×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

The Boom (Or Bubble) In Federal Cybersecurity

Soulskill posted more than 4 years ago | from the subprime-defense-systems dept.

Businesses 72

Hugh Pickens writes "The Washington Post reports that the increasing number and intensity of cyberattacks has attracted the attention of the Obama administration and Congress, which have begun steering dollars to the problem. Much of that new spending, estimated at $6 to $7 billion annually just in unclassified work, is focused on the Washington region, as the federal government consolidates many of its cybersecurity-focused agencies in the area. 'I think it is a real growth opportunity in coming years,' says David Z. Bodenheimer, a partner at law firm Crowell & Moring in Washington, who leads the firm's homeland security practice and specializes in government contracts. 'The market is still rather fragmented and in flux, but is developing with a speed that it is attracting both the major defense and homeland security contractors who are establishing independent business units to pursue these opportunities, and it is also a real opportunity for the smaller players who have niche products.' One reason the field is attracting so many companies is that the barriers to entry are low — at least, relative to other defense industries. But as start-ups and others rush to stake claims, some wonder if a bubble of sorts is beginning to inflate and recall that many venture firms in the early 2000s chased similar prospects. 'A lot of the early people made significant money,' says Roger Novak, founder of Novak Biddle Venture Partners. 'But there were [also] a lot of "me too" companies.'"

Sorry! There are no comments related to the filter you selected.

Bubbles are not as nasty in labor-intensive sector (1)

Glass Goldfish (1492293) | more than 4 years ago | (#32147786)

It will suck when people get laid off, but you're not buying a huge quantity of equipment that you have to sell at rock-bottom prices. Or entire streets of homes which won't sell even if they are heavily discounted. You're probably ensuring that software is properly patched, hardware is not using default passwords and maybe some penetration testing. Apart from office furniture/computers, I don't see a great deal of capital investment. There may be investment in equipment, but that'll be for the client (government) to buy and maintain.

Hopefully it'll create some work for people who desperately need it.

Re:Bubbles are not as nasty in labor-intensive sec (3, Insightful)

antirelic (1030688) | more than 4 years ago | (#32147846)

No, this money wont go anywhere near the people who need it. First, the jobs this money creates is only going to be available to people who are able to be "cleared". If you are unfamiliar with the security clearance process, you should check it out. Many people apply, few (with the exception to political appointees) are accepted. The job market for cleared people is nearly always good (but has gotten pretty tight under the anti-military/intelligence Democratic congress/white house), so this will only make life better for them.

Second, the money is going to the Washington DC area... where "skilled" jobs are always in abundance. The big loss in jobs has been in the "low/unskilled" and the trade markets, which this "bubble" will do nothing to improve outside of the support industries.

Re:Bubbles are not as nasty in labor-intensive sec (1)

RobertLTux (260313) | more than 4 years ago | (#32147918)

and the real nasty bit about this is most folks that could really do this kind of thing well (and can prove it) have clearance "issues".

Not necessarily. (1)

elucido (870205) | more than 4 years ago | (#32150268)

It depends on the job. If it's something like writing a keylogger or understanding how to do stuff like that, you can experiment on your own network and learn 90% of what you need to know without ever having to break the law.

Re:Bubbles are not as nasty in labor-intensive sec (2, Interesting)

Anonymous Coward | more than 4 years ago | (#32151128)

I have been in the DoD world for over 7 years now, all of those with a pretty good clearance. When the batch of people I started with were first getting our clearances, the first one to be finalized (adjudicated, as they say) was the guy who admitted to being a drug dealer in the past. Outside of treason like activities, or being a documented member of some anti-America movement there is nothing that is a clear cut NO for a clearance.

I can not say that the other types of clearance are the same (DoE, for example, has a complete different system). This is just what I know about the classic "Confidential Secret Top Secret" DoD style things.

