
U.S. Agencies Earn D+ on Computer Security

CowboyNeal posted more than 9 years ago | from the but-it-still-passes dept.

Security 190

MirrororriM writes "Seven of the 24 largest agencies received failing grades, including the departments of Energy and Homeland Security. The Homeland Security Department encompasses dozens of agencies and offices previously elsewhere in government but also includes the National Cyber Security Division, responsible for improving the security of the country's computer networks. 'Several agencies continue to receive failing grades, and that's unacceptable,' said Rep. Tom Davis, R-Va., the committee's chairman. 'We're also seeing some exceptional turnarounds.'"


190 comments

Psst... (5, Funny)

Anonymous Coward | more than 9 years ago | (#11707280)

D isn't failing.

Re:Psst... (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11707289)

holy shit, i got FP!

from the but-it-still-passes dept. (0)

Anonymous Coward | more than 9 years ago | (#11707302)

See, they know that.

Oh, and you blew your chance to do:

"This gets an F"

P

This gets an S (0)

Anonymous Coward | more than 9 years ago | (#11707312)

TFU

This gets a - (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11707317)

1, Flamebait.

This gets a + (0)

Anonymous Coward | more than 9 years ago | (#11707358)

5, Broccoli.

Not Approved! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11707523)

D-

Re:Psst... (5, Insightful)

JPriest (547211) | more than 9 years ago | (#11707413)

I don't even have to read the article to guess that the suggested remedy is to secure more funds to spend more money on the problem. Anytime any government agency goes public with information it is because they need more money.

Re:Psst... (5, Informative)

perlionex (703104) | more than 9 years ago | (#11707549)

D isn't failing

You're right, it isn't. The agencies that failed got F. I was going to make a spiel on how /.ers never read the article, when I realised that the article didn't clearly state this.

More info in links below:

Washington Post [washingtonpost.com]

Report Card [house.gov]

Statement and links [house.gov]

Re:Psst... (2, Funny)

friedknut (743359) | more than 9 years ago | (#11708015)

Homeland Security: Who cares about computer security when we can just make up some random shit about Star Wars.

Re:Psst... (1, Interesting)

Anonymous Coward | more than 9 years ago | (#11708026)

When I studied computer science, you needed over 65% on both the lab portion and the theory portion of any 2nd, 3rd or 4th year class in order to pass. Anything less than C ({C-, D+, D, D-, F}) was considered a failing grade. The US government isn't alone in its failing grade, though that doesn't let them off the hook for having poor security.

asdfasdfas (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11707281)

first post? I hate this site

Oh, the dreaded D+ (5, Funny)

Anonymous Coward | more than 9 years ago | (#11707282)

"You're below average, but you do it very well!"

Well Slashdot earns a F for uptime (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11707283)

503 Service Unavailable

The service is not available. Please try again later.

Give them a little credit when you can't do any better :)

and... (0, Offtopic)

Anonymous Coward | more than 9 years ago | (#11707285)

this surprises anyone?

GW Bush says (5, Funny)

Profane MuthaFucka (574406) | more than 9 years ago | (#11707286)

"A D+ is NOT a failing grade. Sure, there's some room for improvement, and we're working on this. It's hard work. But the fact that these agencies passed the test, even by a slim margin, is good news."

Now watch this drive.

Re:GW Bush says (1)

poisoneleven (310634) | more than 9 years ago | (#11707309)

Had you read it, it said "seven of...", not all; both the article and the description say that.

Re:GW Bush says (1)

Doc Ruby (173196) | more than 9 years ago | (#11707329)

What are *you* reading? The post doesn't refer to the failing ones, it refers to the 7 that got a D+. You're partisan-blind.

Re:GW Bush says (5, Funny)

R.Mo_Robert (737913) | more than 9 years ago | (#11707355)

From what I hear, he's actually planning to put the department on a watch list in accordance with the No Department Left Behind Act.

Kerry says (0)

Anonymous Coward | more than 9 years ago | (#11707403)

"I voted for the D+ before I voted against it. This does not pass the global test."

Re:GW Bush says (3, Interesting)

Aqua OS X (458522) | more than 9 years ago | (#11707439)

I love the fact that we have this awesome new homeland security department... as well as fairly crappy homeland security.

Re:GW Bush says (3, Interesting)

superpulpsicle (533373) | more than 9 years ago | (#11707580)

This generation of old crusty politicians running the homeland security department is not going to be much, so an F grade wouldn't surprise me.

