Report: Federal Workers, Contractors Behind Half of Government Cyber Breaches

schwit1 writes: Federal employees and contractors are unwittingly undermining a $10 billion-per-year effort to protect sensitive government data from cyberattacks, according to a published report. The AP says that workers in more than a dozen agencies, from the Defense and Education departments to the National Weather Service, are responsible for at least half of the federal cyberincidents reported each year since 2010, according to an analysis of records.
  • turn off autoplay (Score:3, Informative)

    by Anonymous Coward on Monday November 10, 2014 @12:34PM (#48351373)

    If you don't want to watch 4 unrelated videos at once, turn off autoplay before visiting the sites in the summary.

    • Re:turn off autoplay (Score:5, Informative)

      by ShanghaiBill ( 739463 ) on Monday November 10, 2014 @12:43PM (#48351463)

      If you don't want to watch 4 unrelated videos at once, turn off autoplay before visiting the sites in the summary.

      Also, you don't need to click both links, since they are the exact same story, word for word. One is the AP report, the other is the Fox News verbatim repost of the AP report.

  • About right (Score:5, Interesting)

    by kilfarsnar ( 561956 ) on Monday November 10, 2014 @12:42PM (#48351453)
    The statistic I have always heard is that 60% of intrusions are internal. So 50% of breaches coming from employees sounds about right. It's a lot easier to steal stuff if you have a key. And as we have learned again over the past 6 years or so, the best way to rob a bank is to own one.
    • Re:About right (Score:4, Interesting)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday November 10, 2014 @12:52PM (#48351575)

      It doesn't even have to be that intentional. From TFA:

      They have clicked links in bogus phishing emails, opened malware-laden websites and been tricked by scammers into sharing information.

      One was redirected to a hostile site after connecting to a video of tennis star Serena Williams.

      People are usually the weakest link in a security system.

      And it does not sound like that security system is very well designed in the first place.

      • by TWX ( 665546 )
        Plus it's getting harder to avoid those kinds of masquerading link attacks while still enjoying the cross-site linking capabilities that the web was designed for. I attempt to keep JavaScript, Flash, and other things turned off, but it's getting harder and harder to look at web content without those things.
  • by Radical Moderate ( 563286 ) on Monday November 10, 2014 @12:47PM (#48351519)
    From TFA: "Since 2006, there have been more than 87 million sensitive or private records exposed by breaches of federal networks, ..... By comparison, retail businesses lost 255 million records during that time, financial and insurance services lost 212 million and educational institutions lost 13 million."

    My bank is constantly sending out new credit cards because businesses (hey there Home Depot!) won't implement basic security measures to prevent data theft. Data security is a serious issue that needs to be addressed, but "Blame the incompetent gubmint!!!" isn't where we should start.
    • by mysidia ( 191772 ) on Monday November 10, 2014 @01:14PM (#48351855)

      Businesses (hey there Home Depot!) won't implement basic security measures to prevent data theft. Data security is a serious issue that needs to be addressed

      Yes... PCI was a start, but we need new regulations; first of all, Businesses should be liable for costs to consumers resulting from breaches. There should also be a statutory liability for not being able to prove to within certain standards to consumers and independent auditors that their information is secure and has not been leaked.

      In the event a customer's information gets leaked; the burden of proof should rest on the business.

      And companies that collect SSNs or other PII that can be used to conduct ID theft should be required to take out an insurance policy to cover at least a portion of their potential liability.

      They should be required to have 3rd party independent oversight, and there should be a fine for failures to comply, money which should be distributed to the affected customers, AND there should be a bounty for the company overseeing them spotting an error.

      • by Jawnn ( 445279 )

        And companies that collect SSNs or other PII that can be used to conduct ID theft should be required to take out an insurance policy to cover at least a portion of their potential liability.

        That's probably not going to solve the problem. There's already a land-rush business in such policies for "covered entities" and "business associates" encumbered by HIPAA, and the general consensus is that they are not worth the paper they're written on. All include (not surprisingly) clauses that require the insured to have "implemented all required safeguards..." (or words to that effect). The problem is that there is no "standard requirement". The clause is just weasel-wording to ensure that no matter wh

        • by mysidia ( 191772 )

          All include (not surprisingly) clauses that require the insured to have "implemented all required safeguards..."

          If such a clause exists, then the feds' view should be that the insurance policy is not compliant with the requirement, because the purpose of the insurance requirement is to help protect consumers against insolvency of the business, as such, the insurance policy should be required to payout to a trust sufficient amounts which can only be redeemed by those whose information was leaked or who s

    • Wrong. They have basic security.

      What is really the cause is running Windows combined with outsourcing to locations that have NO vested interest in the company and are paid very low relative to other nations.
      For example, nearly all of the companies that have been cracked of late (Target, Neiman Marcus, Home Depot, etc.) had (and most still do) outsourced production admin to India. In India, they pay these ppl less than $10,000 due to exchange rate manipulation. Others in China and Russia simply offer a p
  • by CaptainDork ( 3678879 ) on Monday November 10, 2014 @12:52PM (#48351571)

    ... instead of fixing the goddam problem.

    FTFA:

    "No matter what we do with the technology ... we'll always be vulnerable to the phishing attack and ... human-factor attacks unless we educate the overall workforce," said Eric Rosenbach, Assistant Secretary of Defense for Homeland Defense and Global Security.

    Bold is mine.

    So much for AI in doing anything useful in protecting systems, and it's not the overall workforce that needs educating ... it's the fucking gatekeepers -- IT and software/hardware manufacturers.

    It's a bitch that we send people to schools to be experts in their craft and then we have to educate the consumers of our craft because we are so fucking incompetent.

    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday November 10, 2014 @01:04PM (#48351727)

      If education could have worked, it would have worked by now.

      So much for AI in doing anything useful in protecting systems, and it's not the overall workforce that needs educating ... it's the fucking gatekeepers -- IT and software/hardware manufacturers.

      The problem is that even if the IT people are competent they have to be MORE competent than everyone who can attack them. Why does everything have to be connected to the Internet?

      And they have to be that competent with the software/hardware that they're using. How many times has the purchasing decision been made before you've even been aware of the issue?

      Which leads to the issues that the software/hardware vendors have within their own companies. Ship today and we'll patch tomorrow. Got to get to market before the competition.

      And that isn't considering the problems that "management" at the company you work for keeps introducing. I cannot tell you how many times some executive simply had to have admin access on his laptop which resulted in massive infections being brought onto the network.

      Security is easy --- in theory.
      But it depends upon hundreds or thousands of decisions being made correctly. By people who have no incentive to protect the security of the systems you support.

      • I do federal government InfoSec. When there is a conflict between the mission and security, the manager will overrule the system administrator every time. Even in the military, where lives are potentially at risk.

        Sure, there are a lot of less-than-competent admins out there, but a lot more of the problem is political rather than technical than most people realize.

        • by khasim ( 1285 )

          Sure, there are a lot of less-than-competent admins out there, but a lot more of the problem is political rather than technical than most people realize.

          Yes. I think it is because the political issues stem from status battles. If you can overrule IT then you have more status.

          If you cannot overrule IT then you have less status than the nerds.

          And YOUR status, today, is worth more than the risk of someone else's life, possibly, sometime in the nebulous future.

          Particularly because you can still blame IT for not

        • by Anonymous Coward

          I do federal government InfoSec. When there is a conflict between the mission and security, the manager will overrule the system administrator every time. Even in the military, where lives are potentially at risk.

          Sure, there are a lot of less-than-competent admins out there, but a lot more of the problem is political rather than technical than most people realize.

          Definitely not true in the agency I'm in: Security rules, to the detriment of the mission. We're grinding to a halt under new security rules that have been implemented without accompanying processes in place. "We used to do X, but we can't any more for security reasons." "Okay, what's the new way?" "Y, and it'll be in place next year." "But, uh...we need to get work done NOW." "Well, you can't do X or Y." I want to keep our data safe, too, but we also need to get our projects done...it'd be nice if

        • If you IA types understood how a network actually works, maybe we could talk, but get your CISSP and make big bucks saying NO.

          Example:
          Backup program needs Port X open to initiate backups on remote servers (remember we are an Enterprise, Remote Management and all). Vendor did not adequately document port but our firewall logs and sniffer clearly indicate this message originates from the control server and goes to the Media server to initiate the backup.

          What does IA do? Stops all backups until paperwork is finished,

      • by SeaFox ( 739806 )

        The problem is that even if the IT people are competent they have to be MORE competent than everyone who can attack them. Why does everything have to be connected to the Internet?

        Because there is always someone who thinks they need to be able to access the system from wherever they are in the world. Either a big-wig who wants access to data, or an IT person who wants to be able to work on system issues from his home when things happen in the middle of the night.

        Security suffers at the hands of the human penchant for laziness.

  • by Anonymous Coward

    And here I thought those guys didn't do anything all day...

  • by Cid Highwind ( 9258 ) on Monday November 10, 2014 @01:14PM (#48351859) Homepage

    Dear US military and federal contracting wanker-sphere,
    I know you were 30 years late discovering this whole internet thing, so imagery and phrases from 1980s cyberpunk still sound super-duper-cutting-edge to you, but can you please stop using "cyber" as a catch-all for everything connected to computers? Thanks.

    PS: When you leave a laptop full of citizens' private information on the bus, and a million people's social security numbers turn up on pastebin the next day, that's called "negligence" not "a cyberattack".

    • Actually, the "US military and federal contracting wanker-sphere" were among the few organizations that spent big bucks on the foundational concepts of networking that eventually led to the Internet. Look up the history of DARPA sometime. The first letter in the acronym, D, stands for Defense.

      Their reasons for using "Cyber" in front of everything are for completely different reasons. Beancounters in the massive federal bureaucracy system need distinctive search keywords for disparate efforts. If they just

    • Do you know who created the internet? Hint: it wasn't Al Gore. What does DARPA stand for again?
  • They need to be taking proactive steps to securing their systems not only against outside threats, but from the idiots using their systems/networks. Isn't this like common knowledge, your users are your worst enemy?

    Oh wait, it's the guberment. All bets are off, I guess. Common sense need not apply.

  • by gestalt_n_pepper ( 991155 ) on Monday November 10, 2014 @02:38PM (#48352803)

    All of it can be overcome by a janitor with a USB drive with penetration software.

    Security culture is worse. Elaborate passwords. Two or three factor identification. Putting the security burden on the user in general. All you do is:

    1) Inconvenience users and make productivity next to impossible.

    2) Create an entire culture of employees who must, in order to get any work done, know how to hack their way into corporate systems from outside (I know of two ways. My IT guy knows about 6 entirely different ways), and frequently, inside.

    The problem is that security guys get bonuses for reducing intrusions (as they count them). Everyone else gets bonuses for getting their work done and being productive, which frequently isn't something that ever gets on a spreadsheet.

    And upper management, as usual, is too stupid, distracted with power politics and just plain pig-ignorant to understand this.

  • Why are government employees web surfing? Don't they have anything better to do?
    • by SeaFox ( 739806 )

      Why are government employees web surfing? Don't they have anything better to do?

      Don't you love it when people complain about government workers/contractors doing non-work related activities, but then they turn around and complain about their own boss treating them like a machine and expecting them to be productive every minute they're on the clock?

  • Workers are responsible for half of cyber incidents? Well, if opening an email or clicking a link as described in the article makes the worker responsible, then so be it. But, in the days before the internet, when corporate (or government) espionage was the issue, it wasn't the worker who created the report that was responsible for it being stolen, but the actual thief. So, other than another attempt to denigrate government workers, why if somebody sends a malicious link is it not the person who sent the li

  • ... a person in the workforce asks me if an email is safe.

    I grab their email.

    The sender is apparently UPS, and the package ain't going nowhere until I click on the attached invoice and correct the ship-to address and stuff.

    NOW PAY ATTENTION:

    I look at the attachment and it's a .zip file. I double-click the .zip and, inside, there's a goddam .exe.

    UPS isn't going to send an attachment in the first place, and it damn sure isn't going to be an .exe, right?

    Why in Sam Hill can't a small, fast AI scrubber do this
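The attachment check this comment describes, written out as an added example (not code from the post or from the AP report): parse an email, pull out its attachments, and flag any that are Windows executables, whether by extension, by the `MZ` header at the start of the file, or inside a zip wrapper. The sample "UPS invoice" message, the addresses and the filenames are constructed here for illustration, and the function names are this example's own.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions a courier "invoice" should never carry, plus the two-byte DOS/PE
# header that every Windows executable starts with (catches renamed files).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
MZ_MAGIC = b"MZ"


def _is_executable(name: str, head: bytes) -> bool:
    """Flag by extension or by magic bytes, so invoice.exe renamed to invoice.pdf still trips."""
    lower = name.lower()
    if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    return head[:2] == MZ_MAGIC


def scan_attachment(name: str, data: bytes) -> list:
    """Return human-readable findings for one attachment (empty list means nothing flagged)."""
    findings = []
    if _is_executable(name, data):
        findings.append(f"executable attachment: {name}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Read only a few bytes of each member: enough for the magic check,
                # and bounded so an oversized member cannot exhaust memory here.
                with zf.open(info) as member:
                    head = member.read(4)
                if _is_executable(info.filename, head):
                    findings.append(f"executable inside archive {name}: {info.filename}")
    return findings


def scan_email(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and scan every attachment part."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        findings.extend(scan_attachment(name, data))
    return findings


def build_sample_email() -> bytes:
    """Constructed sample: a fake courier notice whose zip wraps a fake PE stub. Not a real message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_4471.exe", MZ_MAGIC + b"\x90\x00" + b"\x00" * 60)
    msg = EmailMessage()
    msg["From"] = "UPS Shipping <no-reply@example.invalid>"  # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Delivery on hold: correct ship-to address"
    msg.set_content("Your package cannot be delivered until the attached invoice is corrected.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return bytes(msg)


if __name__ == "__main__":
    for finding in scan_email(build_sample_email()):
        print(finding)
```

The extension list is deliberately short and the check is deliberately dumb: it is the "a courier does not send .exe files" rule from the comment, not a malware classifier. The magic-byte test is what makes it worth running at a mail gateway rather than leaving to the user, since a renamed executable looks identical to a PDF in a mail client's attachment list.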

  • "Report: Federal Workers, Contractors Behind Half of Government Cyber Breaches"

    Since the government employs about half of the people in the US this is probably statistically correct for anything :)
