Report Again Finds US Government IT Security Sucks, Three Years After Saying The Same Thing

from the giant-wheel-of-dysfunction dept

Three years ago a US Senate Committee report showcased that the U.S. government's cybersecurity defenses were the IT equivalent of damp cardboard. The study found numerous government agencies were using dated systems that were expensive to maintain but hard to properly secure. It also noted how from 2008 to 2018, the government repeatedly failed to adequately protect sensitive data at the Social Security Administration and Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education.

Three years have gone by and guess what: very little has actually changed. The latest 47 page report (pdf) found that little meaningful improvement was made in the last three years, with cybersecurity at those same eight federal agencies earning four grades of D, three Cs, and a single B:

"It is clear that the data entrusted to these eight key agencies remains at risk. As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable."

This report is just one of countless instances over the last two decades where the government was warned that it's expensive, shitty, dated systems simply weren't secure. In this report, of the eight agencies, only the DHS showed meaningful improvements in IT security:

"What this report finds is stark. Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. Seven agencies made minimal improvements, and only DHS managed to employ an effective cybersecurity regime for 2020. As such, this report finds that these seven Federal agencies still have not met the basic cybersecurity standards necessary to protect America’s sensitive data."

Much like election security, there's a lot of bloviation and consultant bucks that get thrown around -- often with little to show for it. DC lawmakers often talk a lot about the importance of cybersecurity, but only as so far as it pertains to being helpful in terms of partisan fear mongering, lining the pockets of campaign contributors, weakening encryption for their own surveillance purposes, or protecting the interests of dominant domestic corporations. But when it comes to taking actual, intelligent, meaningful action (like oh, shoring up the security nightmare that is the internet of broken things), we fail repeatedly.

The report of course comes about seven months after Russian government sponsored hackers used a massive supply chain attack to gain access to systems at numerous US government agencies and over 100 corporations. And just four months after Chinese government sponsored hackers breached multiple federal agencies by exploiting vulnerabilities in the Pulse Secure VPN. While both events have taken the usual DC consternation, hand wringing, and big dollar consultant payouts in to new levels, who the hell knows if any of it leads to actual, meaningful reform.

Filed Under: cybersecurity, government it, government technology, homeland security, it, security

Power Outage For Federal Court Computer System Screws Up Three Months Worth Of Job Applications?!?

from the how-is-that-possible? dept

For years, we've talked about what a total joke the federal courts' PACER system is. That's the computer system the federal courts use for accessing court documents. It acts like it was designed in about 1998 and hasn't been touched since (and even when it was designed, it wasn't designed well). But that's not the only fucked up computer system that the federal courts use. A few years back when I was an expert witness in a federal case, I had to make use of a different US court website just to get paid by the government -- and while it's been a few years, I still remember that it required you to use Internet Explorer. Internet Explorer! It had lots of other issues as well.

By now you may have realized that every computer system in the federal court system seems to be antiquated and poorly designed. And now we've got even more evidence of that. On Friday, the federal court system announced that a "power outage" probably fucked up clerkship and staff attorney applications going back three months.

Law school students and graduates who filed applications for federal court clerkships and staff attorney positions from June 7 to Aug. 31, 2019 using the OSCAR system may have to refile some documents in their applications. Notifications and instructions for refiling will be sent early next week.

Documents filed during that period may have been affected by a major power failure at one of the Judiciary’s service providers. The electrical outage affected the Online System for Clerkship Application and Review (OSCAR), which is used to process clerkship and staff attorney applications. The OSCAR system is back up and running.

Only applications filed during the period June 7 to Aug. 31 were affected. Judges and staff attorney offices that accepted applications through the OSCAR system during this period also are being notified.

Okay, sure, power outages happen. But... how is it possible that three months worth of applications and documents may be messed up from a single power outage? What sort of backup system are they running over there? I get that federal computer systems are antiquated, but this makes literally no sense at all. At some point in the last two decades, someone should have designed a computer system that doesn't lose documents in the event of a power outage. Or, at the very least, it should have only lost documents that were filed in like the split second prior to the power outage.

Honestly, I'm beginning to wonder if PACER is honestly "the best" our federal court system can do.

Filed Under: clerkship, computer system, federal courts, it, job applications, oscar, power outage, us courts

Senate IT Tells Staffers They're On Their Own When It Comes To Personal Devices And State-Sponsored Hackers

from the not-the-best-way-to-handle-an-impossible-situation dept

Notification of state-sponsored hacking attempts has revealed another weak spot in the US government's defenses. The security of the government's systems is an ongoing concern, but the Senate has revealed it's not doing much to ensure sensitive documents and communications don't end up in the hands of foreign hackers.

The news of the hacking attempt was greeted with assurances that nothing of value was taken.

That gap in security was brought front and center for Senate IT staffers on Jan. 12, when cybersecurity firm Trend Micro announced findings that seven months earlier, the same Russian government hacking group responsible for hacking Democratic Party targets in 2016 had created a phishing campaign that specifically targeted Senate staffers’ emails.

There’s no indication that the attempts were successful, and Trend Micro immediately alerted the FBI and the Office of the Sergeant at Arms, the agency responsible for Senate security, the firm said. Hours after Trend Micro’s report, multiple Senate staffers told BuzzFeed News, the sergeant-at-arms called a private meeting of Senate IT personnel to assure them that there was no real threat, as it had blocked the avenues the hackers would have tried to use.