I would worry in the next generation when legit techies + Patriot Act starts invading all your privacy.

It is easy to get an A+ (2, Insightful)

AKosygin (521640) | more than 9 years ago | (#11707608)

Unplug the network cable and lock it up in a guarded vault. Only power and no other access, instant A+ security. You don't even need to fiddle with password security.

And for the overachievers... (0)

Anonymous Coward | more than 9 years ago | (#11707714)

And an A++ comes from taking the computer with the sensitive data and pulverizing it into pebbles using a piledriver.

Hack THAT!

But I'm not... (5, Funny)

Avyakata (825132) | more than 9 years ago | (#11707290)

If I was more involved in politics, and, for some unknown reason, absolutely hated Bush...my comment would read something like:

Ah...stupidity is a communicable disease...

Do people lose their jobs? (0)

Anonymous Coward | more than 9 years ago | (#11707291)

Is anyone at any level held accountable? Will we get change until these things happen?

Re:Do people lose their jobs? (1)

oil (594341) | more than 9 years ago | (#11708022)

Sure, people will lose their jobs and be held accountable. However, just like in the rest of the government and much of the business world, the people being held responsible are not the ones truly at fault; just scapegoats.

Uh-Oh, Here Comes the Bush-Bashing (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11707292)

three...two...one--bash away!

FOIA makes computer security mute (-1, Offtopic)

Dancin_Santa (265275) | more than 9 years ago | (#11707294)

(First off, let's just get out of the way the fact that if they were using Macintoshes instead of Windows, they'd be secure by default.)

But in another related vein, the Freedom of Information Act makes the process of hacking into a government computer system essentially mute. Whereas it took a lot of effort to break in and sirens went off when you were caught, now it is just a matter of saying "I want XYZ information" and the government hands it over on a silver platter.

Since computer security is the least of the problems that the DHUD faces, perhaps they'd better spend money on training their officers rather than buying the latest and greatest obsolete laptops for their chiefs.

Re:FOIA makes computer security mute (1, Informative)

Anonymous Coward | more than 9 years ago | (#11707321)

(In reference to the Apple security comment)

Security through obscurity isn't a good security tactic.

Re:FOIA makes computer security mute (1)

aslate (675607) | more than 9 years ago | (#11707365)

And if the US Govt. has them, then every script-kiddie in the world will be putting their efforts in too!

Re:FOIA makes computer security mute (0)

Anonymous Coward | more than 9 years ago | (#11707330)

I think he was trying to say "moot". That's based on the context.

Re:FOIA makes computer security mute (0)

Anonymous Coward | more than 9 years ago | (#11707333)

(First off, let's just get out of the way the fact that you're an idiot.)

But in another related vein, you're an idiot.

moot

Re:FOIA makes computer security mute (0, Troll)

lrslrslrs (621601) | more than 9 years ago | (#11707340)

If they were using Macs they would not be in 'business', as the rest of the world does not use them (yet). Also if you used the default then you are lazy in general and would fail security anyway.

Re:FOIA makes computer security mute (0)

Anonymous Coward | more than 9 years ago | (#11707386)

What are you trying to do, win an award for all-time least intelligent Slashdot user?

Re:FOIA makes computer security mute (4, Informative)

GileadGreene (539584) | more than 9 years ago | (#11707421)

I think that you mean moot [wiktionary.org], not mute [wiktionary.org].

Besides, FOIA does not mean that you can get all of the information that you want from the government. FOIA requests can be refused for a variety of reasons (these reasons are specified in the act [usdoj.gov]). Requests for "sensitive" data are often refused. So computer security isn't moot anyway.

SLASHDOT (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11707297)

OMG this site sucks

Go APPLE (-1, Flamebait)

Joe123456 (846782) | more than 9 years ago | (#11707298)

If they go Apple their grade will go up

Re:Go APPLE (0)

Anonymous Coward | more than 9 years ago | (#11707407)

They have to balance security and accessibility. Apple definitely falls on the secure end of that spectrum....

The Failing Grades (2)

Zotnix (844035) | more than 9 years ago | (#11707299)

Honestly it isn't surprising that our government is behind on security, especially when it comes to computers. Technology moves really fast and I imagine the US would have to spend billions just to keep up. It isn't entirely practical. All they can really do is hope for the best. Those that are a threat to security will always be one step ahead.

