FBI Official on Cyber War: "We're not winning."

RobertKaucher | A cornfield in Ohio | Member | Posts: 4,299
U.S. Outgunned in Hacker War - WSJ.com

I'm pretty sure this comes as no surprise to any of us.

Comments

  • veritas_libertas | CISSP, GIAC x5, CompTIA x5 | Greenville, SC USA | Member | Posts: 5,738
    I think a lot of it is way overblown, and consists of more than a little paranoia, saber rattling, and of course the cyber military industrial complex.
    Currently working on: Linux and Python
  • coffeeluvr | Senior Member | NC | Member | Posts: 734
    Thanks for the link....
    "Something feels funny, I must be thinking too hard. - Pooh"
  • Sponx | Member | Posts: 161
    The government slacking...... This can't be so!
    Personal Website | LinkedIn Account | Spiceworks Account | Field Services Engineer

    Certifications (Held): A+, CWP, Dell Certified
    Certifications (Studying):
    Network+, Security+
    Certifications (In Planning): Server+,
    ICND1 (CCENT), ICND2 (CCNA)
  • Jayjett90 | Member | Posts: 30
    .....and why would this be surprising?
  • the_Grinch | Member | Posts: 4,165
    Yup, a good portion of this is about keeping money in their budgets and getting high paying contracts for businesses. There is a legitimate threat, but they never seem to come up with a legitimate method for mitigating said threat. Vicious cycle that just throwing money at won't fix.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • RobertKaucher | A cornfield in Ohio | Member | Posts: 4,299
    the_Grinch wrote: »
    Yup, a good portion of this is about keeping money in their budgets and getting high paying contracts for businesses. There is a legitimate threat, but they never seem to come up with a legitimate method for mitigating said threat. Vicious cycle that just throwing money at won't fix.

    I think one of the biggest issues that government faces is how you deal with the inherent conflict of interest you create when you build an organization (notice the etymological connection to organism) whose sole purpose is to destroy itself by eradicating its only reason to exist.
  • tpatt100 | Member | Posts: 2,991
    They have legitimate methods, the problem is having enough people to do the work let alone get funding to hire the people to do the work. When I was doing work for the Navy the guys that knew how to do the work were understaffed, and the people who were supposed to do the work were lacking the knowledge to contribute. Since they had many years in the military they got positions that contractors needed to be hired to do the work for.

    I used to have stakeholder meetings and there would be 10 people on the call. Only one of them was the "IT" guy; everybody else had IT "titles", but I could tell when I asked them questions that nobody had a clue what I was talking about, but some of the senior guys liked to throw their weight around...

    The big problem was if you already had a person that was supposed to do the work, and then a contractor that actually knew how to do the work your funding gets stretched thin. There is a reason Congress doesn't want to cut defense spending because it keeps some of those people employed.

    One of the primary reasons I got so upset with government work.
  • SephStorm | Member | Posts: 1,732
    If they need more security pros, you would figure they would start looking at places like here or other security forums as prime real estate...
  • msteinhilber | Member | Posts: 1,480
    I think a lot of it is way overblown, and consists of more than a little paranoia, saber rattling, and of course the cyber military industrial complex.

    This. Call me a bit woo woo if you will, but I think a lot of this just has to do with the desire for more monitoring and control of communications over the Internet. They really dislike people being able to express themselves easily to lots of people, look at what the Internet has enabled with the Arab Spring.. they don't want that to happen here. Granted real threats do exist - I think they stand to benefit in a couple ways here.
  • WafflesAndRootbeer | Member | Posts: 555
    How to improve cyber-security in the US.....

    1. Eliminate the contractors like Lockheed Martin and Northrop Grumman. They are the biggest problem and they are the ones sucking up huge amounts of money to not do their work and they refuse to adhere to the protocols and guidelines they helped create. Every single investigation over the past decade has concluded this and nothing has ever been done about it. Where I live, just outside of DC, we've had over 1 billion dollars in contractor fraud relating to the cyber infrastructure, specifically networking and security management over the last year alone.

    2. Consolidate the infrastructure. There is too much spread out all over the place under the auspices of too many different agencies and groups. Stuff needs to be locked down and there is no reason at all that it can't be done all in one place. Hundreds of millions of dollars have been wasted on networked infrastructure and data centers for individual agencies, often at significant overpaid expense such as what DHS did to the tune of many wasted millions per year on an overpriced agreement with another agency that owned the space.

