Information Security News mailing list archives
U.S. Security Scare: Dumb and Dumber
From: InfoSec News <isn () C4I ORG>
Date: Fri, 15 Sep 2000 01:23:40 -0500
http://www.ecommercetimes.com/news/viewpoint2000/view-000914-1.shtml

By Mick Brady
E-Commerce Times
September 14, 2000

Everyone must be stupid.

That's the only conclusion possible in light of the recent report released by the General Accounting Office (GAO) on the lamentable state of U.S. government Web site security.

Certainly, the 24 government agencies reviewed must be stupid. The GAO report said they have "serious and widespread weaknesses" in spite of the fact that they were alerted to the problems by a similar negative report in 1998.

Nobody's Perfect

The GAO says that personal information about individuals can easily be obtained from government computers; defense secrets are at risk of exposure; IRS data can be modified or destroyed; Social Security information is unprotected; and EPA computers are highly vulnerable to tampering -- to name just a few items in a litany of unsettling findings.

All these disclosures about security holes have me thinking the GAO must be stupid, too. Why would an arm of the government spread the word about vulnerabilities that "put critical operations and assets at risk" in a report that is available for the reading pleasure of every cracker, hacker and terrorist from here to Libya?

The Democrats must be stupid for giving the Republicans such a clear target in an election year -- after all, national security is a pretty important issue, and the administration has had at least two years to get this part of the house in order.

Astonishingly, there doesn't seem to be an outcry from the Republican camp. Oh. They must be stupid, too.

Where's the Greed?

What is most incredible is the seeming lack of interest -- or further evidence of stupidity -- on the part of every Tom, Dick or Jane who might want to erase his income tax debt or fatten her monthly Social Security check.

Why haven't radical environmentalists or money-grubbing polluters tampered with EPA files to advance their causes? Why haven't anarchical college students, Colombian drug lords or Slobodan Milosevic brought down the Department of Defense?

Stupid, stupid and really stupid.

Perhaps there is an alternative explanation.

In Defense of Geeks

My theory is that the weaknesses the GAO is so hot about are not so critical after all -- they would either have been fixed by now or the sky would have long since fallen.

Now, I'm as willing as the next cynic to believe that politicians and government bureaucrats are so consumed with ulterior motives that they could conceivably put the country at risk through self-centered promotion of their own agendas.

But those guys aren't running the government's computers. The government's computers are being run by computer technicians. As a class, they are highly trained, sometimes even brilliant, and often apolitical. Fortunately, you don't have to be one to know that for the most part, they are very far from being stupid.

Don't Panic

I am not proposing that those 24 agencies should thumb their noses at the GAO for another two years, but I am suggesting that the accounting office may well have gone a little over the top with its warnings and exclamation points -- perhaps because it felt snubbed the last time it got hit in the head with a rock.

Certainly, if the security breaches are anything like as serious as the report implies, the potential crises should be addressed in dimly lit underground chambers far from snooping ears or eyes, by high ranking officials entrusted with the safety of our nation -- rather than broadcast in the media.

If the weaknesses are more along the lines of nuisance holes that allow access to scoundrels like the hacker "Pimpshiz" -- who broke into some government sites to spray cyber-graffiti on content pages -- well, they should be fixed, but they shouldn't assume priority over more pressing jobs that may need to be done.

Like fixing the Y2K bug.

ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".