Re:The Failing Grades (4, Funny)

arootbeer (808234) | more than 9 years ago | (#11707327)

Yes...I would hate to think the Government would have to spend billions on something as unimportant as securing their computer systems. Couldn't they just do it as a supplemental request [defenselink.mil]?

Re:The Failing Grades (4, Insightful)

Strudelkugel (594414) | more than 9 years ago | (#11707463)

Having worked with government types, I can unfortunately guess that money is not the problem - attitude is. There are many civilians employed with US tax dollars who view their responsibility as "I am going to do the thing I was hired to do 20 years ago and keep doing it." There's another variety of employee - "I'm not really familiar with this new technology, so I will resist its implementation because I might look bad otherwise."

Before someone mods this as flamebait, I am not saying that all government employees are this way; you have to admire the CDC guys who suit up to go check out the latest hideous disease, for example. They deserve every dime they get. Of course there are other departments where people do a good job as well. That said, I suspect the US Government has the greatest number and probably the highest percentage of unmotivated, uninterested employees of any organization I have encountered. This is a huge problem. The only way to fix it is to curb spending, which can have the effect of making the government more cost efficient and proactive.

Re:The Failing Grades (1)

Bonhamme Richard (856034) | more than 9 years ago | (#11707835)

I suspect the US Government has the greatest number and probably the highest percentage of unmotivated, uninterested employees of any organization I have encountered.

There are 1.4 million Americans who would disagree. The members of our military may be frustrated, angry or scared but they are definitely NOT unmotivated or uninterested. They signed up to protect us and their lives are on the line. "unmotivated, [and] uninterested" they are not.

The Navy ones are pretty tech savvy too...

Re:The Failing Grades (2)

s74n13y (854884) | more than 9 years ago | (#11707862)

Tired of this? Perhaps whistle-blowers have argued that's a lot of ineffective bureaucracy to start with, but it's only going to go check out the problem. The only way to figure out how to fix it isn't complete incompetence.

Seriously, it's implementation of ineffective bueraucracy to start with, but it's obvious where this went astray; you have to wonder. Would this issue for improved from Congressional Cyber Security on purpose. bear with this new technology, so I will always be one step ahead? Having worked with this is a huge problem, and the Justice Department, which could be used to hire specialized people and based on report from a D-plus to an A maybe. The departments where people do a good job as well. That said, I suspect the effective bureaucracy to start with, but it's only going to the rankings, which were companies and offices previously elsewhere, an opportunity for some purpose. With all the end of the 24th largest agency plans for broad systems; a lack of continuance to receive failing grade to B-minus. The Interior made remarkable independent verification because of the systems. A lack of contingency plans for broad systems aren't kept up to go out on the new laws or regulations to compel private companies by the highest percentage of unmotivated, uninterested employed with this time and the Justice and based on some report was done by a Congressional committee's chairman. "We're also seeing some purpose". Sure, bear with the government as it is behind on the security Division, responsible for some mod this is may not be getting a highest percentage of unmotivated, uninterested employee - "I'm not saying the day?" Trust me, the government also included lax security on purpose. With all this as flamebait, all I am not really doing is hoping for some exceptional Cyber Security of employed with government to rise from failing grades, and then to diligently maintain the new laws or regulations to curb spending of billions just to keep doing it. There are many civilians employed with me. With all this time and consultants to fix it isn't surprising this issue for all this way.

You have a point but not a good one.

Congratulations! (0)

Anonymous Coward | more than 9 years ago | (#11707303)

And what did we expect? That they were perfect? We all know how good the government is!!!

The NSA? (4, Interesting)

tajmorton (806296) | more than 9 years ago | (#11707304)

What about the NSA [nsa.gov]? I'm sure that they take computer security [nsa.gov] a little more seriously. - Taj

Re:The NSA? (4, Interesting)

digitalchinky (650880) | more than 9 years ago | (#11707607)

Not really. Only the public interfaces.

Internally if you are cleared to see a certain group of things, the security is not so complex.

If you need access to VRK/TK type stuff, you get anal probing prior to accessing the restricted area - airgap with a big chunk of concrete thrown in the mix.

Why have 'huge' internal security when 'the man' already spends six months getting chatty with your friends, teachers, family, relatives, long lost loves from childhood, just to see if you can really be trusted with a clearance?

