On Point: Senate Cyber Security Report Is Damning


by Austin Bay
February 4, 2014

On Feb. 4th, the Senate Homeland Security and Governmental Affairs committee's minority staff released a 19-page assessment entitled "The Federal Government's Track Record on Cybersecurity and Critical Infrastructure." Retiring Sen. Tom Coburn (R-Oklahoma) sponsored the assessment. The footnoted assessment draws on more than 40 agency audits and inspector general reviews.

Coburn's short and readable document supports its high-tech horror story with vivid, near-slapstick examples of bonehead stupidity and reckless laziness magnified by supervisor irresponsibility and senior leader neglect. 

Slapstick and bonehead by "The Three Stooges" is comedy. Persistent, uncorrected cybersecurity errors by agencies handling extremely sensitive information is a scandal with the potential for tragedy.

By reputation, the Nuclear Regulatory Commission is a tech-savvy organization. When President Gerald Ford signed the NRC's authorizing legislation, he said that licensing and regulating the civilian use of nuclear materials is a complicated job with "special potential hazards."

Nuclear reactors must be protected from earthquakes, terrorists and cyber attacks on the computers monitoring their output. However, investigators discovered that the NRC "stored sensitive cybersecurity details for nuclear (power) plants on an unprotected" computer. Storing security data for reactor computers on a non-secure computer is beyond bonehead. Moreover, the computer drive was "shared"; several offices could access the defenseless data. Cyberthieves and spies had multiple routes; lousy security in one office undermined tight security elsewhere. Ultimately, the report condemns the NRC's information technology experts for "perceived ineptitude."

On to money. Regulating and insuring the integrity of US stock markets is a central function of the SEC However, the SEC "routinely exposed extremely sensitive" New York Stock Exchange computer network data, including cybersecurity methods and procedures. The 2013 hack on Target stores compromised customer data and financially damaged the discount chain. The NYSE is a bigger target than Target. Hacking the Big Board wreaks global financial damage. Bonehead security sloppiness at the SEC, the NYSE's chief government regulator and policeman, gave hackers and terrorists the inside skinny on the market's IT defenses.

The report damns the U.S. Army Corps of Engineers. Hey, Corps' IT security is much worse than my pun. In January 2013, hackers penetrated Corps' computers, filching a "non-public database" with information on "the nation's 85,000 dams." The data included assessments of "each dam's condition, potential for fatalities if breached, (its) location and nearest city." If a dam's condition report addresses detailed structural weaknesses, a terrorist can better estimate exactly how much explosive his bomb requires and where he should place the device.

These sensational examples of inexcusable IT malfeasance appear on the report's introductory page. They reveal the compromise of sensitive regulatory data fundamental to each agency's central regulatory mission. Though sensational, they are representative. Other agencies have similar horror stories, including the Department of Defense, Department of Energy, the IRS, NASA, the FDA and Homeland Security. Homeland Security has experienced numerous problems in its cyber security office and its component agencies. The IRS bleeds sensitive taxpayer information. It "fails to encrypt sensitive data" and does not "properly fix known vulnerabilities."

Sophisticated hackers are a constant threat to everyone -- individuals, private businesses and government agencies. However, IG investigators found that many government breaches involve exploiting "mundane weaknesses." These include failure to install software patches and using weak passwords. Investigators often found passwords written on a worker's desk right beside a classified computer.

The government has issued numerous directives. "The National Institute of Standards and Technology, the government's official body for setting cybersecurity standards, has produced thousands of pages of precise guidance on every significant aspect of IT security. And yet agencies -- even agencies with responsibilities for critical infrastructure or vast repositories of sensitive data -- continue to leave themselves vulnerable, often by failing to take the most basic steps towards securing their systems and information."

Lots of taxpayer money buys little cyber defense. Since 2006, the federal government has spent at least $65 billion on computer and network security.

That figure is an estimate and may not include all military and intelligence agency expenditures. Despite the big bucks, security management, meaning security oversight and leadership to insure oversight, is inconsistent. Sloppiness and boneheadedness undermine discipline and thoughtful vigilance.

This is a major national security scandal. Loose disks do sink ships. It is time for the boneheads to roll.

Read Austin Bay's Latest Book

To find out more about Austin Bay and read features by other Creators Syndicate writers and cartoonists, visit the Creators Syndicate Web page at www.creators.com.

COPYRIGHT 2001 - 2024CREATORS SYNDICATE, INC.

On Point Archives:

On Point Archives: Current 2023  2022  2021  2020  2019  2018  2017  2016  2015  2014  2013  2012  2011  2010  2009  2008  2007  2006  2005  2004  2003  2002  2001

X

ad

Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contributions. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   Contribute   Close