The Boom (Or Bubble) In Federal Cybersecurity 72
Hugh Pickens writes "The Washington Post reports that the increasing number and intensity of cyberattacks has attracted the attention of the Obama administration and Congress, which have begun steering dollars to the problem. Much of that new spending, estimated at $6 to $7 billion annually just in unclassified work, is focused on the Washington region, as the federal government consolidates many of its cybersecurity-focused agencies in the area. 'I think it is a real growth opportunity in coming years,' says David Z. Bodenheimer, a partner at law firm Crowell & Moring in Washington, who leads the firm's homeland security practice and specializes in government contracts. 'The market is still rather fragmented and in flux, but is developing with a speed that it is attracting both the major defense and homeland security contractors who are establishing independent business units to pursue these opportunities, and it is also a real opportunity for the smaller players who have niche products.' One reason the field is attracting so many companies is that the barriers to entry are low — at least, relative to other defense industries. But as start-ups and others rush to stake claims, some wonder if a bubble of sorts is beginning to inflate and recall that many venture firms in the early 2000s chased similar prospects. 'A lot of the early people made significant money,' says Roger Novak, founder of Novak Biddle Venture Partners. 'But there were [also] a lot of "me too" companies.'"
Bubbles are not as nasty in labor-intensive sector (Score:1)
It will suck when people get laid off, but you're not buying a huge quantity of equipment that you have to sell at rock-bottom prices. Or entire streets of homes which won't sell even if they are heavily discounted. You're probably ensuring that software is properly patched, hardware is not using default passwords and maybe some penetration testing. Apart from office furniture/computers, I don't see a great deal of capital investment. There may be investment in equipment, but that'll be for the client (
Re: (Score:3, Insightful)
No, this money wont go anywhere near the people who need it. First, the jobs this money creates is only going to be available to people who are able to be "cleared". If you are unfamiliar with the security clearance process, you should check it out. Many people apply, few (with the exception to political appointees) are accepted. The job market for cleared people is nearly always good (but has gotten pretty tight under the anti-military/intelligence Democratic congress/white house), so this will only make l
Re: (Score:2)
and the real nasty bit about this is most folks that could really do this kind of thing well (and can prove it) have clearance "issues".
Not necessarily. (Score:2)
It depends on the job. If it's something like writing a keylogger or understanding how to do stuff like that, you can experiment on your own network and learn 90% of what you need to know without ever having to break the law.
Re: (Score:2, Interesting)
I have been in the DoD world for over 7 years now, all of those with a pretty good clearance. When the batch of people I started with were first getting our clearances, the first one to be finalized (adjudicated, as they say) was the guy who admitted to being a drug dealer in the past. Outside of treason like activities, or being a documented member of some anti-America movement there is nothing that is a clear cut NO for a clearance.
I can not say that the other types of clearance are the same (DoE, for e
Re: (Score:1, Insightful)
Re: (Score:1, Funny)
Are your writing and communication skills an example of the kind of Fed person we should take very seriously?
Re: (Score:2)
No, he is capable of using a computer. This puts him head and shoulders above your average Fed.
How does one apply for a clearance? (Score:2)
No, this money wont go anywhere near the people who need it. First, the jobs this money creates is only going to be available to people who are able to be "cleared". If you are unfamiliar with the security clearance process, you should check it out. Many people apply, few (with the exception to political appointees) are accepted. The job market for cleared people is nearly always good (but has gotten pretty tight under the anti-military/intelligence Democratic congress/white house), so this will only make life better for them.
Second, the money is going to the Washington DC area... where "skilled" jobs are always in abundance. The big loss in jobs has been in the "low/unskilled" and the trade markets, which this "bubble" will do nothing to improve outside of the support industries.
I never heard of that even being possible. From what I've heard you apply for a job which requires a clearance and you either get the job or you don't. And despite what you think about the Democrats, they take national security just as serious and have pet projects of their own.
My conclusion is that you don't know what you are talking about if you believe all the jobs will go directly to DC.
Re: (Score:2)
You have to be employed in a job that requires a clearance in order to get a clearance. Which is a bit of a catch-22 unless the employer will pay for you to do something else while the background check is going on.