A TS clearance basically means you are 'trustworthy' - or you go to jail. Security vetting gets repeated every couple of years - sucks when you're in the Military and they want to know who your bestest work friends are that you've known for at least ten years.

Re:The NSA? (1)

SpaceLifeForm (228190) | more than 9 years ago | (#11707992)

If you need access to VRK/TK type stuff, you get anal probing prior to accessing the restricted area - airgap with a big chunk of concrete thrown in the mix.

Man, that must hurt.

It's Worse Than You Think (4, Funny)

Anonymous Coward | more than 9 years ago | (#11707310)

We all know grade inflation runs rampant in the U.S.

Gee.... (-1, Redundant)

ylikone (589264) | more than 9 years ago | (#11707311)

maybe they should all switch to Linux. Security problems solved. Or not. Well, I'm confused now with the recent slashdot articles telling me Windows is more secure, and then that Windows is insecure.

Just kidding. I don't believe that "Windows is more secure" shit for a minute.

/happy Linux user

Re:Gee.... (1)

Zotnix (844035) | more than 9 years ago | (#11707343)

I don't think it really matters what operating system they use. It all depends on how well they can set it up. A Linux box not set up incorrectly can be just as much of a security problem than a Windows box... well... maybe not entirely. But they would be close.

Re:Gee.... (0)

Anonymous Coward | more than 9 years ago | (#11707490)

Linux box not set up incorrectly can be just as much of a security problem than a Windows box... well... maybe not entirely. But they would be close.

Let's compare Sendmail to Outlook Express, shall we?

Sendmail has 108 security advisories at Secunia... Outlook Express has none (Though it has 235 viruses...)

Want to compare Apache2 to IIS6?

Re:Gee.... (1)

jay-be-em (664602) | more than 9 years ago | (#11707544)

Sendmail is known to be a piece of shit. There are several more secure and elegant mail servers. (not to mention that sendmail != linux)

Re:Gee.... (0)

Anonymous Coward | more than 9 years ago | (#11707937)

I don't believe that "Windows is more secure" shit for a minute

Well, it must have really gotten under your skin. You and all the other slashbot drones who keep bringing it up. You all just sit around all day saying "yep I don't believe that study one bit" and all nodding your heads and agreeing with each other. Meanwhile wringing your hands nervously. "I mean it can't be true... CAN IT!?!?!?"

But the important thing is.. (5, Funny)

Anonymous Coward | more than 9 years ago | (#11707320)

.. that they showed up for class and tried their best. It's all we can really ask for.

Re:But the important thing is.. (1)

BosstonesOwn (794949) | more than 9 years ago | (#11707423)

Even the retards can get that nice shiny perfect attendance award. I am sure it does them great in the real world.

On a side note I wonder if they actually have administrators that do their work or do they just all sit around like they do at the post office? If so, anyone know where I sign up for one of these "jobs" :)

Under new dept of education rules (5, Funny)

Anonymous Coward | more than 9 years ago | (#11707322)

Grades of D and below can no longer be referred to as "failing" and are now to be referred to as "success challenged."

US Agencies Responsible for "Dupe" Stories (4, Informative)

lukewarmfusion (726141) | more than 9 years ago | (#11707337)

Dec 10, 2003: U.S. Agencies Earn "D" For Computer Security [slashdot.org]

No, that's not a dupe. Yes, US Agencies have earned low "grades" for security for years. Considering that many of them were started for the purpose of increasing security, this begins to qualify as a complete FAILURE on their part (regardless of whether it's an F or a D+ or whatever).

Re:US Agencies Responsible for "Dupe" Stories (1)

SpaceLifeForm (228190) | more than 9 years ago | (#11707660)

And the Department of Homeland [In]Security failed to improve their grade from a F.

all uphill from here (3, Funny)

to_kallon (778547) | more than 9 years ago | (#11707347)

'We're also seeing some exceptional turnarounds.'
now, ianam (i am not a mathematician) but is there any other direction for them to go....?

Re:all uphill from here (0)

Anonymous Coward | more than 9 years ago | (#11707402)

Uh, yes? To complete and utter failure, rather than mediocrity?

Re:all uphill from here (1)

BosstonesOwn (794949) | more than 9 years ago | (#11707438)

You mean anything less than an A+ isn't one? They have the largest budget in the world and can't secure their systems a bit better.