Re:Bubbles are not as nasty in labor-intensive sec (3, Insightful)

hiscross (1226636) | more than 4 years ago | (#32147996)

"where "skilled" jobs are always in abundance. Please, I am a Fed IT person who is surrounded by meeting making fed and contractors who produce nothing. Most feb security people can barley run a software update, let along stop a cyberattack. No one in the US Governments build secure code nor do they understand the importance of building secure code. The do the SDLC/FISMA thing and say we've done are part. Once they get hacked, then they have a tons of meetings, bring SAIC or CSC and declare victory, that is until they get hacked again. Good security people are rare breed who will always be in high demand. Hint, if a vendor shows up and that vendor is from China or India, tell him the position is closed. They know nothing about security. Now if a vendor is from Russia or Israel take them very seriously.

Re:Bubbles are not as nasty in labor-intensive sec (1, Funny)

Anonymous Coward | more than 4 years ago | (#32148966)

Are your writing and communication skills an example of the kind of Fed person we should take very seriously?

Re:Bubbles are not as nasty in labor-intensive sec (1)

gmhowell (26755) | more than 4 years ago | (#32152846)

No, he is capable of using a computer. This puts him head and shoulders above your average Fed.

Re:Bubbles are not as nasty in labor-intensive sec (0)

Anonymous Coward | more than 4 years ago | (#32153504)

The proper question should have been: Is he downloading porn while at those meetings? If he has, is he following the minimum guidelines of 8 hours a day?

How does one apply for a clearance? (1)

elucido (870205) | more than 4 years ago | (#32150248)

No, this money wont go anywhere near the people who need it. First, the jobs this money creates is only going to be available to people who are able to be "cleared". If you are unfamiliar with the security clearance process, you should check it out. Many people apply, few (with the exception to political appointees) are accepted. The job market for cleared people is nearly always good (but has gotten pretty tight under the anti-military/intelligence Democratic congress/white house), so this will only make life better for them.

Second, the money is going to the Washington DC area... where "skilled" jobs are always in abundance. The big loss in jobs has been in the "low/unskilled" and the trade markets, which this "bubble" will do nothing to improve outside of the support industries.

I never heard of that even being possible. From what I've heard you apply for a job which requires a clearance and you either get the job or you don't. And despite what you think about the Democrats, they take national security just as serious and have pet projects of their own.

My conclusion is that you don't know what you are talking about if you believe all the jobs will go directly to DC.

Re:How does one apply for a clearance? (1)

jeff4747 (256583) | more than 4 years ago | (#32151576)

From what I've heard you apply for a job which requires a clearance and you either get the job or you don't.

You have to be employed in a job that requires a clearance in order to get a clearance. Which is a bit of a catch-22 unless the employer will pay for you to do something else while the background check is going on.

This is also why those with clearances have a pretty good job market - the employer doesn't have to risk you failing to get a clearance. It's not hard to get a low-level clearance if you've mostly behaved yourself.

Re:How does one apply for a clearance? (1)

elucido (870205) | more than 4 years ago | (#32153400)

From what I've heard you apply for a job which requires a clearance and you either get the job or you don't.

You have to be employed in a job that requires a clearance in order to get a clearance. Which is a bit of a catch-22 unless the employer will pay for you to do something else while the background check is going on.

This is also why those with clearances have a pretty good job market - the employer doesn't have to risk you failing to get a clearance. It's not hard to get a low-level clearance if you've mostly behaved yourself.

What I heard is you can get a clearance in one of the two ways. 1. you apply for a job which requires it and you have the right connections and this combination gets you a clearance. 2. you serve in the military and you get a clearance during your military service.

The process for getting a clearance is extremely intrusive and extremely thorough, the investigation lasts for years and in some cases never really ends. So is it worth it to even get a clearance if the government agents are going to talk to everyone you've ever been in contact with and find out every stupid or illegal thing you've ever done?

Is it worth it to get a clearance?

Re:How does one apply for a clearance? (1)

jeff4747 (256583) | more than 4 years ago | (#32153908)

What I heard is you can get a clearance in one of the two ways. 1. you apply for a job which requires it and you have the right connections and this combination gets you a clearance. 2. you serve in the military and you get a clearance during your military service.

Both of these are examples of employers "paying for you do to something else while the background check is going on."

The process for getting a clearance is extremely intrusive and extremely thorough, the investigation lasts for years and in some cases never really ends.

