I don’t think that the Washington Post editors really comprehend the magnitude of the federal government’s security problems:
What’s so disconcerting about the breach — other than its massive scale and possible value to Chinese espionage, of course — is that it is just one in a series of intrusions into vital computer systems of the U.S. government. The White House and the State Department last year discovered their e-mail systems had been compromised in an attack linked to Russian hackers. The OPM was the target of a smaller attack last year. Last week, the Internal Revenue Service said identity thieves had illegally obtained tax information on more than 100,000 households.
High-profile cyberattacks on such private companies as Sony Pictures Entertainment and Target prompted the White House to push the private sector to improve protections of its computer networks and share information on best methods. So there’s an unfortunate irony in the vulnerability of federal computer networks, which, as Rep. Adam B. Schiff (D-Calif.) noted, Americans expect to be “maintained with state-of-the-art defenses.”
Measures taken so far are clearly insufficient. We hope the breach at the OPM — among the largest thefts ever of government data — awakens the administration and Congress to the need for a robust strategy that puts safeguards in place and promises consequences for the people and countries who try to violate them.
The last “breach” mentioned, the exploit against the IRS, doesn’t fit the same model as the others. If the published reports are correct, nobody actually hacked anything there. They just used the system that was in place for an illegal purpose. As best I can tell, the system was inherently insecure. It should never have existed in the first place.
But let’s get to the nuts and bolts of the federal government’s lax security. Nothing can be done about it because no one can be held responsible.
If those who are notionally responsible for the security of the OPM’s systems are government employees, they’re protected by the Pendleton Act, the Civil Service Act of 1883. By the time anyone could be fired or even demoted, they’d have retired and be living in Barbados. If they’re contractors, it’s probably a sole-source contract. Most contracts requiring expertise are, and once the company has been in place for a few years, no other company would have the requisite knowledge or skills. The most that could happen is that they’d be yelled at. What would that accomplish? The single most important qualification for a PM on one of these contracts is a thick skin.
There are a thousand effective technical solutions to the problems. Just to name one: no personally identifiable information (PII) should be retained on mass storage unencrypted. Period. If the problem is one of legacy systems, those systems should be disconnected from any path to the public Internet. Would that be cumbersome? Yes. Security doesn’t mean being convenient. People might actually have to walk over to secured workstations. That’s what happens in secure environments. Horrors!
If there’s solid evidence that the exploit emanated from China, there should be more than a few cross words. There should be retaliation. As I’ve mentioned before, China is not a good Internet citizen. Just on my little blog, 80-90% of my unwanted traffic is from China. That’s probably true for every site in the world.