U.S. government worse than all major industries on cyber security - pgoggijr
http://www.reuters.com/article/us-usa-cybersecurity-rankings-idUSKCN0XB27K
======
bpchaps
Schools are pretty bad, too, and they are strongly subject to federal security
policies.

Recently I had an fMRI done as part of a research program at Northwestern and
had to sign a bunch of paperwork where it was said that my data would be
secured with a best effort.

Well, fast forward to last night, when I was curious whether their psych
department had any webservers exposed to the internet, which it shouldn't have.
I found SIP servers, printers with admin rights, routers, personal computers,
etc. etc. etc. HIPAA hell. And that was only on three subnets and only 80/443.

I sent their heads of technology an email to see if they could look into it,
since I'd prefer that my data not be stolen by anyone who knows how to run
wget. They closed the ticket with this:

 _bpchaps, I believe you do have good intentions. That being said, we are
already performing regular scans of our systems. If you do stumble upon
anything significant, please do contact us again._

:(

~~~
hodwik
UMD has a great class where their cyber security students do pentesting on the
school network for credit, simultaneously securing the network and providing a
great education.

[http://www.cyber.umd.edu/sites/default/files/documents/sympo...](http://www.cyber.umd.edu/sites/default/files/documents/symposium/SecureMD_MC2Symposium_2013.pdf)

Nothing to get a network admin to close a hole like an annoying undergrad
stopping by your office every day, trying to get his extra credit before the
semester is over.

~~~
woodruffw
I'm a UMD student, and I had no idea this existed!

I've been hesitant about reporting holes/vulnerabilities in the school's
infrastructure until now, but it's reassuring to see that there are official
channels for doing so.

------
studentrob
This will make you laugh.

The President just formed a commission to make Americans safe in cyberspace
[1]

His Press Secretary says "Issues related to encryption will not be considered
by the commission" [2]

[1] [https://www.whitehouse.gov/blog/2016/04/13/announcing-presid...](https://www.whitehouse.gov/blog/2016/04/13/announcing-presidents-commission-enhancing-national-cybersecurity)

[2]
[https://youtu.be/FCx2uJWfyao?t=1h4m20s](https://youtu.be/FCx2uJWfyao?t=1h4m20s)

~~~
0xcde4c3db
I'm not really sure what the problem is with that. I feel like the broader
infosec situation is bad enough that having them debate encryption would be
like arguing over what lock to put on your cardboard door.

~~~
studentrob
The commission is going to have to talk about encryption if they're to address
information security. It might not be the same debate as the iPhone case, but
encryption is central to cybersecurity. So, to say they won't talk about
encryption is a non sequitur.

------
entee
I think part of this stems from the nuttiness that is government contracting
and the massive organizational sprawl inherent in our current governmental
structure.

Looking at some of the details, it seems some agencies are somewhat better than
others; it would be interesting to see the whole report and see which agencies
do better and which really suck (NASA seems to have done quite poorly).

Given that the security needs for the EPA may be quite different from those for
the DoD, not to mention countless other agencies, it's easy to understand how
standards and enforcement could quickly fragment. A lot of these agencies will
hire contractors to do the work; they'll hire different contractors, who are
themselves drawn from a limited pool of authorized contractors, and soon enough
you have Healthcare.gov version 1 again.

Additionally, if FB or Google have a breach, there's a clear line of
responsibility that ends up at the CEO. While in theory that's true in
government, in practice you have both the executive branch and Congress that
muck about in the operations of an agency, so although you may get security
person X to resign, it's far less easy to get at the people who are actually
responsible. (Which congressperson? How do you vote them out of a gerrymandered
district? Should the president fire his cabinet secretary? How does he get a
new one past Congress?)

~~~
mc32
Probably procurement processes weed out all but the most patient of
candidates, along with their pay schedule. But their process can take months
before final approval, so by then the candidate is gone.

They need to streamline the hiring process and offer competitive pay.

~~~
entee
It's not just about patience; there are a lot of guidelines and hurdles to
jump through to be eligible for certain contracts. Some of this is for good
reason; there have been plenty of cases of contractors bilking the government
out of millions with little or no accountability. But it makes the process too
complicated for real competition to occur, so perversely, although the
government turns to the private sector for more competitive prices and cutting
edge solutions, it ends up with inferior products.

Also, it's not as though the contractors themselves offer poor compensation. A
lot of them actually offer at least market rate, and in some cases higher pay.
It's not so easy to figure out how much something is going to cost over the
lifetime of a contract. This, combined with the general opacity and
bureaucratic hurdles of government contracting, makes it so the government
doesn't get the best deal over the lifetime of the contract despite picking
what may look to be a good idea at the onset. Of course this is all ignoring
political considerations and lobbying issues.

The US Government is the largest corporation in the world; I think the US
Defense Department alone is the largest corporation in the world. And none of
it is subject to the free market (in many ways for good reason). It's very
difficult to do things efficiently at that scale, and it's even harder to do it
with external political influences of all sorts.

------
11thEarlOfMar
"President Barack Obama has made improving cyber defenses a top priority of
his remaining year in office."