Perhaps to move this out of the realm of "what you've heard", you should go look at http://en.wikipedia.org/wiki/Security_clearance#United_States [wikipedia.org]

So is it worth it to even get a clearance if the government agents are going to talk to everyone you've ever been in contact with and find out every stupid or illegal thing you've ever done?

Depends on who you've known and what you've done.

Re:How does one apply for a clearance? (1)

elucido (870205) | more than 4 years ago | (#32154792)

What I heard is you can get a clearance in one of the two ways. 1. you apply for a job which requires it and you have the right connections and this combination gets you a clearance. 2. you serve in the military and you get a clearance during your military service.

Both of these are examples of employers "paying for you do to something else while the background check is going on."

The process for getting a clearance is extremely intrusive and extremely thorough, the investigation lasts for years and in some cases never really ends.

Perhaps to move this out of the realm of "what you've heard", you should go look at http://en.wikipedia.org/wiki/Security_clearance#United_States [wikipedia.org]

So is it worth it to even get a clearance if the government agents are going to talk to everyone you've ever been in contact with and find out every stupid or illegal thing you've ever done?

Depends on who you've known and what you've done.

I did some research. From my research a TS clearance isn't worth the impact on quality of life which is sure to diminish from the intense nonstop government scrutiny. It's a personal sacrifice to get a TS clearance. Polygraph testing, drug testing, interviewing everyone you ever knew, means you have to give 100% of yourself to the government.

Is it worth it?

Re:How does one apply for a clearance? (1)

jeff4747 (256583) | more than 4 years ago | (#32159088)

Is it worth it?

That isn't a question with a blanket yes or no answer.

Re:How does one apply for a clearance? (0)

Anonymous Coward | more than 4 years ago | (#32159230)

I did some research. From my research a TS clearance isn't worth the impact on quality of life which is sure to diminish from the intense nonstop government scrutiny. It's a personal sacrifice to get a TS clearance. Polygraph testing, drug testing, interviewing everyone you ever knew, means you have to give 100% of yourself to the government.

Nah, it's not actually that bad. For a TS, yes they interview a lot of people (albeit not "everyone", just most of the folks you regularly interact with over the last 10 years). But no, you don't have to do a polygraph nor a drug test (although some contracting firms might require the drug test for their own purposes; none of the ones I've dealt with have). The polygraph generally only comes in to play when you get certified for SCI access.

As for the scrutiny, no, I don't think it's really "non-stop" either. After the initial investigation (the worst of which, frankly, is filling out the stupid form, although some of the investigators can be annoying), they pretty much leave you alone until it's time to get it reviewed (5 years for TS IIRC; I'm not due yet), and that's not particularly intense either. I don't personally view it as a sacrifice, or giving 100% to the government, and can't say I've really noticed a negative impact on my quality of life.

Is it worth it?

Considering the issues I had finding a position when I landed the one requiring a clearance, yeah, I think it was.

(BTW, in case it wasn't obvious, yes, I do have a TS clearance. That's also why I'm posting anonymously -- not so much that I'm worried about people knowing, as despite the clearance I know virtually nothing of interest, but more to stem the inevitable tide of other folks with clearances whining about opsec if I don't. Heck, they'll probably whine anyway...)

Thats a bit confusing. (1)

elucido (870205) | more than 4 years ago | (#32161952)

Nah, it's not actually that bad. For a TS, yes they interview a lot of people (albeit not "everyone", just most of the folks you regularly interact with over the last 10 years). But no, you don't have to do a polygraph nor a drug test (although some contracting firms might require the drug test for their own purposes; none of the ones I've dealt with have). The polygraph generally only comes in to play when you get certified for SCI access.

The polygraph is probably he most scary part of any investigation. NOBODY in their right mind would find being interrogated via polygraph a pleasurable experience. So what you are saying is the drug testing is determined by the agency or contractor and not by government mandate?