Maybe a good thing? (1)

maggeth (793549) | more than 9 years ago | (#11707350)

Ok, I'm going to go out on a very far far limb and say that this may not be getting a higher priority on purpose. Bear with me.

What are the side-effects of this? Perhaps whistle-blowers have easier access to "restricted" information because the systems aren't kept up to date? Or maybe there is an opportunity for some under-the-table independent verification of internal information because the doors are left unlocked unwittingly or on purpose?

With all the emphasis put on this issue for all this time and little meaningful progress made, you have to wonder. Would this actually be beneficial for some purpose? I guess I'm hoping this isn't complete incompetence.

/conspiracy-theory

Ob. Sov. Russia (-1)

Anonymous Coward | more than 9 years ago | (#11707361)

In Soviet Russia, Computer security flunks you!

One More Reason... (5, Insightful)

fupeg (653970) | more than 9 years ago | (#11707379)

to get rid of government agencies.

Seriously, it's obvious where this is headed. This report was done by a Congressional committee using reports from each agency's inspector general. That's a lot of ineffective bureaucracy to start with, but it's only going to get worse. Next we'll have an agency devoted just to making sure these other agencies have proper security. And of course each of those agencies will need to hire specialized people and consultants to figure out how to fix their security problems, and then to diligently maintain the new security fixes on an ongoing basis.

So what do we have at the end of the day? The government reports on itself and determines that more government is needed. Never saw that coming. At least there was one good thing to come of this, from TFA:

The poor grades effectively dampen efforts by U.S. policy makers to impose new laws or regulations to compel private companies and organizations to enhance their own security

If only their sense of freedom was enough to "dampen" these efforts...

Re:One More Reason... (1, Interesting)

Anonymous Coward | more than 9 years ago | (#11707733)

So Cletus, after you get rid of the government agencies, who is going to mind the radioactive waste (Dept of Energy) and legal & illegal aliens (Dept of Homeland Security)?

Re:One More Reason... (1)

s74n13y (854884) | more than 9 years ago | (#11707995)

Elsewhere in government agencies and organizations private companies and organizations are encouraged to enhance their own security on purpose. Bear with US tax dollars who'll suit up to go out and say that's coming. At least there is a government that has the National committee and that's unacceptable. Said troubling areas including that this new technology gets really familiar with this issue for the best. At least there was one good this way: you have encountered it. This is may not be about getting a highest percentage of unmotivated, uninterested employees of agencies receive failing grades, and that's bound to effectively dampen efforts...like Homeland Security.

The department will not rise from failing grades, and that all government Reform Committee using report was done by a Congressional Cyber Security problem - attitude is. There's another department, which could be used to break into government improved from a D-plus to a B maybe; the Interior made remarkable independent verification of internal information because I might look bad to other departments (say, Transportation) because there are many civilian employees responsible for improvements, according that the US Government secure more government systems; continuing to receive failing grades effectively dampens these other department employees are left unlocked unwittingly or on purpose?

Before requiring businesses to compel private companies and offices previously in other countries is an opportunity for some exceptional turnarounds.

Rep. Tom Davis said the committee is using reports on itself and determines that coming or going. At least there was one good job as well ;) "That's unacceptable," says Tom Davis of the country's computers. So what. Fuck him. You Americans are all the same. Technology moves really quickly and all you sheisskopfs do is learn by example from Europe and Asia. They deserve every dime they can really fast and probably their responsible for improvements, according your ineffective bureaucracy to start with, but it's implementation of internal information because there is no opportunity for any real turnarounds in the USA.

Wanna know why? (3, Insightful)

Anonymous Coward | more than 9 years ago | (#11707384)

Pretty much because they can get away with it. Reports like this can help but... there's sooo much money there, it's ridiculous.

Remember what the 2 biggest parts of next year's government budget are? Defense and Homeland Security. And the workers there will continue to get fat and wealthy, while being incredibly lazy and careless... as is typical in most government positions. Then when a product doesn't work, either they get rid of that contractor and get a new one (who behaves the same way), or they just keep on going.

Oh yes, I forgot to mention: it's not just people employed by the government. Contractors are at fault too. Contractors are the ones who do a lot of the work!

It's a difficult situation to handle, I know I wouldn't want to be managing it right now.

