Unisys, the IT computer services biz, is in hot water with the US government for allegedly twiddling its thumbs while foreign hackers had their way with Department of Homeland Security computers. The FBI is investigating Unisys, which holds a $1.7bn DHS security contract, over failing to detect data breaches linked to a Chinese …
1. The pretty easy one: just as Bush & Co. could claim they were misled about WMD in Iraq by the CIA & FBI, so apparently the DHS is allowed to fob off gaping holes in its systems on someone else. Thus: perhaps we ought to hold the executors of policy responsible for the execution of policy, not merely its enunciation.
2. Outsourcing is an excellent way to occult the facts. Outsource less savoury military, paramilitary and spy activities in Iraq to private contractors (mercenaries): the details can be hidden behind privacy laws and contractual obligations - obscuring that the gov't had a responsibility for the conduct of the war; outsource DHS IT and leaks can be blamed on the contractor not the DHS - obscuring that the DHS has a responsibility to ensure data security. In both cases the idea that one can trust the contractor without oversight is implicit, but that don't make it so.
3. WRT specifically the DHS, though the managers of that organization do have the authority to outsource the IT, they are still responsible for ensuring the IT operation is clean - whether contractors or employees do the work. There is an attempt to lay the blame and the cost elsewhere, protecting the people who run DHS and failed to ensure data security. This is much the same technique Bush & Co. have used to duck the responsibility for starting the Iraq war - apparently shoddy auditing followed by barefaced claims that "it was them, not us". Not having good auditing is a failure of duty by the people who run DHS, and they should be held to account.
My, hopefully even toned, $0.02.
And this is a surprise to...who?
To quote Hanlon's Razor: Never attribute to malice what can be adequately explained by stupidity.
An unknown number of Chinese citizens make a living by "gold farming". Some gold farmers play online games such as WoW for hours on end, collecting virtual goods to sell to westerners. More advanced gold farmers exploit the game's host servers/software in order to create virtual goods more rapidly. Some of these more advanced farmers are loosely organized into associations and cooperatives, and share knowledge about WoW (and other) server security.
Many USA Government systems are less well protected than typical online multiplayer gaming servers. (Sad but true.)
This entire fiasco could easily be the result of aggressive Chinese (gold) farming cooperatives looking for new ways to make money. They have the tools, personnel, time, skills, etc.
The government should just hire Blizzard Entertainment to run their secure server farms. Or maybe Google. Unisys is clueless. As are many of the old school telecomm companies.
- The Garret
You get what you pay for
From the Wash Post article:
"...under the follow-on contract, "DHS, citing lack of funding, elected to stop paying for security monitoring services," but that the firm continued to provide the monitoring anyway."
The follow-up contract started in '05. DHS wasn't PAYING for security monitoring, but Unisys did it anyway (which is illegal, I believe). Therefore during the breach in 2006, DHS basically got what they paid for.
Furthermore, IDS sensors are totally useless without constant skilled monitoring, and even then, you're going to miss something.
I agree totally that this is DHS's management utterly failing and Unisys getting the blame for it.
I've heard this excuse before...
Sounds like my kid: "I went through the motions, so if the job didn't get done it isn't MY fault."
Do what I would do - withhold everyone's allowance.
Yeah, Go Ahead. Privatize National Security.
This is the end result of outsourcing critical functions to private contractors, the government can't even protect itself.
Which kind of begs the question, how can they claim to be able to protect us?
This is a surprise?
DHS culture does not embrace IT security.
It is always a cost issue in that organization.
And these compromises are not because of outsourcing to private contractors, but rather outsourcing to the lowest bidder.
Who was responsible for auditing DHS computer security?
It's not clear from the article what was compromised; for example desktops or servers, or both? Were the machines behind the corporate firewall or in the DMZ?
DHS ought to have an independent security officer whose job it is to do a comprehensive security risk analysis and a thorough compliance audit, especially where contractors are concerned, to ensure that standards are adhered to and maintained. The responsibility for ensuring this happens lies squarely with DHS senior management. Vigilant, independent scrutiny of contractors is a basic 'must-have' where strategic IT is outsourced and contractor incentives and penalties must be appropriately aligned to prevent commercial interests from compromising quality of service.
Desktops running Windows are especially vulnerable. For handling sensitive information, thought should be given to systems which are easier to secure and present more difficult targets for hackers. In any case, steps should have been taken to ensure that the compromise of a desktop does not necessarily lead to the theft of information.
Having network intrusion detection is good, but security should be multi-layered and the set up provided by Unisys, for whatever reason, was clearly unable to prevent the theft of important information and the misuse of DHS assets.
Fed'l gov't contracting may be to blame
Both sides may be accurate as reported publicly, one would need to see the actual contract to understand in fullness.
Gov't contracts can be v-e-r-y specific, as in "Do task X in just this way". Unisys may very well have done exactly what they were hired to do, and the contract didn't ask them to do the specific things which would have detected or prevented the attack.
Can you imagine the uproar if the gov't had awarded Unisys a contract that said "do whatever it takes to make DHS secure" and Unisys had billed commensurately with "whatever it takes"?