[infowar.de] TheReg, 22.03.04: The farce of federal cybersecurity
Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------
A commentary by security consultant Forno on the state of cybersecurity in
the US federal government:
- The annual disastrous reports are like annual visits to the dentist: you
are admonished to take better care of your teeth or your IT systems, but
nothing changes.
- in federal security circles, "activity" (e.g., certification and
accreditation) has been confused with "progress" (e.g., actually fixing
things)
- "agency technology executives" and CIOs should be dismissed if they do
not improve information security in their agencies
- "today's federal cybersecurity woes result more from flawed technology
management practices than flawed technology"; "it's time to start holding
the people in charge accountable to them"
========================================
http://www.theregister.co.uk/content/55/36429.html
The farce of federal cybersecurity
By Richard Forno
Posted: 22/03/2004 at 11:39 GMT
Over the past several years, various Washington entities, from the General
Accounting Office to assorted Congressional committees, conducted surveys
and issued reports on the state of the federal government's information
security posture. In each case, with few exceptions, the findings range
from the scathing to the downright embarrassing, and remain essentially
unchanged since the mid-1990s.
Like any other issue involving government oversight, this process has
become an annual Washington tradition - the reports are released; there's
back-and-forth blather in Congress about how we need "to do more" to
secure our federal networks; agency leaders and CIOs are called to testify
on the Hill; some more blather, and perhaps a piece of legislation is
introduced and dies before reaching the floor; and then the issue recedes
into digital memory until next year's survey results are released - and
the process begins anew, with little or nothing really changing.
It's no different than our annual visit to the dentist. We know he's going
to admonish us to brush more and cut out the sweets, and we know that
we're going to be embarrassed or uncomfortable as he tells us this to our
face and makes notes in our patient file, but we endure it year after
year, because it's something we have to do for good oral hygiene. Of
course, we ignore his advice because it's inconvenient and, besides, candy
is a tastier snack than celery.
This seems to be the approach taken by the majority of the federal
government when dealing with the security of federal information systems.
As you can see in the following articles going back to the late 1990s,
there's much bad news and many prescriptions for improving things, but the
patient refuses to cooperate... and the dentist is powerless (in this
case, unwilling) to force him to change his ways:
-------
Fed agencies' networks at risk
24 September 1998
Network security weaknesses in the 24 largest U.S. government
agencies, including the Internal Revenue Service and the Defense
Department, put critical government operations and data at "great risk of
fraud, misuse, and disruption," according to the investigative arm of
Congress.
Study: Government Web sites weak on privacy, security
12 September 2000
U.S. government Web sites and computer systems are failing to ensure
adequate privacy and security, according to reports issued by the General
Accounting Office. The reports strongly suggest that the federal
government has not gone far enough to protect information submitted to the
Web sites of its various agencies or in defending information systems from
predators. The GAO's privacy study used the Federal Trade Commission's
methodology for judging commercial sites as a yardstick for assessing the
government's Web efforts. The FTC's fair information guidelines say that
Web sites should post a privacy notice before collecting information from
consumers, let consumers opt out of disclosing information, let consumers
review information before submitting it, and provide adequate security to
prevent unauthorized usage.
Report raps FAA for continued security lapses
27 September 2000
Despite its efforts to remedy serious security problems outlined in a
government study this summer, the Federal Aviation Administration is still
failing to protect its critical computer systems, including those used for
air traffic control, according to a new government report on computer
security released today. The report by the General Accounting Office was
released and discussed at a hearing before the House Science Committee to
investigate continuing computer security lapses at the FAA and how these
lapses could affect travelers, the committee said in a statement.
U.S. agencies flunking in tech security
9 November 2001
Government agencies have some chronic problems with their computer
security, according to testimony at a congressional hearing Friday. A
subcommittee of the House Committee on Government Reform issued a set of
grades - mostly failing - to government agencies regarding how well they
are protected against hackers, terrorists and other miscreants. "There's
no significant relationship between the percent of (an agency's) IT
spending on security and the security performance of that agency," Mark
Forman, associate director for information technology and e-government at
the Office of Management and Budget, said at the hearing.