    3. Remove the civilian Internet from the equation. You don't stick your weenie in a disease infested orifice and you don't keep your cash in a drawer by the front door of your home. The government can easily make their own private secure networks for specific uses, for very little money, yet they insist on continuing to use the Internet as the core of their whole infrastructure. We know for a fact that the very halls of power in DC are being used to run torrents, download child pornography, and a host of other illegal activities that compromise the security of government networks but nothing is ever done about it at the expense of taxpayers.

    4. Invest in some REAL training for Americans and hire them. Iran, that most huggable of huggable nations, has a state of the art Cisco network engineering training program that makes what we have here look like a Special Education program for brain damaged toddlers. Many other ME and Asian countries have similar operations and send their trainees over here to get those jobs that require a security clearance with these SMB contractors that get the government jobs. They even sell fake Cisco hardware to the government through the acquisition process to go along with their workers.

    5. Kill the aging hardware and software. XP is still widely in use as are older systems that have a high cost to maintain and those systems are not at all up to date with system patches or security fixes, making it easy to compromise things.
  • tpatt100 | Member | Posts: 2,991
    How to improve cyber-security in the US.....

    1. Eliminate the contractors like Lockheed Martin and Northrop Grumman. They are the biggest problem and they are the ones sucking up huge amounts of money to not do their work and they refuse to adhere to the protocols and guidelines they helped create. Every single investigation over the past decade has concluded this and nothing has ever been done about it. Where I live, just outside of DC, we've had over 1 billion dollars in contractor fraud relating to the cyber infrastructure, specifically networking and security management over the last year alone.

    2. Consolidate the infrastructure. There is too much spread out all over the place under the auspices of too many different agencies and groups. Stuff needs to be locked down and there is no reason at all that it can't be done all in one place. Hundreds of millions of dollars have been wasted on networked infrastructure and data centers for individual agencies, often at significant overpaid expense such as what DHS did to the tune of many wasted millions per year on an overpriced agreement with another agency that owned the space.

    3. Remove the civilian Internet from the equation. You don't stick your weenie in a disease infested orifice and you don't keep your cash in a drawer by the front door of your home. The government can easily make their own private secure networks for specific uses, for very little money, yet they insist on continuing to use the Internet as the core of their whole infrastructure. We know for a fact that the very halls of power in DC are being used to run torrents, download child pornography, and a host of other illegal activities that compromise the security of government networks but nothing is ever done about it at the expense of taxpayers.

    4. Invest in some REAL training for Americans and hire them. Iran, that most huggable of huggable nations, has a state of the art Cisco network engineering training program that makes what we have here look like a Special Education program for brain damaged toddlers. Many other ME and Asian countries have similar operations and send their trainees over here to get those jobs that require a security clearance with these SMB contractors that get the government jobs. They even sell fake Cisco hardware to the government through the acquisition process to go along with their workers.

    5. Kill the aging hardware and software. XP is still widely in use as are older systems that have a high cost to maintain and those systems are not at all up to date with system patches or security fixes, making it easy to compromise things.

    Say what? You have some contractor fraud but the main reason they have contractors is because the government employees lack the talent to stay up to speed.

    The DOD and Department of State do have their own network that is isolated, the rest of the government needs to more than likely move off the civilian side as well but again who will support it? Again more contractors.

    Also the government needs interaction with the civilian sector because it services the people, not all the government agencies can isolate them from the citizens they are supposed to serve.

    And I have no clue what you are talking about other countries sending their people here to take jobs requiring security clearances. I know several US citizens that had problems getting contracts due to some issue on a background check.

    Not sure if you are being sarcastic or just over generalizing or just making things up to be honest.
  • the_Grinch | Member | Posts: 4,165
    I think a number of virus infections over the years have proven that you don't need to be connected to the public internet to get infected (I.E. - usb).
  • tpatt100 | Member | Posts: 2,991
    the_Grinch wrote: »
    I think a number of virus infections over the years have proven that you don't need to be connected to the public internet to get infected (I.E. - usb).