This is also why those with clearances have a pretty good job market - the employer doesn't have to risk you failing to get a clearance. It's not hard to get a low-level clearance if you'v
Re: (Score:2)
You have to be employed in a job that requires a clearance in order to get a clearance. Which is a bit of a catch-22 unless the employer will pay for you to do something else while the background check is going on.
This is also why those with clearances have a pretty good job market - the employer doesn't have to risk you failing to get a clearance. It's not hard to get a low-level clearance if you've mostly behaved yourself.
What I heard is you can get a clearance in one of the two ways. 1. you apply for a job which requires it and you have the right connections and this combination gets you a clearance. 2. you serve in the military and you get a clearance during your military service.
The process for getting a clearance is extremely intrusive and extremely thorough, the investigation lasts for years and in some cases never really ends. So is it worth it to even get a clearance if the government agents are going to talk to every
Re: (Score:2)
Both of these are examples of employers "paying for you do to something else while the background check is going on."
Re: (Score:2)
Both of these are examples of employers "paying for you do to something else while the background check is going on."
Perhaps to move this out of the realm of "what you've heard", you should go look at http://en.wikipedia.org/wiki/Security_clearance#United_States [wikipedia.org]
Depends on who you've known and what you've done.
I did some research. From my research a TS clearance isn't worth the impact on quality of life which is sure to diminish from the intense nonstop government scrutiny. It's a personal sacrifice to get a TS clearance. Polygraph testing, drug testing, interviewing everyone you ever knew, means you have to give 100% of yourself to the government.
Is it worth it?
Re: (Score:2)
That isn't a question with a blanket yes or no answer.
Thats a bit confusing. (Score:2)
Nah, it's not actually that bad. For a TS, yes they interview a lot of people (albeit not "everyone", just most of the folks you regularly interact with over the last 10 years). But no, you don't have to do a polygraph nor a drug test (although some contracting firms might require the drug test for their own purposes; none of the ones I've dealt with have). The polygraph generally only comes in to play when you get certified for SCI access.
The polygraph is probably he most scary part of any investigation. NOBODY in their right mind would find being interrogated via polygraph a pleasurable experience. So what you are saying is the drug testing is determined by the agency or contractor and not by government mandate?
As for the scrutiny, no, I don't think it's really "non-stop" either. After the initial investigation (the worst of which, frankly, is filling out the stupid form, although some of the investigators can be annoying), they pretty much leave you alone until it's time to get it reviewed (5 years for TS IIRC; I'm not due yet), and that's not particularly intense either. I don't personally view it as a sacrifice, or giving 100% to the government, and can't say I've really noticed a negative impact on my quality of life.
Thats interesting. Some of the other people I've talked to have told me the exact opposite. That the government intrudes upon every aspect of their life, that they have not a single private moment, that everyone they know is question
Re: (Score:2)
Assuming you don't have clearance from prior military experience, you will apply for a job that is 'clearance conditional'. You get the job. Your agency submits you for approval. You may or may not get it. I'm pretty sure the success rate is much, much higher than the 10% cited elsewhere. For a TS/Poly, maybe. For a Secret? No way.
Re: (Score:2)
Assuming you don't have clearance from prior military experience, you will apply for a job that is 'clearance conditional'. You get the job. Your agency submits you for approval. You may or may not get it. I'm pretty sure the success rate is much, much higher than the 10% cited elsewhere. For a TS/Poly, maybe. For a Secret? No way.
What prevents 90% of people from receiving a clearance?
Re: (Score:2)
You'd be surprised just how much dumb stuff is done by smart people. For example, a friend's company regularly loses cleared employees for surfing porn at work.
Apparently they all went to work at the SEC next.
Re: (Score:1, Informative)
The reason it's hard to get security clearance for most is that private companies don't want to pay the thousands of dollars for the investigation, more people than you think could get a clearance, but it's just too expensive. If you want a piece of pie, do what I did and join the military for a few years, they're more than happy to give you a clearance if you choose the right job. The only people that really have trouble have financial issues, criminal records, or aren't citizens. I'm sure most of you on /
Re: (Score:2)
You've got no idea what you're talking about when it comes to clearances, the job market for those with clearances, and the spending levels of the current Congress.