As for the scrutiny, no, I don't think it's really "non-stop" either. After the initial investigation (the worst of which, frankly, is filling out the stupid form, although some of the investigators can be annoying), they pretty much leave you alone until it's time to get it reviewed (5 years for TS IIRC; I'm not due yet), and that's not particularly intense either. I don't personally view it as a sacrifice, or giving 100% to the government, and can't say I've really noticed a negative impact on my quality of life.

Thats interesting. Some of the other people I've talked to have told me the exact opposite. That the government intrudes upon every aspect of their life, that they have not a single private moment, that everyone they know is questioned/interviewed, and more which I wont detail on this site. From what they've told me it certainly isn't worth it but maybe every experience is subjective. They did mention drug testing so I assumed that was necessary.

Considering the issues I had finding a position when I landed the one requiring a clearance, yeah, I think it was.
(BTW, in case it wasn't obvious, yes, I do have a TS clearance. That's also why I'm posting anonymously -- not so much that I'm worried about people knowing, as despite the clearance I know virtually nothing of interest, but more to stem the inevitable tide of other folks with clearances whining about opsec if I don't. Heck, they'll probably whine anyway...)

So it's not the TOP SECRET clearances that bring the intense scrutiny, but the special access programs? The SCI? Or are there clearances that exist beyond TOP SECRET which require the polygraph, drug testing, and this
http://en.wikipedia.org/wiki/Single_Scope_Background_Investigation [wikipedia.org]

My questions are if TOP SECRET clearance isn't a hassle to get, why do so few people receive it?

And does the cost/benefit of a clearance depend more on the job/role of the work rather than the process/paperwork?

Re:Thats a bit confusing. (0)

Anonymous Coward | more than 4 years ago | (#32165028)

Me again...

So what you are saying is the drug testing is determined by the agency or contractor and not by government mandate?

I'm not sure the exact circumstances. While there is a requirement to be "drug free" when you have a clearance, there apparently is no across the board requirement to do testing to back it up, only in that I haven't had one for many years prior to getting a clearance.

So it's not the TOP SECRET clearances that bring the intense scrutiny, but the special access programs? The SCI? Or are there clearances that exist beyond TOP SECRET which require the polygraph, drug testing, and this (SSBI)

This is always where it gets a little weird. There is no clearance above Top Secret. SCI works more like a certification on top of TS (and there are several different ones). To get a TS you have to have a SSBI, but no poly. Generally, to get an SCI added to your TS, the polys come in to play. No clue where drug testing may fit in.

My questions are if TOP SECRET clearance isn't a hassle to get, why do so few people receive it? And does the cost/benefit of a clearance depend more on the job/role of the work rather than the process/paperwork?

While a role may dictate a certain level of clearance, the process is pretty much the same for anyone getting that particular level; the role doesn't (inherently) dictate additional scrutiny. I would say the main reason there aren't a ton of TS cleared people comes back to what was said way above here: To get a clearance, you have to have a job that requires it, and many companies are really lazy about it since if you can find someone to do the job that already has the clearance you don't have to fool with sponsoring someone. So there's a sort of artificial limit in place. Beyond that, the government doesn't view a clearance as a job qualification, but in practice it tends to work that way, so there's a disconnect that makes it harder to "break in" to the cleared market.

Re:How does one apply for a clearance? (1)

gmhowell (26755) | more than 4 years ago | (#32152854)

Assuming you don't have clearance from prior military experience, you will apply for a job that is 'clearance conditional'. You get the job. Your agency submits you for approval. You may or may not get it. I'm pretty sure the success rate is much, much higher than the 10% cited elsewhere. For a TS/Poly, maybe. For a Secret? No way.

Re:How does one apply for a clearance? (1)

elucido (870205) | more than 4 years ago | (#32153384)

Assuming you don't have clearance from prior military experience, you will apply for a job that is 'clearance conditional'. You get the job. Your agency submits you for approval. You may or may not get it. I'm pretty sure the success rate is much, much higher than the 10% cited elsewhere. For a TS/Poly, maybe. For a Secret? No way.

What prevents 90% of people from receiving a clearance?

Re:How does one apply for a clearance? (1)

jeff4747 (256583) | more than 4 years ago | (#32159302)

You'd be surprised just how much dumb stuff is done by smart people. For example, a friend's company regularly loses cleared employees for surfing porn at work.

