
A case of do as we say, not as we do?

By Rayleen Pirnie posted 02-07-2014 15:43

We’re about a week out from the scheduled release of Obama’s Cyber Security Policy and Framework, and the debate around it is getting interesting.

A few year-old objections to Obama’s approach continue even today: Should the Department of Homeland Security (DHS) be responsible for, or have oversight of, private-sector security? What authority does this give the government over private-sector critical infrastructure (including financial institutions)? The same opponents voicing these and other concerns now have a new one: how can the government issue a cyber-security framework when many federal agencies have been found deficient in even fundamental security?
The latter argument was bolstered by a report from the Republican members of the Senate Homeland Security and Governmental Affairs Committee, titled The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure, released this week. The report details security shortfalls (and in some cases, outright failures) at agencies including the SEC, the Department of Education, and the Department of Energy.

A telling example concerns the Internal Revenue Service:
“Lousy user passwords. In March 2013, GAO [Government Accountability Office] reported that [the] IRS allowed its employees to use passwords that ‘could be easily guessed.’ Examples of easily-guessed passwords are a person’s username or real name, the word ‘password,’ the agency’s name, or simple keyboard patterns (e.g., ‘qwerty’), according to the National Institute of Standards and Technology. In some cases, IRS users had not changed their passwords in nearly two years. As a result, someone might gain unauthorized access to taxpayers’ personal information and it ‘would be virtually undetectable,’ potentially for years. GAO has cited IRS for allowing old, weak passwords in every one of its reports on IRS’ information security for the past six years.”
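The GAO finding above lists the categories NIST treats as easily guessed, plus stale passwords as a separate problem. The following is an added example (not from the report, the post, or any agency tool) of how a defender could screen an account inventory against exactly those categories; the keyboard rows, the 90-day maximum age, and the sample accounts are assumptions or constructed data.

```python
from datetime import date

# Keyboard rows used to catch simple patterns such as "qwerty" or "asdfgh".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MAX_PASSWORD_AGE_DAYS = 90            # assumed policy maximum, not from the report
AUDIT_DATE = date(2014, 2, 7)         # constructed audit date (the post's date)

def is_keyboard_pattern(pw: str, min_run: int = 4) -> bool:
    """True if the whole password is a run of adjacent keys on one row."""
    low = pw.lower()
    if len(low) < min_run:
        return False
    return any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)

def weak_password_reasons(pw, username, real_name, agency):
    """Return the NIST 'easily guessed' categories from the quote that pw matches."""
    low, reasons = pw.lower(), []
    if low == username.lower():
        reasons.append("equals username")
    name = real_name.lower()
    if low == name.replace(" ", "") or low in name.split():
        reasons.append("equals real name")
    if low == "password":
        reasons.append("is the word 'password'")
    if low == agency.lower():
        reasons.append("equals agency name")
    if is_keyboard_pattern(pw):
        reasons.append("keyboard pattern")
    return reasons

def audit_accounts(accounts, today=AUDIT_DATE, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Map username -> list of findings for every account that fails a check."""
    findings = {}
    for a in accounts:
        issues = weak_password_reasons(a["password"], a["username"], a["real_name"], a["agency"])
        age = (today - a["last_changed"]).days
        if age > max_age_days:
            issues.append(f"password unchanged for {age} days")
        if issues:
            findings[a["username"]] = issues
    return findings

# Constructed sample accounts; none of this is real data.
SAMPLE_ACCOUNTS = [
    {"username": "jdoe", "real_name": "Jane Doe", "agency": "IRS", "password": "jdoe", "last_changed": date(2012, 3, 1)},
    {"username": "asmith", "real_name": "Al Smith", "agency": "IRS", "password": "qwerty", "last_changed": date(2014, 1, 15)},
    {"username": "bkim", "real_name": "Bo Kim", "agency": "IRS", "password": "Gx7!pL2q#v", "last_changed": date(2014, 1, 20)},
]
```

Calling `audit_accounts(SAMPLE_ACCOUNTS)` flags `jdoe` (password equals the username and is nearly two years old) and `asmith` (keyboard pattern), while `bkim` passes every check.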

And considering Obama proposes that DHS manage oversight of the program, this is a not-so-reassuring finding: “The IG found vulnerabilities arising from missing patches on computers at the National Protection and Programs Directorate (NPPD), which houses the bulk of DHS’s cybersecurity efforts; on servers supporting U.S. Secret Service intelligence work; on computers supporting ICE Homeland Security Investigations’ Intelligence Fusion Systems, a powerful system allowing agents to query several sensitive databases; and on dozens of servers supporting TSA’s Transportation Worker Identification Credential (TWIC) program, which keeps biometric information and credentials for over two million longshoremen, truckers, port employees, mariners and others.”

The Cyber Security Framework is scheduled to be issued Feb. 13. Sen. Tom Coburn of Oklahoma, ranking member of the Senate Homeland Security committee, points out that the administration’s initiatives are aimed at the private sector, not the government. To date, we’ve heard no plans for the government to make its own critical networks more secure, networks known to come under attack quite frequently, so it’ll be interesting to see whether it takes its own advice.