Study: Feds Have Not Identified Vulnerable IT Assets
2 April 2003
More than four years after receiving a presidential directive to
determine if their networks were vulnerable to terrorist attacks, at least
four federal agencies have not completed the processes of identifying
critical agency assets and assessing their vulnerabilities, according to a
General Accounting Office report released Wednesday. The GAO report,
ordered by the House Energy and Commerce Committee to measure the pace of
the critical infrastructure protection efforts of the agencies under the
committee's purview, examined the Department of Energy, the Department of
Health and Human Services, the Department of Commerce and the
Environmental Protection Agency. "The agencies still have not completed
the fundamental step of identifying their critical infrastructure assets
and the operational dependencies of these vital assets on other public and
private assets," the report states. "Once these assets and dependencies
are identified, further steps will be necessary, such as conducting or
updating vulnerability assessments, managing identified vulnerabilities,
and ensuring that these assets are appropriately considered in planning
for the continuity of essential agency operations."
U.S. Gov't Computers Get Barely Passing Grade
11 December 2003
Acknowledging that there is considerable work to be done, Adam H.
Putnam (R-Fl), chairman of the U.S. House of Representatives Subcommittee
on Technology, Information Policy, Intergovernmental Relations and the
Census, reported that the federal government's computer security has
improved from a failing grade in 2002 to a passing grade in 2003. "The
Federal Government should be the standard bearer when it comes to
information security. Unfortunately, today's report card indicates
anything but that. The Federal Government - overall - scored a D. While
that's an improvement over last year's F, it's nothing to be proud of and
much more must be done to secure our government computer networks," said
Putnam.
House Panel Slams Federal IT Security
17 March 2004
Federal agencies aren't doing enough to secure their network systems,
even as documented cyber-attacks against the U.S. government continue to
dramatically rise, U.S. Rep. Adam Putnam (R-FL) said Thursday. Putnam
pointed to the federal agencies' overall security grade of "D" issued in
December and a General Accounting Office (GAO) study released Thursday
reporting 1.4 million cyber-security attacks launched against government
agencies and departments in 2003. The report said there were 489,890
attacks in 2002.
-----
In some cases, these reports show marked improvements in specific offices
or sub-agencies of the federal government, and those success stories
should be made known both to the American people (as a sign that there are
clueful security people making a difference in their agencies) and
throughout the federal government as a helpful roadmap to improve security
practices elsewhere. Unfortunately, these few truly noteworthy success
stories are seldom reported by the mainstream press because good news
doesn't pull in the ratings the way gloom, doom, and old-fashioned
Washington finger-pointing does.
Like the much-vaunted but ineffective "certification and accreditation"
process required for government and military systems, these annual
assessments are an exercise in bureaucratic idleness designed to "address"
but not "resolve" security problems in any meaningful fashion. After
several years, the logic seems to be "why fix the problem when talking
about it keeps us (and our contractors) employed?"
As a result, and contrary to popular belief and rhetoric, security for
federal systems has been reduced to a check-box on our government's annual
to-do list - as long as federal enterprise leaders can prove that work is
being done on the matter, that's perfectly acceptable, it seems, because
in federal security circles, "activity" (e.g., certification and
accreditation) has been confused with "progress" (e.g., actually fixing
things) and "job security" has been confused with "effective security".
Agency leaders confirming this with Congress each year generally can avoid
anything stronger than a verbal reprimand about their job performance, no
matter how dismal security really is back home.
This solution is favored by politicians and agency heads who can avoid
responsibility for fixing today's problems simply by deferring them into
the future. In other words, the favored remedy for federal security
problems is more talk, long-term research, meaningless reports, industry
courting, and less real action in the here-and-now - all with the unspoken
goal of maintaining the status quo and avoiding any responsibility
whatsoever for today's many problems. The 2002 White House National
Cybersecurity Strategy comes to mind as an example of this
politically-safe and traditional approach to America's cybersecurity
needs, however flawed it may be.