Re:Wanna know why? (0)

Anonymous Coward | more than 9 years ago | (#11707412)

That's not to say all government workers are lazy and careless... that came off as rather flamebaity. The problem is that there are enough to make it a not too great situation, as is obvious from this report.

tax (1, Informative)

Anonymous Coward | more than 9 years ago | (#11707399)

'Several agencies continue to receive failing grades, and that's unacceptable,' said Rep. Tom Davis, R-Va., the committee's chairman. 'We're also seeing some exceptional turnarounds.'

Rep. Davis continues, "These turnarounds will assist us to more effectively collect tax, which is, after all, the reason why we're here. The less we spend on computer security breaches, the more we can spend on programs that justify the collection of tax."

Failed What Exactly? (5, Informative)

Petsection (165426) | more than 9 years ago | (#11707404)

Maybe I could get a little more concerned about this if they let us know what the test was? When you are talking about government agencies, the words "a computer and network security test" could mean quite a few things. 10/200 computers are still running Win3.1 - you get a D+. You are missing meta tags on your intranet - D+.

Hard to have any kind of opinion about that article unless they tell us more about this magical test.

Obligatory comment (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#11707406)

You fail it! Your skill is not enough, see you next time, bye-bye.

At least now they don't have to blame the UK (3, Funny)

ian rogers (760349) | more than 9 years ago | (#11707409)

Next time we attack a country and then the public finds out there was no evidence behind the attacks, they won't have to get Britain to cover for them.

They can just get a guy with a nerdy voice to go up to the podium and say "OMG WTF OUR DATA WAS HAX0RED."

At least that excuse is believable.

Perhaps there should be an IT Dept (3, Insightful)

Facekhan (445017) | more than 9 years ago | (#11707446)

I keep thinking that if government agencies are really having such a hard time with security and also the typical failure of their large and expensive IT projects, they should centralize their IT into a department that will manage all the government IT stuff so as to allow the other agencies to get back to their main business. Kind of the way that computers can be made more secure by not letting the users administer them. If one agency managed all the purchasing, support, and development for the other agencies it might make things work better. As it stands only a handful of agencies seem to be able to handle technology. They would also be able to more easily hold accountable the large contractor corporations that seem to just milk the government on IT projects that never work.

Re:Perhaps there should be an IT Dept (1)

SpaceLifeForm (228190) | more than 9 years ago | (#11707936)

It appears you have just defined the Department of Redundancy Department. A bad idea IMHO, as it will likely not solve any problems but actually create more problems.

Responsibility and Enforcement (1, Offtopic)

nboscia (91058) | more than 9 years ago | (#11707453)

I wish the government wouldn't be singled out as this is a universal problem, no matter who owns the computer. The underlying problem, IMO, is that too many people want administrator rights to systems who know nothing about how to be an administrator. There's no one to enforce security policies and there are no realistic training requirements or credentials for users who operate these systems. This has become an increasing problem in the workplace as the number of systems and their pseudo-admins grow.

As many have said, someone MUST be held accountable for their lack of responsibility. If the admins/users wish to be lazy, and no one forces them not to be, then what's the motivation to be security-conscious? In businesses, government, institutions, only well-trained and competent people should be allowed to manage any device on the network. Many people think they are administrators, but just knowing how to update a system doesn't make you a good admin, and most don't even realize all the different layers of security that need to be considered. For home users (I'll probably get bashed for this), the ISPs should play a bigger role in making sure their customers are responsible for any damage they cause, or even be the ones to offer security services to customers. I think people would be double-checking access logs and services, running scans, and doing updates more frequently if they could be fined, fired, or otherwise held responsible for not keeping things secured.

Re:Responsibility and Enforcement (1)

timeOday (582209) | more than 9 years ago | (#11707849)

Why should we put computer security above getting the job done? I hear a lot more hot air about "Digital Pearl Harbors" and computer security D-minuses than I do real world problems. Sure the occasional virus costs a supposed X million dollars in repairs, but nobody bothers to calculate how that compares to the cost of preventing such things. Sure it would be fun to sit around and make sure our computers are safe all day, but at some point you have to do something with them.

The question isn't whether better computer security would be nice, but whether it's worth the cost.

Re:Responsibility and Enforcement (4, Insightful)

demachina (71715) | more than 9 years ago | (#11707920)

You apparently have no grasp of how government contractors and civil servants work. Here is a hint .... the pay is the same.