What happened to the first 7 years?

~~~
res0nat0r
Preventing the collapse of the world economy? Killing Bin Laden? Auto industry
bailouts?

~~~
obmelvin
I don't think the OP was suggesting that Obama has done nothing, but rather
the opposite. Obama has definitely talked about the importance of cyber
security in the past so it's a bit weird to say that it's a focus just this
year.

~~~
enraged_camel
Something can be important but not a priority.

------
Zikes
In typical US government fashion, the answer to this is to make all major
industries worse at cyber security.

------
more_corn
If anyone wants to help fix the problem, I suggest the newly formed USDS.
There are a lot of ex-Google people involved trying to help clean up and
secure IT infrastructure in the Government. I spoke with someone who did a
short stint with them and it sounds like they're actually being empowered to
fix things. [https://www.whitehouse.gov/digital/united-states-digital-ser...](https://www.whitehouse.gov/digital/united-states-digital-service/story)

Mike Dickerson gave a really good in-depth talk at Google about his work
cleaning up the healthcare.gov project. The Time article lacks many of the
technical details but is still pretty good. Sorry, all I can find is a link to
the PDF. [https://blog.newrelic.com/wp-content/uploads/80893.pdf](https://blog.newrelic.com/wp-content/uploads/80893.pdf)

From talking to people who've worked in the USDS, the problem doesn't appear
to be lack of capable people, or lack of funds. The problem seems to be in the
structure of how projects are bid and executed. The bad news is the problem is
universal. The good news is it's fixable ... it's just going to take a lot of
work by a lot of smart and determined people.

Sign up and go fix it.

------
api
This is one of the pragmatic/apolitical reasons the USG (or any other
government) should not key escrow or hold encryption backdoor master keys.

------
maxerickson
Does anybody know what factors SecurityScorecard considers? The link is just a
press release for the real information.

------
ecma
As an exemplary symptom of the toxic IT culture in many aspects of government
and defence, the US Navy paid $9M for continued support of Windows XP last
year [0]. They definitely aren't the only government agency which is doing
this, and it's indicative of systemic problems in business support and
procurement.

[0] [http://money.cnn.com/2015/06/26/technology/microsoft-windows...](http://money.cnn.com/2015/06/26/technology/microsoft-windows-xp-navy-contract/)

~~~
maxerickson
Why? It's one of the largest organizations on the planet, spending millions on
something or other doesn't indicate anything.

~~~
ecma
Spending millions on support for an operating system which is well out of life
is indicative of poor IT procurement and lifespan management. Business
interruption was a valid excuse about 5 years ago; to continue to argue that
is a farce.

------
awakeasleep
Information services, construction, food and technology were the top
performing industries in this test.

Info services and Technology seem like common sense answers, and maybe food
includes fast food which has to defend against the underground's hunger for
credit cards, but why does construction earn a top place?

Anyone have a theory?

~~~
hodwik
Construction and food are run by good old boys, who aren't going to waste a
bunch of money going to IBM for their tech, when they can go to the local
company which charges half as much. In so doing, they accidentally hired
better tech, because the big companies are bureaucratic nightmares.

The tech companies self-service.

------
nxzero
Compliance does not equal security.

------
xufi
I mean, it took them a while to get the ObamaCare fiasco fixed ... shows
their competence.

------
Joof
This is their best effort at making government transparent!

------
CiPHPerCoder
This is unsurprising. From what I gathered from @da_667 (former NSA TAO), the
pay was terrible. Why work for the government when you can get a job making
2-3 times as much with the same responsibilities?

~~~
jonnybgood
The pay is terrible because it's set by Congress. Agencies don't have the
liberty to set pay.

~~~
angli
Perhaps it's not their _fault_, but it doesn't make it any better for a
prospective job hunter. Perhaps competitive salaries need to be part of this
push.

------
siculars
You'd have to have your head examined for willingly working in government IT.
The dysfunction is legendary, the pay is abysmal and there are no free
massages or vending machines. If you had the skills to secure computer systems,
why would you work for the government? What possible reason?

~~~
technion
I've been associated with (Australian) Government projects, and whilst I don't
know much about what their own staff got paid, I can tell you not one person
there had ever still been in the office by 5:01pm. Managers didn't even have
mobile phone numbers of their staff even if they wanted to contact them after
hours. People were told not to come to work for things like "multicultural
awareness day" and a dozen other special days that would never be considered a
holiday at any business group.

Several of them lamented that every department had "slackers" who'd probably
be fired from any real business, but basically couldn't get sacked if they
tried due to Government policies.

It's not my thing, but there are reasons people choose these places.

~~~
Lawtonfogle
>Several of them lamented that every department had "slackers" who'd probably
be fired from any real business, but basically couldn't get sacked if they
tried due to Government policies.

Seems like the end result would be a really nasty dead sea effect.

------
Sven_
Time to just outsource USG data and services to Zuckerberg.

He's possibly handling more data, providing more services and doing it with
what...10K engineers?

We are just going to see more and more Sony type hacks, Manning/Snowden type
events. Just look at what happened with Bangladesh's Central Bank and
Philippines voter records.

Going forward I just don't see Govt IT coping on their own. Things are just
moving too fast and they have my sympathies.