Apparently they all went to work at the SEC next.

Re:How does one apply for a clearance? (0)

Anonymous Coward | more than 4 years ago | (#32162812)

No clue. The broad areas you are asked about are drug/alcohol use, finances, and foreign dealings.

Re:Bubbles are not as nasty in labor-intensive sec (1, Informative)

Anonymous Coward | more than 4 years ago | (#32150888)

The reason it's hard to get security clearance for most is that private companies don't want to pay the thousands of dollars for the investigation, more people than you think could get a clearance, but it's just too expensive. If you want a piece of pie, do what I did and join the military for a few years, they're more than happy to give you a clearance if you choose the right job. The only people that really have trouble have financial issues, criminal records, or aren't citizens. I'm sure most of you on /. are good, well behaved nerds like me, so there you have it. IMO a lot of people just don't like the idea of the military, like war, or getting exercise. So here they are complaining about how hard it is to get a clearance, when the easiest opportunity for most to earn one is right under their noses.

Disclaimer: Spent 6 years as a USAF 2E2X1: A specialty pretty much cookie cut for the huge cybersecurity craze, now known as 3D1X2.

Re:Bubbles are not as nasty in labor-intensive sec (1)

jeff4747 (256583) | more than 4 years ago | (#32151462)

You've got no idea what you're talking about when it comes to clearances, the job market for those with clearances, and the spending levels of the current Congress.

Re:Bubbles are not as nasty in labor-intensive sec (1)

Chibi (232518) | more than 4 years ago | (#32157740)

Many people apply, few (with the exception to political appointees) are accepted.

Actually, there are some similarities with security background checks and the H1B issue. I believe for security clearance, you need to be sponsored by a company. While you are getting your clearance, you technically can't do clearance-required work. So, a company who wants to sponsor someone might have them on a project that doesn't require clearance, while they are in the process. The problem with most DC companies is that they don't want to pay for that. They'd rather try to find someone else that has gone through the process already on someone else's dime. That way, they can start billing more quickly.

My guess is that some of this motivation is to not lose money from having someone you sponsored for their clearance to just leave when they are finally cleared.

In some situations, a employee will get hired by a subcontractor while their security clearance is being processed, and once it is cleared, be hired by the company with the contract.

The job market for cleared people is nearly always good (but has gotten pretty tight under the anti-military/intelligence Democratic congress/white house), so this will only make life better for them.

This is definitely true. There are plenty of jobs that require clearance, and only so many people that actually have it. It's kind of sad, as the clearance probably takes priority of skill/ability. I worked with a woman who had a clearance, left her previous job to a non-clearance position, and within three weeks quit to go another position that required clearance, because she didn't want to lose it. I believe if your clearance is inactive, meaning you weren't in a clearance-required position, for a certain period of time (6 months?), it's no longer valid. Of course, some of this is anecdotal, and I could be wrong. :)

Anyway, IT work in DC is a real joke. Plenty of money to be made there, but there's very little work being done. Lots of people just sitting around, waiting for their retirements. To an extent, I didn't really care who won any elections, because the civil service layer and the layer of contractors are such a drain on the system, that until something is done about it, you'll never really make much progress.

Re:Bubbles are not as nasty in labor-intensive sec (1)

jeff4747 (256583) | more than 4 years ago | (#32159216)

I believe if your clearance is inactive, meaning you weren't in a clearance-required position, for a certain period of time (6 months?), it's no longer valid. Of course, some of this is anecdotal, and I could be wrong

Your clearance technically goes "poof" as soon as you stop working at a job that requires a clearance.

However, if you held a clearance in the past, that's an extremely good indication you'll be able to get a clearance again (assuming the clearance wasn't revoked). That makes you a significantly lower risk to your employer.

Consolidating (0)

antirelic (1030688) | more than 4 years ago | (#32147794)

Consolidation is the only word to describe what has been going on in Federal IT for the past 3 years. If there is money being "funneled" to the problem, than that money isnt reaching the folks in the positions who are actually doing the job to fix the problem. Perhaps this 6-7bn dollars is being sent to shovel ready projects or some other non sense that has nothing to do with cyber security.

