's no different than our annual visit to the dentist. We know he's going 
to admonish us to brush more and cut out the sweets, and we know that 
we're going to be embarrassed or uncomfortable as he tells us this to our 
face and makes notes in our patient file, but we endure it year after 
year, because it's something we have to do for good oral hygiene. Of 
course, we ignore his advice because it's inconvenient and, besides, candy 
is a tastier snack than celery.

This seems to be the approach taken by the majority of the federal 
government when dealing with the security of federal information systems. 
As you can see in the following articles going back to the late 1990s, 
there's much bad news and many prescriptions for improving things, but the 
patient refuses to cooperate... and the dentist is powerless (in this 
case, unwilling) to force him to change his ways:

    Fed agencies' networks at risk
    24 September 1998

    Network security weaknesses in the 24 largest U.S. government 
agencies, including the Internal Revenue Service and the Defense 
Department, put critical government operations and data at "great risk of 
fraud, misuse, and disruption," according to the investigative arm of 

    Study: Government Web sites weak on privacy, security
    12 September 2000

    U.S. government Web sites and computer systems are failing to ensure 
adequate privacy and security, according to reports issued by the General 
Accounting Office. The reports strongly suggest that the federal 
government has not gone far enough to protect information submitted to the 
Web sites of its various agencies or in defending information systems from 
predators. The GAO's privacy study used the Federal Trade Commission's 
methodology for judging commercial sites as a yardstick for assessing the 
government's Web efforts. The FTC's fair information guidelines say that 
Web sites should post a privacy notice before collecting information from 
consumers, let consumers opt out of disclosing information, let consumers 
review information before submitting it, and provide adequate security to 
prevent unauthorized usage.

    Report raps FAA for continued security lapses
    27 September 2000

    Despite its efforts to remedy serious security problems outlined in a 
government study this summer, the Federal Aviation Administration is still 
failing to protect its critical computer systems, including those used for 
air traffic control, according to a new government report on computer 
security released today. The report by the General Accounting Office was 
released and discussed at a hearing before the House Science Committee to 
investigate continuing computer security lapses at the FAA and how these 
lapses could affect travelers, the committee said in a statement.

    U.S. agencies flunking in tech security
    9 November 2001

    Government agencies have some chronic problems with their computer 
security, according to testimony at a congressional hearing Friday. A 
subcommittee of the House Committee on Government Reform issued a set of 
grades - mostly failing - to government agencies regarding how well they 
are protected against hackers, terrorists and other miscreants. "There's 
no significant relationship between the percent of (an agency's) IT 
spending on security and the security performance of that agency," Mark 
Forman, associate director for information technology and e-government at 
the Office of Management and Budget, said at the hearing.

    Study: Feds Have Not Identified Vulnerable IT Assets
    2 April 2003

    More than four years after receiving a presidential directive to 
determine if their networks were vulnerable to terrorist attacks, at least 
four federal agencies have not completed the processes of identifying 
critical agency assets and assessing their vulnerabilities, according to a 
General Accounting Office report released Wednesday. The GAO report, 
ordered by the House Energy and Commerce Committee to measure the pace of 
the critical infrastructure protection efforts of the agencies under the 
committee's purview, examined the Department of Energy, the Department of 
Health and Human Services, the Department of Commerce and the 
Environmental Protection Agency. "The agencies still have not completed 
the fundamental step of identifying their critical infrastructure assets 
and the operational dependencies of these vital assets on other public and 
private assets," the report states. "Once these assets and dependencies 
are identified, further steps will be necessary, such as conducting or 
updating vulnerability assessments, managing identified vulnerabilities, 
and ensuring that these assets are appropriately considered in planning 
for the continuity of essential agency operations."

    U.S. Gov't Computers Get Barely Passing Grade
    11 December 2003

    Acknowledging that there is considerable work to be done, Adam H. 
Putnam (R-Fl), chairman of the U.S. House of Representatives Subcommittee 
on Technology, Information Policy, Intergovernmental Relations and the 
Census, reported that the federal government's computer security has 
improved from a failing grade in 2002 to a passing grade in 2003. "The 
Federal Government should be the standard bearer when it comes to 
information security. Unfortunately, today's report card indicates 
anything but that. The Federal Government, overall, scored a D. While 
that's an improvement over last year's F, it's nothing to be proud of and 
much more must be done to secure our government computer networks," said 

    House Panel Slams Federal IT Security
    17 March 2004

    Federal agencies aren't doing enough to secure their network systems, 
even as documented cyber-attacks against the U.S. government continue to 
dramatically rise, U.S. Rep. Adam Putnam (R-FL) said Thursday. Putnam 
pointed to the federal agencies' overall security grade of "D" issued in 
December and a General Accounting Office (GAO) study released Thursday 
reporting 1.4 million cyber-security attacks launched against government 
agencies and departments in 2003. The report said there were 489,890 
attacks in 2002.


In some cases, these reports show marked improvements in specific offices 
or sub-agencies of the federal government, and those success stories 
should be made known both to the American people (as a sign that there are 
clueful security people making a difference in their agencies) and 
throughout the federal government as a helpful roadmap to improve security 
practices elsewhere. Unfortunately, these few truly noteworthy success 
stories are seldom reported by the mainstream press because good news 
doesn't pull in the ratings the way gloom, doom, and old-fashioned 
Washington finger-pointing does.