Indeed, billions of dollars are allocated for new commissions, long-term
research on the "next" type of threats to our networks, continued
"certification and accreditation" activities, and pondering the
next-generation of security technologies (e.g., "activity") but there's
little if anything spent on resolving the many problems that plague
federal networks on a daily, if not hourly basis (e.g., "progress") to
improve security today. To make matters worse, Congress seems more
interested in having sensational authors and profit-seeking industry
executives testifying on the matter - and espousing their special
interests - than in a serious dialogue with well-known technologists who
can provide rational thoughts on how to improve security effectively drawn
from their ongoing real-world operational involvement with the IT security
community and firsthand understanding of the threats, vulnerabilities, and
risks of the digital age.
This contributes to a general level of ignorance and hypocrisy in Congress
and the federal government when making and enforcing federal (or national)
cybersecurity policy. Or, as my network security friend ruefully notes
about the wisdom of Congressional oversight in this area: "You have a
basically clueless congressman whose own governmental body is one of the
absolute worst offenders, infosec-wise, who has the gall to give us an F
in security. I don't think [Congressman] Adam Putnam (R-FL and chairman of
a House subcommittee conducting federal cybersecurity oversight) would
know a secure system if it bit him in his rear....of course, he and his
cronies have conveniently made Congress exempt from the examinations they
so righteously pound the rest of us with every year." (Ironically, this is
the same fellow proposing the government mandate computer security
standards for the private sector last year.)
In the government's defense, however, such regular assessments are a
useful tool to grade the management effectiveness of a federal CIO in
exercising a significant part of their job description, but only if its
findings are acted upon in a meaningful, lasting way. Specifically, and
most importantly, this means holding senior agency leaders responsible for
their agency's information security posture - or lack thereof.
If the security of federal systems is as important an issue as we're led
to believe, there is no reason (other than political) why an agency
technology executive or CIO should still be employed if there is not a
marked improvement in his agency's information security over a prolonged
period of time. Simply giving such leaders (or their supervisors, usually
the agency head) an annual reprimand is a joke - absent any meaningful
punitive sanction for failing to secure their networks adequately, there's
no incentive for these executive-level folks to do anything more than
continue confusing "activity" with "progress" and "job security" with
"effective security" - thus perpetuating indefinitely this
federally-funded, frustrating, and dangerous cycle of inaction and
ineffective security.
In most cases, keeping such people employed is a clear demonstration that
mediocrity is the accepted standard for federal computer security
practices. We continue to forget that no amount of gee-whiz GSA-certified
technology or turnkey professional security certification programs will
replace demonstrated career-based competence and common sense in those
charged with overseeing the security of our most critical national or
corporate networks - and that deferring today's unresolved problems into
the future, while convenient, is an unacceptable course of action.
Perhaps before spending more to fix recurring technology problems, we try
fixing the people responsible for repeatedly tolerating such problems in
the first place. Technical engineers and systems administrators can be
fired for poor job performance - it's about time that enterprise IT
leaders get held to the same standards of job performance as well.
Granted, popular enterprise technology is nowhere as secure as it should
be, but today's federal cybersecurity woes result more from flawed
technology management practices than flawed technology. To that end, we
need to foster and reward innovative, effective management processes in
the federal computer security arena and terminate the current technology
management and oversight philosophy that tolerates and rewards idleness
and mediocrity while doing little to actually eliminate them.
The standards for acceptable cybersecurity are known: it's time to start
holding the people in charge accountable to them.
Richard Forno is a Washington, DC-based security consultant and author.
During the 1990s, he worked information security at the US House of
Representatives when Congress first became 'wired' and started examining
technology security issues. His home in cyberspace is at
http://www.infowarrior.org.