Re: (Score:2)
Actually, there are some similarities with security background checks and the H1B issue. I believe for security clearance, you need to be sponsored by a company. While you are getting your clearance, you technically can't do clearance-required work. So, a company who wants to sponsor someone might have them on a project that doesn't require clearance, while they are in the process. The problem with most DC companies is th
Re: (Score:2)
Your clearance technically goes "poof" as soon as you stop working at a job that requires a clearance.
However, if you held a clearance in the past, that's an extremely good indication you'll be able to get a clearance again (assuming the clearance wasn't revoked). That makes you a significant
Consolidating (Score:1)
Consolidation is the only word to describe what has been going on in Federal IT for the past 3 years. If there is money being "funneled" to the problem, than that money isnt reaching the folks in the positions who are actually doing the job to fix the problem. Perhaps this 6-7bn dollars is being sent to shovel ready projects or some other non sense that has nothing to do with cyber security.
Re: (Score:2)
But of course that's what is happening. Although the turn 'shovel ready' might not be so appropriate in the literal sense, figuratively, it's spot on.
Progress as promised!
Re: (Score:2)
But of course that's what is happening. Although the turn 'shovel ready' might not be so appropriate in the literal sense, figuratively, it's spot on.
I must be behind on the trade news again. What is now the preferred tool for moving horse and cow excrement around?
Re: (Score:1)
Official notice (Score:4, Funny)
Re: (Score:2)
No, it's been declared a munition, and your publication has been blocked lest it be exported.
http://en.wikipedia.org/wiki/Phil_Zimmermann#Criminal_investigation_by_US_Customs [wikipedia.org]
lawyerspeak for dummies (Score:5, Insightful)
Translation follows:
"Nobody has the faintest fuck of a clue what they're doing, but they desperately want to be seen to be doing something and so they're throwing money at anything. Get in right now and make out like a bandit while you can!"
Re: (Score:2)
You're good.
Re:lawyerspeak for dummies (Score:4, Insightful)
The pity to all this is that Government has needed to better fund this area for the last 10+ years. Infosec activities have been historically undermanned. This increased funding would seem like welcomed news. But, of course, it's not that simple.
Infosec in the Fed has become a Frankenstein's Monster over the past years. Cluelessness has spawned regulation. NIST requirements have some solid technical basis. But mixed in to compliance is layer upon layer of bureaucracy that requires considerable funding in it's own right. Compliance requires additional management and auditing which requires additional manpower - none of which actually does the technical work or has to have any understanding of the technical issues. In fact, NIST compliance doesn't particularly require any understanding beyond the workings of the regulations themselves. And even achieving compliance with various NIST requirements can still leave one completely open to known security issues (which isn't entirely bad in itself but can set up a false sense of security).
It is possible that some of this funding will trickle down to the layer that should have been funded all along. But it is much more likely that the lions' share of these funds will go to fueling compliance. And investing on questionable new technologies / products while ignoring fundamental architectural and cultural issues that are the real source of many Government infosec issues.
Better they spend it on this than on fighter jets. (Score:2)
They might have to spend 4-6 billion on cyber security but it would be better to spend it on that than to spend it on fighter jets which will probably never be used anyway. The new kind of war involves cyberspace, information, and almost never involves fighter jets.
So how would the enemy attack? Probably by exploiting weaknesses in systems and networks. So those systems and networks must be secured and securing them wont be free.
Re:Better they spend it on this than on fighter je (Score:4, Insightful)
So how would the enemy attack? Probably by exploiting weaknesses in systems and networks. So those systems and networks must be secured and securing them wont be free.
You missed my point. Infosec in the Government has needed funding for a long time now. Funding it is a good thing. However, I would prefer to see funding go towards programs and activities that are effective rather than powering additional levels of bureaucracy.
Having said that - don't get too wrapped up in your "new" war. When it comes down to it, physical control is still important. Those fighter jets will still have a use. AFter all, we've fought this war before - we just called it "espionage".
Re: (Score:2)
Infosec in the Government has needed funding for a long time now
Funding alone won't have an effect on the organizational dynamics.
The only way .gov security is going to improve is if qualified people have the authority to enforce effective policies.
To get qualified people you have to require regular training and testing. You also have to go where the qualified people are (by not requiring them to move to DC, Baltimore, ...). To get effective policies you have to allow them to be written per business (not government) best practices without undue influence from special
Re: (Score:2, Insightful)
Absolutely!!!