Like the much-vaunted but ineffective "certification and accreditation" 
process required for government and military systems, these annual 
assessments are an exercise in bureaucratic idleness designed to "address" 
but not "resolve" security problems in any meaningful fashion. After 
several years, the logic seems to be "why fix the problem when talking 
about it keeps us (and our contractors) employed?"

As a result, and contrary to popular belief and rhetoric, security for 
federal systems has been reduced to a check-box on our government's annual 
to-do list - as long as federal enterprise leaders can prove that work is 
being done on the matter, that's perfectly acceptable, it seems, because 
in federal security circles, "activity" (e.g., certification and 
accreditation) has been confused with "progress" (e.g., actually fixing 
things) and "job security" has been confused with "effective security". 
Agency leaders confirming this with Congress each year generally can avoid 
anything stronger than a verbal reprimand about their job performance, no 
matter how dismal security really is back home.

This solution is favored by politicians and agency heads who can avoid 
responsibility for fixing today's problems simply by deferring them into 
the future. In other words, the favored remedy for federal security 
problems is more talk, long-term research, meaningless reports, industry 
courting, and less real action in the here-and-now - all with the unspoken 
goal of maintaining the status quo and avoiding any responsibility 
whatsoever for today's many problems. The 2002 White House National 
Cybersecurity Strategy comes to mind as an example of this 
politically-safe and traditional approach to America's cybersecurity 
needs, however flawed it may be.

Indeed, billions of dollars are allocated for new commissions, long-term 
research on the "next" type of threats to our networks, continued 
"certification and accreditation" activities, and pondering the 
next-generation of security technologies (e.g., "activity") but there's 
little if anything spent on resolving the many problems that plague 
federal networks on a daily, if not hourly basis (e.g., "progress") to 
improve security today. To make matters worse, Congress seems more 
interested in having sensational authors and profit-seeking industry 
executives testifying on the matter - and espousing their special 
interests - than in a serious dialogue with well-known technologists who 
can provide rational thoughts on how to improve security effectively drawn 
from their ongoing real-world operational involvement with the IT security 
community and firsthand understanding of the threats, vulnerabilities, and 
risks of the digital age.

This contributes to a general level of ignorance and hypocrisy in Congress 
and the federal government when making and enforcing federal (or national) 
cybersecurity policy. Or, as my network security friend ruefully notes 
about the wisdom of Congressional oversight in this area: "You have a 
basically clueless congressman whose own governmental body is one of the 
absolute worst offenders, infosec-wise, who has the gall to give us an F 
in security. I don't think [Congressman] Adam Putnam (R-FL and chairman of 
a House subcommittee conducting federal cybersecurity oversight) would 
know a secure system if it bit him in his rear....of course, he and his 
cronies have conveniently made Congress exempt from the examinations they 
so righteously pound the rest of us with every year." (Ironically, this is 
the same fellow who last year proposed that the government mandate computer 
security standards for the private sector.)

In the government's defense, however, such regular assessments are a 
useful tool to grade the management effectiveness of a federal CIO in 
exercising a significant part of their job description, but only if their 
findings are acted upon in a meaningful, lasting way. Specifically, and 
most importantly, this means holding senior agency leaders responsible for 
their agency's information security posture - or lack thereof.

If the security of federal systems is as important an issue as we're led 
to believe, there is no reason (other than political) why an agency 
technology executive or CIO should still be employed if there is not a 
marked improvement in his agency's information security over a prolonged 
period of time. Simply giving such leaders (or their supervisors, usually 
the agency head) an annual reprimand is a joke - absent any meaningful 
punitive sanction for failing to secure their networks adequately, there's 
no incentive for these executive-level folks to do anything more than 
continue confusing "activity" with "progress" and "job security" with 
"effective security" - thus perpetuating indefinitely this 
federally-funded, frustrating, and dangerous cycle of inaction and 
ineffective security.

In most cases, keeping such people employed is a clear demonstration that 
mediocrity is the accepted standard for federal computer security 
practices. We continue to forget that no amount of gee-whiz GSA-certified 
technology or turnkey professional security certification programs will 
replace demonstrated career-based competence and common sense in those 
charged with overseeing the security of our most critical national or 
corporate networks - and that deferring today's unresolved problems into 
the future, while convenient, is an unacceptable course of action.

Perhaps before spending more to fix recurring technology problems, we 
should try fixing the people responsible for repeatedly tolerating such problems in 
the first place. Technical engineers and systems administrators can be 
fired for poor job performance - it's about time that enterprise IT 
leaders get held to the same standards of job performance as well.

Granted, popular enterprise technology is nowhere as secure as it should 
be, but today's federal cybersecurity woes result more from flawed 
technology management practices than flawed technology. To that end, we 
need to foster and reward innovative, effective management processes in 
the federal computer security arena and terminate the current technology 
management and oversight philosophy that tolerates and rewards idleness 
and mediocrity while doing little to actually eliminate them.

The standards for acceptable cybersecurity are known: it's time to start 
holding the people in charge accountable to them.

Richard Forno is a Washington, DC-based security consultant and author. 
During the 1990s, he worked information security at the US House of 
Representatives when Congress first became 'wired' and started examining 
technology security issues. His home in cyberspace is at
