the_Grinch wrote: »
Yup, a good portion of this is about keeping money in their budgets and getting high-paying contracts for businesses. There is a legitimate threat, but they never seem to come up with a legitimate method for mitigating said threat. Vicious cycle that just throwing money at it won't fix.
veritas_libertas wrote: »
I think a lot of it is way overblown, and consists of more than a little paranoia, saber rattling, and of course the cyber military industrial complex.
WafflesAndRootbeer wrote: »
How to improve cyber-security in the US.....
1. Eliminate the contractors like Lockheed Martin and Northrop Grumman. They are the biggest problem and they are the ones sucking up huge amounts of money to not do their work and they refuse to adhere to the protocols and guidelines they helped create. Every single investigation over the past decade has concluded this and nothing has ever been done about it. Where I live, just outside of DC, we've had over 1 billion dollars in contractor fraud relating to the cyber infrastructure, specifically networking and security management over the last year alone.
2. Consolidate the infrastructure. There is too much spread out all over the place under the auspices of too many different agencies and groups. Stuff needs to be locked down and there is no reason at all that it can't be done all in one place. Hundreds of millions of dollars have been wasted on networked infrastructure and data centers for individual agencies, often at significant overpaid expense such as what DHS did to the tune of many wasted millions per year on an overpriced agreement with another agency that owned the space.
3. Remove the civilian Internet from the equation. You don't stick your weenie in a disease infested orifice and you don't keep your cash in a drawer by the front door of your home. The government can easily make their own private secure networks for specific uses, for very little money, yet they insist on continuing to use the Internet as the core of their whole infrastructure. We know for a fact that the very halls of power in DC are being used to run torrents, download child pornography, and a host of other illegal activities that compromise the security of government networks but nothing is ever done about it at the expense of taxpayers.
4. Invest in some REAL training for Americans and hire them. Iran, that most huggable of huggable nations, has a state of the art Cisco network engineering training program that makes what we have here look like a Special Education program for brain damaged toddlers. Many other ME and Asian countries have similar operations and send their trainees over here to get those jobs that require a security clearance with these SMB contractors that get the government jobs. They even sell fake Cisco hardware to the government through the acquisition process to go along with their workers.
5. Kill the aging hardware and software. XP is still widely in use as are older systems that have a high cost to maintain and those systems are not at all up to date with system patches or security fixes, making it easy to compromise things.
the_Grinch wrote: »
I think a number of virus infections over the years have proven that you don't need to be connected to the public internet to get infected (i.e., USB).
tpatt100 wrote: »
That was the problem with SIPR I kept running into: military personnel using USB drives to move stuff from NIPR to SIPR. Once it was on SIPR it stayed SIPR, but idiots always tried to be sneaky. Eventually they blocked ports with group policy and then started tracking USB use.
tpatt100 wrote: »
Well, hackers in Russia are attacking and stealing information from online credit report sites; Mastercard just disclosed they had a ton of personal information stolen. It is a problem, but the private industry in my opinion is a better, easier, more effective target than the government. If I were an enemy of the state I would go after the financial sector first to disrupt services, then I would take out mobile companies and finally Facebook. (I am serious here lol).
DISA banned the use of USB flash devices. Only approved USB HDDs are allowed and we use DLP (an ePO HBSS module) to lock these down. It's a process to get it approved but it works.
Say what? You have some contractor fraud but the main reason they have contractors is because the government employees lack the talent to stay up to speed.
SephStorm wrote: »
And yet nearly a year after that policy was enforced, the Air Force stuck one in a plane and got infected. It's all about enforcement, and as long as there is someone who can say no, we're going to do this, it's going to happen.
I take issue with that. The employees can stay up to speed, but there are a variety of issues that affect that. I'll refrain from specifics because I would not want to air our dirty laundry, but I can confirm that contractors often come in and the employees get pushed to the back. I've seen it for years now. It's due to a lack, IMO, of faith in the people that were hired to keep up, not an inability to do so. And I believe the poster makes a valid point. Contractors make a lot of concessions, and are not held to the same standard as official employees. An employee can say "No, you can't do this, it's in our policy." A contractor will generally fall back to the contract they were hired under, which often simply requires them to provide services. (There may be a clause regarding compliance with company policy, but how many of them sit through a class and learn the policies of the company they are going to work for? They get to work setting up systems and providing support.)