"After 9/11, we had to show how committed we were by spending hugely greater amounts of money than ever before, as rapidly as possible." - Rep. Christopher Cox, R-Calif., chairman of the Homeland Security Committee on why the TSA squandered $4.5 billion on malfunctioning equipment; he also inadvertently admitted that the agency is merely window-dressing for the Feds
Re: (Score:2, Interesting)
The real trick is getting the contract renewal. For most contractors the first is usually their only. The really good contractors or the really corrupt ones (is there really a difference) not only get the renewals, they get them without bidding as is the prerogative of the government.
Re: (Score:2)
I thought that dubious honor fell to theodp.
Something seems fundamentally off.... (Score:1)
...about this.
I'm really not sure what but it seems to me that's an awful lot of money to be spending on something that can be addressed as simply as turning computers off.
On the flip side, quantum computing pretty much can make encryption pointless.
Realizing the direction of technology advancements its clear this cyber security thing is a bubble that will burst.
Considering spam is the number one cyber problem and that it is generally dealt with in addressing the symptom of people generating it, dealing wit
Re:Something seems fundamentally off.... (Score:4, Insightful)
Your missing the bigger problem. Communications in the commercial world has dramatically advanced due to e-commerce and electronic digital communication. Government is very, very far behind the commercial world, but is looking to catch up. This cannot be done with an isolated and secure network. The need for e-government is becoming ever more evident. With the slow increase in population coupled with the dramatic increases in regulation and bureaucracy, the US government will simply grind to a halt if it does not provide more access to government services via the internet.
This is where the big need for security comes from. How do you provide more access to more services and information while restricting that information to the appropriate parties. Also, once these services become integrated and relied upon, they will become targets for hostile foreign elements. This is a "good" problem to have, but it is one that needs to be addressed now, before massive electronic outreach programs become part of our daily lives (even more than they are now).
Whether your a conservative, or a liberal, government cyber security needs to be addressed. If we go more big central government, then there will be more eggs in one basket. If we go the federalist route, then more information will need to passed between states (in a safe and accountable fashion). Either way the old "paper" way isnt sufficient and will not work forever (unless we have a massive population decrease).
What is e-government? does it include e-cops? (Score:1, Troll)
"This is where the big need for security comes from. How do you provide more access to more services and information while restricting that information to the appropriate parties. "
What type of services exactly? What services do you expect the government to provide? Do you mean a setup so we can instant message the FBI to report a crime in progress? Do you mean giving twitter accounts out? What services does the government provide that is so important that we will need e-government to provide it?
With the slow increase in population coupled with the dramatic increases in regulation and bureaucracy, the US government will simply grind to a halt if it does not provide more access to government services via the internet.
This is where the big need for security comes from. How do you provide more access to more services and information while restricting that information to the appropriate parties. Also, once these services become integrated and relied upon, they will become targets for hostile foreign elements. This is a "good" problem to have, but it is one that needs to be addressed now, before massive electronic outreach programs become part of our daily lives (even more than they are now).
WTF? What services? What exactly do you imagine we will be relying on the government for and since when did the government provide anything for free? The government expects you to serve it in
Re: (Score:3, Insightful)
I'm not arguing the politics of it (I agree with you from that point). I'm simply telling you how much the brontosaurus needs to eat... I'm not telling you why, how, or where you are going to get the food from.
The "services" is giving people a means to more readily comply with regulation, fill out required form, and easily pay it more money.
Re: (Score:2)
I'm not arguing the politics of it (I agree with you from that point). I'm simply telling you how much the brontosaurus needs to eat... I'm not telling you why, how, or where you are going to get the food from.
The "services" is giving people a means to more readily comply with regulation, fill out required form, and easily pay it more money.
Okay now your point makes sense.
"Bubble of sorts" !? (Score:1, Funny)
What kind of weird geek-humour is that, please tell!?
government security vs government management (Score:4, Insightful)
Good luck to the security professionals who think they can make a difference in the Federal government. I subcontracted at the GAO many years ago and saw some of the same issues. Mentioned them to higher-ups, and higher-higher-ups. No repsponse, no improved security, not even a formal recognition of the problem. The primary contractors themselves were just as much to blame. Their main goal seemed to be maintaining the contract at any expense, including bad security, including shooting the messenger.