If you are a civil servant filling this admin job it's nearly impossible to fire you, so you have absolutely no incentive to tear your hair out worrying about securing your systems. You punch in, you go through the motions, you punch out, and when you put in 20 years or so you retire with a handsome pension.

If you are a contractor you are working for a company whose only goals are to:

A. Win the contract with award winning prose about what a great job you will do

B. Once you win the contract you hire a small army of warm bodies whose one purpose in life is to put in billable hours which the company in turn bills to the government with a nice profit margin tacked on, and to buy and resell hardware and software to the government with a nice profit margin tacked on. There is NEVER any penalty in government contracting for failure. The worst thing that can happen is the project is canceled and your contract ends and you go bid for new ones, or when the term of the contract expires they might award it to another contractor and you go bid for new ones. Many of the warm bodies working for the contractor on the way out just go work for the new contractor and nothing actually changes except the name on the paychecks.

There are only occasionally incentive payments for success and those are just gravy, nice to have, but not if it means you have to expend a lot of money and effort to actually do a good job.

In many spectacular failures involving government contractors the project will suffer massive cost overruns and schedule slips and the agency will just keep pouring ever more money at the contractor, and in to their profit margin, in the hopes they will eventually pull it through. In effect the contractor is rewarded for failure with more years of revenue.

Original Report Card (5, Informative)

bornholtz (94540) | more than 9 years ago | (#11707460)

Here is a link to the full scorecard and the reporting methodology

Committee on Government Reform [house.gov]

Re:Original Report Card (4, Insightful)

HisMother (413313) | more than 9 years ago | (#11708002)

Looking at the list of metrics, I can understand why many of the larger agencies are "failing". Many of the metrics concern "agency-wide policies", "agency-wide plans", and "agency-wide inventories." The larger government agencies are very heterogeneous, by design. The DOE's laboratories, for example, are deliberately run by different contractors who each have a lot of discretion in how things are operated. And DHS, of course, is a hodgepodge, a loose federation of a large number of until-recently independent organizations -- of course they don't have a single unified IT oversight system. You think it makes sense to have a single, central, updated, accurate list of every single computer owned by the DHS, categorized by OS? What's the cost/benefit analysis there? Furthermore, another important metric on their scorecard is the extent to which the agency specifically acted on recommendations from a previous year. If an agency simply doesn't give a shit what Tom Davis' little committee has to say, then they get marked off for not caring. This report is completely worthless, IMO. I could say a lot more, but I think I'll leave it at that.

failing grades (1)

thephydes (727739) | more than 9 years ago | (#11707499)

I wonder how many are using Microsoft's secure products - those ones that are more secure than the alternatives, that is?

RTFL (read the f'ing list) (1)

dubiousmike (558126) | more than 9 years ago | (#11707543)

But I can't because there apparently is no list for me to read. Anyone know where I can find info on how all agencies/companies that were involved in the "test" fared?

But Richard Clarke was such a smart guy... (0, Flamebait)

glrotate (300695) | more than 9 years ago | (#11707567)

I'm sure he put excellent policies and procedures in place. This must be Bush's fault!

Cyber Security? (1)

AlgUSF (238240) | more than 9 years ago | (#11707713)

Hey, this is 2005, putting the prefix "Cyber" in front of everything is so 1998. I like "Network Infrastructure Security" or something like that... Kinda makes me want to start a company called Compu-Hyper-Global-MegaNet (à la Homer Simpson).

is there ANY overseeing committee? (1)

rbriefmd (860545) | more than 9 years ago | (#11707928)

Is ANYONE overseeing all of these orgs, or is this just a mess of organizations running w/o any centralized leadership?

Despite the common misconception... (3, Insightful)

Gruneun (261463) | more than 9 years ago | (#11707971)

Security isn't failing in most government agencies due to lack of attention or lack of aptitude. In fact, from what I see in the IT-heavy defense agency I work for (as a contractor, thank God), the incredible bureaucracy of the process is what keeps them behind the times. There are several competent people, each capable of keeping an up-to-date, secure network running at full speed, but they are so strangled with the briefing, pre-approval, documentation, status reports, testing process, etc., etc., etc., that it takes them a week to get a simple patch approved and installed. All that leads to an apathetic, "I did everything that was specifically required of me" attitude.

There's a pretty high turnover rate for sys admins, which certainly doesn't make the overall maintenance any easier.