Re:Consolidating (1)

ColdWetDog (752185) | more than 4 years ago | (#32147854)

Perhaps this 6-7bn dollars is being sent to shovel ready projects or some other non sense that has nothing to do with cyber security.

But of course that's what is happening. Although the turn 'shovel ready' might not be so appropriate in the literal sense, figuratively, it's spot on.

Progress as promised!

Re:Consolidating (1)

sjames (1099) | more than 4 years ago | (#32149130)

But of course that's what is happening. Although the turn 'shovel ready' might not be so appropriate in the literal sense, figuratively, it's spot on.

I must be behind on the trade news again. What is now the preferred tool for moving horse and cow excrement around?

Re:Consolidating (0)

Anonymous Coward | more than 4 years ago | (#32153174)

I must be behind on the trade news again. What is now the preferred tool for moving horse and cow excrement around?

I believe it has been changed to a spoon.

You heard of Friedman's story right?
“In observing hundreds of Chinese workers clearing land for a new building using shovels, Friedman asked his hosts "Why are they using shovels? Why not use heavy equipment like an earth-mover?" The Chinese official said "If we did that, we'd lose all of those jobs!" Supposedly Friedman said "Oh, you're trying to create jobs! I thought you were trying to build a building. If you want to create jobs, why not take away their shovels and give them spoons?"”

Re:Consolidating (1)

jhoegl (638955) | more than 4 years ago | (#32147858)

Welcome to the political System, the "Virtual Fence" down here in Arizona, which only put up two actual towers cost Billions of dollars... What?

Fund expertise and results (0)

Anonymous Coward | more than 4 years ago | (#32147924)

Not political hacks and 30,000' studies. CYBER PEARL HARBOR - sow FUD

It's not a bubble ... (-1)

Anonymous Coward | more than 4 years ago | (#32147956)

it the sound of the US economy gurgling down the plughole.

Official notice (3, Funny)

NicknamesAreStupid (1040118) | more than 4 years ago | (#32148036)

Great post! Your idea has been patented, and you are now prohibited from implementing it.

lawyerspeak for dummies (5, Insightful)

Hognoxious (631665) | more than 4 years ago | (#32148052)

'I think it is a real growth opportunity in coming years,' says David Z. Bodenheimer, a partner at law firm Crowell & Moring in Washington, who leads the firm's homeland security practice and specializes in government contracts. 'The market is still rather fragmented and in flux, but is developing with a speed that it is attracting both the major defense and homeland security contractors who are establishing independent business units to pursue these opportunities, and it is also a real opportunity for the smaller players who have niche products

Translation follows:
"Nobody has the faintest fuck of a clue what they're doing, but they desperately want to be seen to be doing something and so they're throwing money at anything. Get in right now and make out like a bandit while you can!"

Re:lawyerspeak for dummies (1)

Luke has no name (1423139) | more than 4 years ago | (#32148106)

You're good.

Re:lawyerspeak for dummies (3, Insightful)

_Sprocket_ (42527) | more than 4 years ago | (#32148390)

The pity to all this is that Government has needed to better fund this area for the last 10+ years. Infosec activities have been historically undermanned. This increased funding would seem like welcomed news. But, of course, it's not that simple.

Infosec in the Fed has become a Frankenstein's Monster over the past years. Cluelessness has spawned regulation. NIST requirements have some solid technical basis. But mixed in to compliance is layer upon layer of bureaucracy that requires considerable funding in it's own right. Compliance requires additional management and auditing which requires additional manpower - none of which actually does the technical work or has to have any understanding of the technical issues. In fact, NIST compliance doesn't particularly require any understanding beyond the workings of the regulations themselves. And even achieving compliance with various NIST requirements can still leave one completely open to known security issues (which isn't entirely bad in itself but can set up a false sense of security).

It is possible that some of this funding will trickle down to the layer that should have been funded all along. But it is much more likely that the lions' share of these funds will go to fueling compliance. And investing on questionable new technologies / products while ignoring fundamental architectural and cultural issues that are the real source of many Government infosec issues.