Bottom line is that .gov security issues are not really security issues as such, they are organizational issues. As long as you don't address the fundamental problem of entrenched, mid-level, non-technical management all the money in the world won't fix it.
Re: (Score:2)
"mid-level, non-technical management", non-technical, non-interested, non-present and counting the days to retirement!
Use too many polysyllabic words in a complicated sentence and their eyes glaze over and they begin to snore.
Re: (Score:3, Interesting)
Industry has the same problems. Try to change out IE 6.0 because of security issues in any large organization with investment in its sclerotic infrastructure and you will be met with, "Yes, well, security is your problem, now fix the problem and let us continue using IE 6.0".
Government IT "professionals" come from industry IT "professionals", government managerial "professionals" come from industry "professionals". PHBness seems to come with the territory.
Or I should say, PHBness comes from Business School
Re: (Score:3, Funny)
Sounds great, except for the part about living in the D.C. area ...
Good point. This is a _large_ part of the problem. The best IT people are simply not going to move for a government job that pays less, has double the bureaucracy. and requires them to live in someplace like DC (which has some pretty nice neighborhoods actually, just not when compared to the West Coast in general and Silicon Valley in particular).
Re: (Score:2)
Don't forget the people... Northern Charm combined with Southern Efficiency!
I actually think the parks and weather in DC are actually quite nice; but I grew up in Bangkok so I have a different threshold for hot and humid than most. It's also great to have 4 seasons, where it gets hot enough to kill people, cold enough to kill people, and occasionally windy enough to kill people with the freak tornado. I'd go nuts living in a desert, like arid SoCal.
But back to the people... if I had to pick any place to
Re: (Score:2)
A ton of this work isn't being done in DC. DC is just where the HQ is, so it gets all the attention from the media.
What most of this "IT security work" really is... (Score:5, Insightful)
Most of work involves commodity certification & accreditation (C&A) that involves the following:
Phase 1
a "system owner" (Govt IT manager) has staff prepare documentation of the security controls implemented on a "system" (Logical grouping of computers). The security controls are in NIST 800-53, this is FISMA in action.
C&A process http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf [nist.gov]
NIST Controls http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf [nist.gov]
NIST Audit process http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-A%20Rev.%201 [nist.gov]
Phase 2
A certification agent comes in, assesses the system using tools and configuration analysis. This is heavily slanted towards audit, instead of true security analysis.
Phase 3
A senior executive (Authorizing official) makes a decision about the risk acceptability of the system to operate, and may make the system owner do corrective action. The system then moves into continuous monitoring (phase 4).
That is how certification and accreditation operates in theory. Now I am going to tell you how the system is gamed.
During Phase 1, it implies you actually have competent IT security professionals on hand, performing work for the system owner. This is a false assumption. Most system owners don't know security, nor do their staff.
Phase 2 - First of all, have the certification agent companies don't understand security. They can talk the talk (CISSP) but have no solid IT / IT security expertise (not security testers). Many certification agents will not even test systems. They play a game of bringing in cheap staff or running vulnerability scanners then passing them off as "penetration tests". The amount of utter garbage in the field is amazing. Even more so are the reports they write up are audit garbage. If you asked most certification agents about a security methodology, they haven't heard of the OSSTMM or similar. They use NIST 800-53A (heavily audit driven) then they write up meaningless reports, equating technical weaknesses as just as relevant as a gap in a policy.
Phase 3 - The vast majority of government executives are clueless when it comes to IT. They know a little bit, like the name of an operating system (Linux - buzzword - yay!) but not much else. So, they are easily led astray. Most will allow a system to operate regardless of how bad it is, based on a horrible security review performed by incompetent certification agents, on a package made by the almost as clueless system owner and his staff.
After a system gets an authorization to operate, many staffs stop doing all security for 3 years, til the next C&A comes around.
It is not uncommon for a federal cabinet level agency to have 300+ systems, with 300+ system owners, with 300+ completely separate, unique and underfunded security implementations that have more holes than swiss cheese.
If you notice, what is missing from above is actually rigorous security analysis. Code is rarely audited. Configurations are rarely checked 100%. Policy is viewed as important as technical controls. Most testing is a wash. Penetration tests are vulnerability scans by nitwits.
