Information Security News mailing list archives

U.S. Security Scare: Dumb and Dumber


From: InfoSec News <isn () C4I ORG>
Date: Fri, 15 Sep 2000 01:23:40 -0500

http://www.ecommercetimes.com/news/viewpoint2000/view-000914-1.shtml

By Mick Brady
E-Commerce Times
September 14, 2000

Everyone must be stupid. That's the only conclusion possible in light
of the recent report released by the General Accounting Office (GAO)
on the lamentable state of U.S. government Web site security.

Certainly, the 24 government agencies reviewed must be stupid. The GAO
report said they have "serious and widespread weaknesses" in spite of
the fact that they were alerted to the problems by a similar negative
report in 1998.

Nobody's Perfect

The GAO says that personal information about individuals can easily be
obtained from government computers; defense secrets are at risk of
exposure; IRS data can be modified or destroyed; Social Security
information is unprotected; and EPA computers are highly vulnerable to
tampering -- to name just a few items in a litany of unsettling
findings.

All these disclosures about security holes have me thinking the GAO
must be stupid, too. Why would an arm of the government spread the
word about vulnerabilities that "put critical operations and assets at
risk" in a report that is available for the reading pleasure of every
cracker, hacker and terrorist from here to Libya?

The Democrats must be stupid for giving the Republicans such a clear
target in an election year -- after all, national security is a pretty
important issue, and the administration has had at least two years to
get this part of the house in order. Astonishingly, there doesn't seem
to be an outcry from the Republican camp. Oh. They must be stupid,
too.

Where's the Greed?

What is most incredible is the seeming lack of interest -- or further
evidence of stupidity -- on the part of every Tom, Dick or Jane who
might want to erase his income tax debt or fatten her monthly Social
Security check.

Why haven't radical environmentalists or money-grubbing polluters
tampered with EPA files to advance their causes? Why haven't
anarchical college students, Colombian drug lords or Slobodan
Milosevic brought down the Department of Defense? Stupid, stupid and
really stupid.

Perhaps there is an alternative explanation.

In Defense of Geeks

My theory is that the weaknesses the GAO is so hot about are not so
critical after all -- they would either have been fixed by now or the
sky would have long since fallen.

Now, I'm as willing as the next cynic to believe that politicians and
government bureaucrats are so consumed with ulterior motives that they
could conceivably put the country at risk through self-centered
promotion of their own agendas. But those guys aren't running the
government's computers.

The government's computers are being run by computer technicians. As a
class, they are highly trained, sometimes even brilliant, and often
apolitical. Fortunately, you don't have to be one to know that for the
most part, they are very far from being stupid.

Don't Panic

I am not proposing that those 24 agencies should thumb their noses at
the GAO for another two years, but I am suggesting that the accounting
office may well have gone a little over the top with its warnings and
exclamation points -- perhaps because it felt snubbed the last time it
got hit in the head with a rock.

Certainly, if the security breaches are anything like as serious as
the report implies, the potential crises should be addressed in dimly
lit underground chambers far from snooping ears or eyes, by
high-ranking officials entrusted with the safety of our nation -- rather
than broadcast in the media.

If the weaknesses are more along the lines of nuisance holes that
allow access to scoundrels like the hacker "Pimpshiz" -- who broke
into some government sites to spray cyber-graffiti on content pages --
well, they should be fixed, but they shouldn't assume priority over
more pressing jobs that may need to be done.

Like fixing the Y2K bug.