Better they spend it on this than on fighter jets. (1)

elucido (870205) | more than 4 years ago | (#32150398)

They might have to spend 4-6 billion on cyber security but it would be better to spend it on that than to spend it on fighter jets which will probably never be used anyway. The new kind of war involves cyberspace, information, and almost never involves fighter jets.

So how would the enemy attack? Probably by exploiting weaknesses in systems and networks. So those systems and networks must be secured and securing them wont be free.

Re:Better they spend it on this than on fighter je (3, Insightful)

_Sprocket_ (42527) | more than 4 years ago | (#32150466)

So how would the enemy attack? Probably by exploiting weaknesses in systems and networks. So those systems and networks must be secured and securing them wont be free.

You missed my point. Infosec in the Government has needed funding for a long time now. Funding it is a good thing. However, I would prefer to see funding go towards programs and activities that are effective rather than powering additional levels of bureaucracy.

Having said that - don't get too wrapped up in your "new" war. When it comes down to it, physical control is still important. Those fighter jets will still have a use. AFter all, we've fought this war before - we just called it "espionage".

Re:Better they spend it on this than on fighter je (1)

r7 (409657) | more than 4 years ago | (#32159208)

Infosec in the Government has needed funding for a long time now

Funding alone won't have an effect on the organizational dynamics.

The only way .gov security is going to improve is if qualified people have the authority to enforce effective policies.

To get qualified people you have to require regular training and testing. You also have to go where the qualified people are (by not requiring them to move to DC, Baltimore, ...). To get effective policies you have to allow them to be written per business (not government) best practices without undue influence from special interests. Such policies would have to be created outside of the traditional groups such as the IETF, IANA/ARIN et al as those have all become as stifled by special interests (directly and through astroturfing/lobbyists) over the past decade. Lastly and most importantly such policies would have to be enforceable. That means an authority (like DHS should have been, could have been) that can cancel contracts and fire people.

Problem is the leadership needed to hire and empower qualified people and create enforceable policies does not exist at any level of the US Federal government.

Re:lawyerspeak for dummies (2, Insightful)

Anonymous Coward | more than 4 years ago | (#32148648)

Absolutely!!!

"After 9/11, we had to show how committed we were by spending hugely greater amounts of money than ever before, as rapidly as possible." - Rep. Christopher Cox, R-Calif., chairman of the Homeland Security Committee on why the TSA squandered $4.5 billion on malfunctioning equipment; he also inadvertently admitted that the agency is merely window-dressing for the Feds

Re:lawyerspeak for dummies (2, Interesting)

slick7 (1703596) | more than 4 years ago | (#32150148)

Government contractors don't have to prove anything, they already have the contract. The trick is in the bidding. With enough lies and barely enough money, you can get past that hurdle too.
The real trick is getting the contract renewal. For most contractors the first is usually their only. The really good contractors or the really corrupt ones (is there really a difference) not only get the renewals, they get them without bidding as is the prerogative of the government.

Re:lawyerspeak for dummies (0)

Anonymous Coward | more than 4 years ago | (#32151870)

Government contractors don't have to prove anything, they already have the contract.

What does that have to do with the post you're replying to? It didn't mention anyone proving anything.

Re:lawyerspeak for dummies (0)

Anonymous Coward | more than 4 years ago | (#32154244)

Goddamn right.

Roland Piquepaille (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32148096)

Hugh Pickens is the new Roland Piquepaille...

Re:Roland Piquepaille (1)

Hognoxious (631665) | more than 4 years ago | (#32148228)

I thought that dubious honor fell to theodp.

Something seems fundamentally off.... (0)

3seas (184403) | more than 4 years ago | (#32148134)

...about this.

I'm really not sure what but it seems to me that's an awful lot of money to be spending on something that can be addressed as simply as turning computers off.
On the flip side, quantum computing pretty much can make encryption pointless.

Realizing the direction of technology advancements its clear this cyber security thing is a bubble that will burst.

Considering spam is the number one cyber problem and that it is generally dealt with in addressing the symptom of people generating it, dealing with filtering the spam at the destinations rather than identifying the human generators and stopping them.....is after the fact.

