DHS derided due to dodgy digital defenses (and not MS Surface)
Fantastic-fantastic, it's Friday's IT Blogwatch: in which the Dept. of Homeland Security gets hauled over the coals for its lousy IT security. Not to mention Microsoft Surface, as you've never seen it before (i.e. hilarious)...
A House subcommittee investigating cybersecurity vulnerabilities at the U.S. Department of Homeland Security yesterday blasted the agency's CIO for his alleged lack of leadership on key security issues. Subcommittee members also questioned DHS CIO Scott Charbo's willingness to make needed security fixes and his ability to head the agency's IT operations. Charbo rebutted the charges, saying that much of the criticism was based on outdated data that ignored security improvements the agency has been making.
The attacks on Charbo came at a hearing held by a subcommittee of the Committee on Homeland Security ... In prepared testimony, ... Rep. James Langevin (D-R.I.), chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, which held the hearing ... expressed "shock and disappointment" that the DHS had reported as many as 844 security incidents in fiscal years 2005 and 2006. The incidents occurred on IT networks at DHS headquarters, and those belonging to Immigration and Customs Enforcement, Customs and Border Protection (CBP) and the Federal Emergency Management Agency.
The security issues highlighted by Langevin in his testimony included one in which a password dumping utility was found on two DHS servers. In addition, Trojans and other malicious programs were found on numerous agency servers, and classified mail was found to have been sent out over insecure networks ... the agency has so far failed to mandate two-factor authentication across its networks, perform ingress or egress filtering on its networks, or perform audits to look for rogue tunnels ... Langevin also expressed dismay at what he said was Charbo's unwillingness to invest needed resources to fix such issues.
[These] data [show] hundreds of digital break-ins and shoddy security practices at the very agency that is supposed to lead the government's cyber security efforts ... DHS and its constituent agencies have suffered more than 800 serious computer security incidents from 2005 through 2006, including compromised agency Web sites, unchecked computer virus and worm infections, and digital intruders that were quietly transmitting stolen data out of government networks [also] system compromises that lead to "classified data spills" within DHS.
...
DHS's chief information security officer's budget shrank or remained stagnant over the past three years, even in the face of persistent security problems at the agency. In 2005, DHS allocated just $17.5 million for its CISO office, a figure that fell to just $15 million in FY2007.
Rodney J. Petersen squints to see the light at the end of the tunnel:
Witnesses, who included the CIO from DHS and representatives of the Government Accountability Office, were cautious to acknowledge that progress is being made despite shortcomings in DHS's information security program. Rep. Thompson remarked, "The American people are tired of hearing that getting a 'D' is a security improvement," referring to the recent Annual Report Card on Computer Security for Federal Departments and Agencies.
Barry Levine stretches an analogy to breaking point:
Some observers might characterize this latest development as the governmental equivalent of the shoemaker's children going barefoot, except that other major U.S. departments -- and their offspring agencies -- are also going barefoot.
In April, a report by a House committee gave failing grades for computer security to eight federal agencies, including the Departments of Defense, Agriculture, Commerce, Education, Interior, State and Treasury, and the Nuclear Regulatory Commission. DHS earned a D, an improvement from 2005. Overall, the federal government posted a C-, which wouldn't be good enough to get into Harvard but was an improvement over its previous marks ... [but] there has been criticism from outside organizations that the criteria for these security grades relate more to how well departments can fill out forms than their ability to implement actual precautions, including tests to measure their vulnerability to attack.
Nate Anderson hits the déjà vu button:
It's not news that the Department has security problems. The Transportation Security Administration, the branch of the DHS which handles airport security, just recently suffered a high-profile data breach when a hard drive containing TSA personnel information (including the names of past federal air marshals) went missing, and DHS employees admitted to Congress that this was Kind Of A Big Deal™.
...
Scott Charbo, the chief information officer at DHS, told Congress that DHS planned to spend $332 million (PDF of his testimony) on IT security in 2007, and he claims that DHS is making progress. Investigators from the GAO agree, but say that the Department still has a long way to go.
But Your Humble Blogwatcher waves his hand dismissively:
Trojans? Unencrypted sensitive email? Oh, big fat hairy deal. C'mon, this is nothing that you couldn't find in most organizations of that size. It's hardly DHS's fault.
Give them a break. In fact, give them all a big pay rise -- especially those nice officers who work the immigration and customs desks at America's fine airports (and the ones who sit in Canada, too). I do like them a lot, and look forward to my time chatting with them every time I visit the U.S.
They are all, without exception, wonderful people, and anyone who says otherwise is probably some sort of terrorist.
Buffer overflow:
Around the Net
- Paul Krill: Messaging standard OK'd for Web services
- Bobbie Johnson: Why Yahoo! would be mad to sell to Murdoch
- Marc Andreessen: The Pmarca Guide to Big Companies, part 1: Turnaround!
- Michael Farnum: How security assessments are like going to the dentist
- Storage anarchist: a terabyte isn't enough for my home
- Epicenter: Flight of the Googlers: Benchmark Capital Raids Mountain View
- Artur Bergman: Amazon Web Services and the lack of a SLA
- Mike Masnick, Techdirt: No, An iPhone Isn't Designed For Enterprise Security; Did Anyone Claim It Was?
- Eric Roch: SOA Maturity Model
- Anne Broache: Internet radio to go silent on June 26?
Around Computerworld
- Robert L. Mitchell: iPod teardown: Study reveals where the parts come from; where the money goes
- Michael R. Farnum: PayPal using security tokens
- Shark Tank: Just...all of them, OK?
- Richi Jennings: A (partial) spammer taxonomy
- Preston Gralla: Google: Do no evil ... except in China
- Shark Bait: My boss made me ask the CEO to write a report
Previously in IT Blogwatch
And finally... How SarcasticGamer would have promoted Microsoft Surface
Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk.