I recently came across a company with amazingly poor security practices. Over time, the company was so lax about tracking its laptops that many were lost or stolen along with sensitive customer data, which of course was kept unencrypted on the laptops’ hard drives. For many months, the company had no Internet firewall. It didn’t track any network egress traffic and didn’t routinely examine any of its network log files to see what was actually going on across its infrastructure. Routine software updates were ignored, many of which had security implications. And the final coup de grace: it never kept any records of who had administrative access to various critical resources.
None of these things are hard to do. All can be done with technology that has been common for at least ten years, and in some cases is 20 years old. All require some diligence, staying on top of things, and making sure the personnel responsible for these tasks actually do them on a routine basis. So what happened? You probably won’t be surprised when I tell you that all of these activities were common IT practice at several US government agencies. We aren’t even talking about government contractors (which also fall down on the security job). These are full-time employees, and at agencies that should know better, such as the SEC or NRC. People that handle sensitive stuff.
As an aside, both agencies are among the top places to work for midsized agencies. The SEC actually has two IT specialist job openings (at least for now) that pay quite well. Sounds like a pretty cushy position to me, since you probably spend your time playing computer games or surfing the web.
And I haven’t even gotten to the latest revelations about Chinese hacking into the database of people who have applied for security clearances, which has been going on over the last year. This gives new meaning to being “red flagged.” Quite literally, and with five yellow stars on the flag too.
My story gets worse. I should mention that many users were found with that old bugaboo: using “password” as their password. Really? This is more than embarrassing.
And all jokes aside about going with the lowest bidder or cost overruns on $500 toilet seats: these agencies don’t have to buy much of anything to cover the basics.
If a private industry CIO had this sort of security record, they would never work in IT again, except perhaps as a motivational speaker telling people what not to do. Instead, because they are the Feds, we just shake our heads, wonder what is going on, and somehow give them a free pass to mess something else up again. It really boils my blood.
I recently had a friend ask me to serve as a reference for his security clearance renewal interviews. So chances are my name is in the hands of the Chinese somewhere. It was an interesting moment for me: when I met the investigator, he showed me his credentials, and I joked with him that I wouldn’t know whether they were legit or not; I didn’t even know the name of the agency he was supposed to be working for. As my friend explained, they aren’t looking for youthful indiscretions (not that I knew him when he was younger) but for things he hasn’t revealed on his application that could somehow be used to compromise him. Too bad the network administrators already blew it for him and for millions of other Americans who are serving their country.
Okay, we lived through Healthcare.gov and all that mess. We made it through some pretty massive screw-ups where our 57 different intelligence agencies couldn’t even share basic threat information, or where innocent people whose names are similar to the bad guys’ are flagged by the TSA. This takes government tech to a new low.
When we can’t have basic, simple IT security practice that just involves people doing their jobs, that gets my goat. This is not a technology problem; it is a leadership and people problem.
Good comments, David. But I’d add it is also a budget problem, and a subset of the much larger federal government problem of false economies, not investing in infrastructure — while expecting there to be zero consequences. The IRS is ignoring requirements to archive email because it doesn’t have enough servers and is still relying on tape-rotation backup. The congressmen that made those cuts are stunned. The latest fiasco, per Ars Technica, is because the entire group doing this work was laid off and consultants were hired that were not very good — some happened to have Chinese passports. But it started with eliminating the entire department when budgets were cut.
Looping back, Congress cuts infrastructure spending and then, after say cutting road maintenance, holds hearings to display shock over bridge collapses. Or it cuts VA spending (in the face of an estimated $1 Trillion needed to provide lifetime care to wounded Iran/Afghan vets) and then holds hearings to display shock because there are long waits to see doctors.
This isn’t only a government problem: among the Sony email leaks was the IT department saying its servers were out of date and it lacked basic security software, and the CEO getting bonuses because the short-term margins were up.
It’s like the old Fram oil filter commercial: You can pay me now, or you can pay me later 🙁
You somehow think the government should be better but is performing worse than industry. I can tell you that I’ve seen many corporations that make even this level of security look good. The government is a business, just like any other with some notable exceptions. One is that when they mess up, they have to tell all sorts of people and have it appear in print for all to see.
In general, I find that government has the same problem that private industry does when it comes to security. It is something they want. It is something they know they must have. But… they also aren’t very willing to pay for it, commit the resources to it, take the time to implement it, etc.
As Americans, we have this idea that there is some magic pill out there. We can do just one thing and it will all be OK. Well, unless you are planting beanstalks in a fairy tale, I doubt you will do well with that thinking.
Security has no ROI. It isn’t sexy. Sexy is easy to fund. Boring and no ROI is hard. Government has an even harder time funding security. They often make great efforts to be transparent. They want to show their citizens what they are doing. They don’t even think of terms like ROI because it is meaningless to them in most cases. But… that isn’t all that much different than the private sector. You *can* get better security. You just have to sell it better. The way to sell security is Return on Grief (ROG)–tm (by me!).
Tony Stirk: Exactly. I noted in my comment that the Sony leaks included emails from IT about how they lacked security software and basic server resources. At the same time the CEO got a large bonus for increasing margins. Meanwhile, in the gov’t agency that had the security breach, Congress cut its budget, so the agency laid off basically the entire staff that handled that function and dealt with a handful of consultants. The added, and somewhat amusing, complication is that some of the consultants that had root access also had Chinese passports. A pure coincidence, I’m sure.