And you wonder why the Chinese are plundering the US govt on a daily basis?
Re: (Score:2)
Sounds like a great way to pass the buck to me :P
Also sounds exactly like a lot of what's going on in education.
Seems like there should be a way to give the professionals who administer systems the tools and resources to ply their trade. But all the money is tied up in political / administrative overhead so they can shuffle the accountability and blame around. Awesome that.
Me Too (Score:1, Insightful)
Re: (Score:1)
One snake-oil bubble, coming right up! (Score:5, Insightful)
This cyber-security stuff is largely nonsense, IMO.
The fact is, the Internet was designed from the ground up to support flexible and open standards, and it makes certain assumptions about the credibility and honesty of those put in charge of its routing. (I was just reading an article complaining about the lack of "action" taken after the Bush administration did a security review of the Internet back in the 2003 time-frame and determined it was, indeed, quite possible to take down the entire Internet in a matter of hours or less, thanks to weaknesses in how traffic is routed. The fact is though, all the major ISPs expressed NO interest in changing the current system -- because they realize that would still require a "central authority" someplace to determine the "correct" routes traffic should follow to get from point A to B. The current system is rather like trying to drive on a road trip from, say, Dallas to San Francisco, except you have no road map in advance. You simply start out on your journey and follow the road signs as you go, until you arrive. Except in the case of the Internet, even those "road signs" aren't controlled by any central authority. If someone accidentally or purposely changes one, traffic gets shunted in the wrong direction (possibly to a destination router that just black-holes all of it, since it wasn't expecting it).
As we can see though, it generally works quite well, because the people doing most of the heavy-duty routing are ISPs with a vested interest in making sure it keeps performing well. If and when something goes wrong, they tend to pick up the telephone and start making phone calls, getting people to intervene and make manual routing changes to eliminate the problem.
As you look past this supposed "security weakness" and get more detailed about security of individual destination points on the Internet, you see a similar situation. People bitch and moan about security issues (PCI compliance, for example), and spend thousands of dollars trying to address it. Yet in the end, you still HAVE to place trust in your employees. If they're willing to let outsiders in to get information you're trying to protect? All bets are off, no matter how much you spend on the latest "next generation firewall solution" or what-not. (Remember the huge credit card breach AOL had a while back? Turned out to be an inside job.)
Right now, as an I.T. manager, I'm seeing a large number of start-up and obscure "computer security" businesses trying to get my attention. I was just invited to listen to a presentation given by Palo Alto Networks, for example, followed by a free pre-screening of Iron Man 2. (Yep, I went.... not a bad way to get our attention, actually!) But the presentation honestly didn't tell me anything new. It was full of a bunch of well-heeled customers of theirs talking about liking the device, and their founder making a few rather arrogant comments - suggesting they were going to be huge in the future, because unlike most companies doing firewalls, they were focused on "innovation". He commented that "Checkpoint hasn't innovated in at least a decade." and "Cisco has NEVER innovated at all. They just bought a bunch of start-ups."
I can't speak for the quality (or lack thereof) of their product, but I CAN say that it was exactly what I was expecting them to try to sell.... another "next gen firewall/traffic flow controller" device that tries to "wow" middle and upper management types by acting like they've unlocked a huge revelation, by realizing that port and IP based firewall rules aren't the complete answer for companies today.
Funny, but I think Rapid7 was just calling, trying to get me to attend a seminar about THEIR product that was essentially the same idea, and to hear them talk, THEY thought of it all first, too.
A lot of people see a chance to grab some money thanks to fear of the unknown out there, and they may have products that really DO address specific scenarios really well. But I'm convinced most companies would b
WOO HOO! BILLIONS FOR SNAKE OIL! (Score:2)
I can see it now.
Our [Crappy Product We're Selling] will lock you up so tight that if you take a crap, we'll be able to tell exactly what you had to eat a month and a half ago from the leavings! You will be secure, SECURE, SEH-CURE BABY!
Just fork over that phat gub-a-mint dole! MONEY MONEY MONEY MO-NEY! MO-NEY!
Truly the finest in buzzword-laden insecure security!
Broken the first time a government worker (or mabye A. Random Janitor) find out that their porn is blocked and get around it all.
Security throug