    The problem with SIPR I kept running into was military personnel using USB drives to move stuff from NIPR to SIPR. Once it was on SIPR it stayed SIPR, but idiots always tried to be sneaky; eventually they blocked ports with group policy and then started tracking USB use.
  • Roguetadhg | CompTIA A+, Network+. | Member | Posts: 2,489
    Probably blown out of proportion - Granted it did hit the headlines, a lot. (Thank you Sony, twice)

    Hacking has never really disappeared. Whether it's grown, it probably has with more and more systems using the public internet as its backbone. Security, however, is not my forté. I stay away from diving too deep into the black depths of the internet - *shudders*
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • the_Grinch | Member | Posts: 4,165
    Yup. The other issue I always have is when people say "we need to consolidate all the various network connections". While it may be a pain to defend so many points, you open a can of worms when you create a couple choke points. Now instead of having to attack 100's of points, you have only a dozen or so. A well funded and determined attacker will not be stopped, too many ways to get around or through the defenses. Exercise best practice with all setups (network, server, desktops), provide security awareness training, perform audits (and actually fix issues that are discovered), and finally always be prepared. Not terribly difficult to follow those steps and be reasonably secure. You'll never be 100% secure, but with a solid risk assessment and disaster recovery plan you can at least be prepared.
  • tpatt100 | Member | Posts: 2,991
    Well hackers in Russia are attacking and stealing information from online credit report sites, Mastercard just disclosed they had a ton of personal information stolen. It is a problem but the private industry in my opinion is a better, easier, more effective target than the government. If I were an enemy of the state I would go after the financial sector first to disrupt services, then I would take out mobile companies and finally Facebook. (I am serious here lol).
  • higherho | Member | Posts: 882
    tpatt100 wrote: »
    The problem with SIPR I kept running into was military personnel using USB drives to move stuff from NIPR to SIPR. Once it was on SIPR it stayed SIPR, but idiots always tried to be sneaky; eventually they blocked ports with group policy and then started tracking USB use.

    DISA banned the use of USB flash devices. Only approved USB HDDs are allowed and we use DLP (an ePO HBSS module) to lock these down. It's a process to get it approved but it works.

    The biggest problem is the amount of work to secure a network but the LACK of help to do it. I see more and more management personnel but they won't hire more IT individuals.
    I would think the private sector is much worse. Also, developers need to think of securing their programs before they are on production or even test systems.
  • afcyung | Member | Posts: 212
    "Nobody ever defended anything successfully, there is only attack and attack and attack some more." --Gen Patton

    Cyber attacks are going to continue to rise as long as we do nothing but react to them.
  • tpatt100 wrote: »
    Well hackers in Russia are attacking and stealing information from online credit report sites, Mastercard just disclosed they had a ton of personal information stolen. It is a problem but the private industry in my opinion is a better, easier, more effective target than the government. If I were an enemy of the state I would go after the financial sector first to disrupt services, then I would take out mobile companies and finally Facebook. (I am serious here lol).

    I would prob take out Facebook first, as most of the people in the financial sector must be on it more than doing their jobs. :D
    Currently reading: Syngress Linux + and code academy website (Java and Python modules)


    "All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
  • SephStorm | Member | Posts: 1,732
    DISA banned the use of USB flash devices. Only approved USB HDDs are allowed and we use DLP (an ePO HBSS module) to lock these down. It's a process to get it approved but it works.

    And yet nearly a year after that policy was enforced, the Air Force stuck one in a plane and got infected. It's all about enforcement, and as long as there is someone who can say no, we're going to do this, it's going to happen.

    Say what? You have some contractor fraud but the main reason they have contractors is because the government employees lack the talent to stay up to speed.

    I take issue with that. The employees can stay up to speed, but there are a variety of issues that affect that. I'll refrain from specifics because I would not want to air our dirty laundry, but I can confirm that contractors often come in and the employees get pushed to the back. I've seen it for years now. It's due to a lack, IMO, of faith in the people that were hired to keep up, not an inability to do so. And I believe the poster makes a valid point. Contractors make a lot of concessions, and are not held to the same standard as official employees. An employee can say "No, you can't do this, it's in our policy." A contractor will generally fall back to the contract they were hired under, which often simply requires them to provide services. (There may be a clause regarding compliance with company policy, but how many of them sit through a class and learn the policies of the company they are going to work for? They get to work setting up systems and providing support.)
  • tpatt100 | Member | Posts: 2,991
    SephStorm wrote: »
    And yet nearly a year after that policy was enforced, the Air Force stuck one in a plane and got infected. It's all about enforcement, and as long as there is someone who can say no, we're going to do this, it's going to happen.



