Absolutely Bill, That is always the case with the government (I have worked with them a lot). They build lots and lots of procedure and process and dumb standards (mandatory POSIX compliance?!?!?, that was a good one) when step one would have been to get current firewall technology in place, have current operating systems, and patch known vulnerabilities (which is why you want the current operating systems). Instead, they go out and commission multi-million dollar consulting contract that spend time drawing up blueprints for the be-all end-all systems that no one is going to fund. When you look at the way the government goes about things like simply setting up the Healthcare website, it is miraculous that they even knew they got hacked. I will bet for every documented breech like this there are hundreds of continuous vulnerabilities being exploited that they don't even know about. These are just the weak ones that got caught. They still tend to look at these systems like their old mainframe based systems instead of looking at desktops, servers, and networks as separate independently upgradable parts. This makes all of their planning so massive that it can never be implemented so no one ever starts. Eventually the desktop OS gets too old to support, the servers have to stay compatible with the old desktops, the software application can't be upgraded because it does not run on the old database, etc etc etc... until the whole system collapses and you have to get the forklift. This director has nothing to do with it. I think they might need to eliminate some useless department and create or hire an IT organization that operates like a service provider to all of these agencies. Steve Naslund Chicago IL
Hi Ronald,
The core problem here is that the Authority To Operate (ATO) process consumes essentially the entire activity of a USG computing project's security staff. The non-sensical compliance requirements, which if taken literally just about >prevent you from ever connecting any computer to any other, get in the way of architecting systems around pragmatic and effective security.
There's no use blaming the director for a broken system she's compelled to employ, one far out of her control. The next warmer of that seat is constrained to do no better.
Regards, Bill Herrin