It blocked those avenues, but Senate IT left a lot of avenues wide open. According to the Buzzfeed report, those in this meeting were told the protections offered would not include personal devices or email accounts. This makes some sense, as personnel have a responsibility to ensure their devices/accounts are as secure as possible if they're going to be using them for government work.

Laws and policies have been put in place to deter people from taking their sensitive work home with them. But they address a problem government agencies often exacerbate by treating employees as always on duty, even where they're off the clock. Multiple top government officials have been caught storing sensitive documents on private devices or in private accounts. Hillary Clinton underwent an FBI investigation because of this. Two years ago, a teenage hacker got a hold of documents detailing US military operations by gaining access to the CIA director's AOL account.

So, drawing a line at personal devices seems like the right thing to do, but only if you ignore the attack vectors left open by this policy. Even banning personal devices from government offices has its problems -- going far beyond the fact that this policy is pretty much unenforceable when there are thousands of staffers to keep an eye on.

Reached for comment, a sergeant-at-arms representative declined to give a formal statement, but told BuzzFeed News that its cybersecurity team’s specific directive is to protect Senate email accounts and Senate-issued devices.

But that could be a problem if a Senate staff member – there are thousands – uses a Senate device to also access personal email. If the staffer downloads a malicious program from personal email on a Senate-issued computer, that program could gain access to the device.

So… I don't know… throw the CFAA at them? [I'm joking, DOJ. Please don't do this.] There's no great solution to this problem. You can push the responsibility back on the person who became the attack vector but that just leaves sensitive government systems as weak as the weakest person with access. And employees should rightfully be wary of government attempts to "secure" devices and accounts, which could lead to lots of snooping into non-government communications.

It's impossible to secure everything but Senate IT shouldn't be so quick to wall off personal devices and accounts. Ignoring attack vectors doesn't solve the problem. Consistent enforcement of policies governing the handling of sensitive documents and communications might reduce the chances of a breach. But the problem remains the government's to deal with. As a former White House staffer notes in the article, the tools government employees need to do their jobs effectively aren't all supplied by the government. Many are supplied by third parties and may only run (or run well) on personal devices. The government can't be expected to be all things to all employees, but maybe it should consider extending its protective services to the devices and accounts it unofficially expects staffers to use.

Filed Under: encryption, hackers, it, privacy, security, senate, surveillance

UK Welfare Project Boss Says He Didn't Use Open Source Because It 'Wasn't Available' Two Years Ago

from the how-do-some-people-get-into-power dept

Filed Under: it, open source, uk, universal credit, welfare

Perhaps The NSA Should Figure Out How To Keep Its Own Stuff Secret Before Building A Giant Database

from the just-saying... dept

Among the questions is how a contract employee at a distant NSA satellite office was able to obtain a copy of an order from the Foreign Intelligence Surveillance Court, a highly classified document that would presumably be sealed from most employees and of little use to someone in his position.

A former senior NSA official said that the number of agency officials with access to such court orders is “maybe 30 or maybe 40. Not large numbers.”

Mr. Snowden has now turned over archives of “thousands” of documents, according to Mr. Greenwald, and “dozens” are newsworthy.

Edward Snowden sounds like a thoughtful, patriotic young man, and I’m sure glad he blew the whistle on the NSA’s surveillance programs. But the more I learned about him this afternoon, the angrier I became. Wait, him? The NSA trusted its most sensitive documents to this guy? And now, after it has just proven itself so inept at handling its own information, the agency still wants us to believe that it can securely hold on to all of our data? Oy vey!

The scandal isn’t just that the government is spying on us. It’s also that it’s giving guys like Snowden keys to the spying program. It suggests the worst combination of overreach and amateurishness, of power leveraged by incompetence. The Keystone Cops are listening to us all.

Even assuming the U.S. government never abuses this data -- and there is no reason to assume that! -- why isn't the burgeoning trove more dangerous to keep than it is to foreswear? Can anyone persuasively argue that it's virtually impossible for a foreign power to ever gain access to it? Can anyone persuasively argue that if they did gain access to years of private phone records, email, private files, and other data on millions of Americans, it wouldn't be hugely damaging?

Think of all the things the ruling class never thought we'd find out about the War on Terrorism that we now know. Why isn't the creation of this data trove just the latest shortsighted action by national security officials who constantly overestimate how much of what they do can be kept secret? Suggested rule of thumb: Don't create a dataset of choice that you can't bear to have breached.

Filed Under: database, ed snowden, it, leaks, nsa, nsa surveillance, risks

Justice Department IT Staff So Incompetent They Block All Webex Conferences

from the the-software-may-suck,-but... dept

SPECIAL NOTE TO DEPARTMENT OF JUSTICE ATTORNEYS/STAFF:
The WebEx web conferencing website is not accessible to DOJ attorneys/staff due to internet blocks set in place by your IT department, therefore you are unable to register for a webinar training class or participate in the WebEx training room session itself. However, the option to participate in only the teleconference portion of the training class is available and will still prove useful.

Filed Under: blocking, doj, it, justice department, webex, webinars
Companies: webex

If They Can't Pass SOPA... Senators Ask FTC To Magically Stop Foreign Software Infringement

from the say-what-now? dept

"This unfairness harms the affected companies and their employees, as well as consumers and the broader economy," the senators wrote. "It also stifles innovation by forcing law-abiding American businesses — large and small — to compete against those businesses that reduce their operating costs through the use of pirated IT."

Filed Under: ftc, it, jurisdiction, software piracy