    I take issue with that. The employees can stay up to speed, but there are a variety of issues that affect that. I'll refrain from specifics because I would not want to air our dirty laundry, but I can confirm that contractors often come in and the employees get pushed to the back. I've seen it for years now. It's due to a lack, IMO, of faith in the people that were hired to keep up, not an inability to do so. And I believe the poster makes a valid point. Contractors make a lot of concessions, and are not held to the same standard as official employees. An employee can say "No, you can't do this, it's in our policy." A contractor will generally fall back to the contract they were hired under, which often simply requires them to provide services. (There may be a clause regarding compliance with company policy, but how many of them sit through a class and learn the policies of the company they are going to work for? They get to work setting up systems and providing support.)

    I was a government contractor for almost 12 years. From "my" experience, which does make my opinion heavily biased, the government employees are usually "cradle to grave" employees. And with that comes the attitude, from the several places I worked at, of "if you need it you better send me to training" vs "Well let me research it, practice in the practice lab, read some documents and test it out".

    I ran into that every single place I was a contractor. We always followed government policy, in fact we were used as examples numerous times if one of our people violated a policy. We had government employees download inappropriate stuff on issued laptops and they get a warning; one of our guys installed a game and got busted, boom, out the door, and he was then used as a warning to the government employees. I remember on the help desk a guy called and needed a file off another employee's machine. I said we could not do that without his permission. What does he do? He moves to the guy's desk and calls from his phone claiming to be him and says "hey I forgot my password can you reset it for me?" The lady I worked with asks me "didn't some guy call asking about getting a file off this machine?" I get on the phone and he hears my voice and hangs up. We file a report? Nothing; the union surrounded him and protected him.

    Every time there was something new brought into the environment, like when we got Sun servers, the few govt employees had to go to training while we just read a book and we still had to train them on what we trained ourselves.

    When I finally had it was when I was helping the Navy get their systems certified. Only one person on the conference calls had any knowledge of what to do, how to do it or what to do. Even their own written policies stated what their responsibilities were but they just would say "oh don't worry the contractor will do it". When the CISO came down hard and announced they had to do their own work, the stuff they were supposed to be doing for the past several years? Panic set in. So much finger pointing, they were all pencil whipping documents so long that technically they were supposed to be shut down because network diagrams no longer reflected anything like they had. Systems were added but not documented, etc, etc. They were all government employees/retired military who got GS positions to sit in a chair and sign stuff. None of them had any IT experience or they were so obsolete. The government wanted to keep them around so they get shuffled around.
  • 70P6BV8 | Registered Users | Posts: 7
    Good Morning to All,

    After reading the comments here about the FBI report, I am of 2 minds: One is, I am not surprised and the other side says, what is not being said, but is louder than the words we read.

    I was a Cryptologist Analyst (US Navy) for many years and I got used to reading between the lines as we were taught that what is not being said can be more important than what is written. Well, the report shows me that the FBI is awash in bureaucratic mud and everyone is either sinking or stuck in the "same ole environment" that let's throw money at it and add more bodies and we will surely fix the problem. Can we fix the problem? Sure, but it would take a mammoth person to change the course, re-evaluate all personnel on a true work, knowledge base, set a pay scale that is more a fair market set up and create less managers and then give the managers the ability to "manage" their people. Now, do I believe this will happen.....no.

    If anyone here has worked or is working in DC, you know that it is a different world inside the beltway. Totally different than most of what we see and hear in the real world. The mentality of working in "government" is truly a different experience and can so easily get caught in it and become part of the bubble that is DC. I wished that there were people, with the ability to change this place, to actually manage the offices like businesses and then, you would start getting a better job done.

    Now for reading between the lines, anyone hear about the new facility in Utah and who it belongs to? Try the NSA, and where do you think the best of the super computers are? That's right, in Utah. I believe that the notion that we cannot keep up may be just a sleight of hand while the other hand is doing the real work. Just my thoughts.