I recently came across a company with amazingly poor security practices. Over the course of time, the company was so lax about tracking its laptops that many were either lost or stolen with sensitive customer data, of course kept unencrypted on the laptop’s hard drives. For many months, the company had no Internet firewall. It didn’t track any network egress traffic and didn’t routinely examine any of its network log files to see what what actually going on across its infrastructure. Routine software updates were ignored, many of which had security implications. And the final coup de grace: it never kept any records of who had administrative access to various critical resources.
None of these things are hard to do. All can be done with technology that is common at least ten years ago, in some cases 20 years old. All require some diligence, and staying on top of things, and having the personnel who are responsible for these tasks to actually be doing them on a routine basis. So what happened? You probably won’t be surprised when I tell you that all of these activities were common IT practice at several US government agencies. We aren’t even talking about government contractors (which also fall down on the security job). These are full-time employees, and at agencies that should know better, such as the SEC or NRC. People that handle sensitive stuff.
As an aside, both agencies are among the top places to work for midsized agencies.The SEC actually has two IT specialist job openings (at least for now) that pay quite well. Sounds like a pretty cushy position to me, since you probably spend your time playing computer games or surfing the web.
And I haven’t even gotten to the latest revelations about Chinese hacking into the database of people who have applied for security clearances, which has been happening over the last year. This gives new meaning to being “red flagged.” Quite literally, and one with five yellow stars on it too.
My story gets worse. I should mention that many users were found with that old bugaboo, using “password” as their access passwords. Really? This is more than embarrassing.
And all jokes aside about going with the lowest bidder or cost overruns on $500 toilet seats. These agencies don’t have to buy anything much to cover the basics.
If a private industry CIO had this sort of security record, they would never work in IT ever again, unless to become a motivational speaker and tell people what not to do. Instead, because they are the Feds, we just shake our heads and wonder what is going on, and some how give them a free pass to mess something else up again. It really boils my blood.
I recently had a friend of mine ask me to serve as a reference for his security clearance renewal interviews. So chances are my name is in the hands of the Chinese somewhere. It was an interesting moment for me: when I met the investigator, he showed me his credentials, and I joked with him that I wouldn’t know if they were legit or not, I didn’t even know the name of the agency that he was supposed to be working for. As my friend explained, they aren’t looking for youthful indiscretions (not that I knew him when he was younger) but things that he hasn’t revealed on his application that can somehow be used to compromise him. Too bad the network administrators already blew it for him and millions of other Americans that are serving their country.
Okay, we lived through Healthcare.gov and all that mess. We made it through some pretty massive screw-ups where our 57 different intelligence agencies couldn’t even share basic threat information, or where innocent people with names that are similar to the bad guys are flagged by the TSA. This takes government tech to a new low.
When we can’t have basic, simple IT security practice that just involves people doing their jobs, that gets my goat. This is not a technology problem, it is a leadership and people problem.