It seems clear what is needed is the development of a different and disconnected (from the current network) network to handle secure communications. Where the use of it requires very clear identification of who. Like a drivers license.... dealing with security from the get go, not after the fact.

   

Re:Something seems fundamentally off.... (3, Insightful)

antirelic (1030688) | more than 4 years ago | (#32148436)

Your missing the bigger problem. Communications in the commercial world has dramatically advanced due to e-commerce and electronic digital communication. Government is very, very far behind the commercial world, but is looking to catch up. This cannot be done with an isolated and secure network. The need for e-government is becoming ever more evident. With the slow increase in population coupled with the dramatic increases in regulation and bureaucracy, the US government will simply grind to a halt if it does not provide more access to government services via the internet.

This is where the big need for security comes from. How do you provide more access to more services and information while restricting that information to the appropriate parties. Also, once these services become integrated and relied upon, they will become targets for hostile foreign elements. This is a "good" problem to have, but it is one that needs to be addressed now, before massive electronic outreach programs become part of our daily lives (even more than they are now).

Whether your a conservative, or a liberal, government cyber security needs to be addressed. If we go more big central government, then there will be more eggs in one basket. If we go the federalist route, then more information will need to passed between states (in a safe and accountable fashion). Either way the old "paper" way isnt sufficient and will not work forever (unless we have a massive population decrease).

What is e-government? does it include e-cops? (0, Troll)

elucido (870205) | more than 4 years ago | (#32150350)

"This is where the big need for security comes from. How do you provide more access to more services and information while restricting that information to the appropriate parties. "

What type of services exactly? What services do you expect the government to provide? Do you mean a setup so we can instant message the FBI to report a crime in progress? Do you mean giving twitter accounts out? What services does the government provide that is so important that we will need e-government to provide it?

With the slow increase in population coupled with the dramatic increases in regulation and bureaucracy, the US government will simply grind to a halt if it does not provide more access to government services via the internet.

This is where the big need for security comes from. How do you provide more access to more services and information while restricting that information to the appropriate parties. Also, once these services become integrated and relied upon, they will become targets for hostile foreign elements. This is a "good" problem to have, but it is one that needs to be addressed now, before massive electronic outreach programs become part of our daily lives (even more than they are now).

WTF? What services? What exactly do you imagine we will be relying on the government for and since when did the government provide anything for free? The government expects you to serve it in exchange for whatever you get, nothing is ever free. If wifi is offered it will come with censorship. If healthcare is offered it will come with a draft and government control over human behavior down to the microscopic level.

How exactly is giving the government more control over us worth the services?

Re:What is e-government? does it include e-cops? (2, Insightful)

antirelic (1030688) | more than 4 years ago | (#32150832)

I'm not arguing the politics of it (I agree with you from that point). I'm simply telling you how much the brontosaurus needs to eat... I'm not telling you why, how, or where you are going to get the food from.

The "services" is giving people a means to more readily comply with regulation, fill out required form, and easily pay it more money.

Re:What is e-government? does it include e-cops? (1)

elucido (870205) | more than 4 years ago | (#32150862)

I'm not arguing the politics of it (I agree with you from that point). I'm simply telling you how much the brontosaurus needs to eat... I'm not telling you why, how, or where you are going to get the food from.

The "services" is giving people a means to more readily comply with regulation, fill out required form, and easily pay it more money.

Okay now your point makes sense.

Re:Something seems fundamentally off.... (0)

Anonymous Coward | more than 4 years ago | (#32156492)

Either way the old "paper" way isnt sufficient and will not work forever (unless we have a massive population decrease).

I am intrigued, and wish to subscribe to your newsletter.

"Bubble of sorts" !? (1, Funny)

Anonymous Coward | more than 4 years ago | (#32148330)

What kind of weird geek-humour is that, please tell!?

government security vs government management (3, Insightful)

r7 (409657) | more than 4 years ago | (#32148472)

Good luck to the security professionals who think they can make a difference in the Federal government. I subcontracted at the GAO many years ago and saw some of the same issues. Mentioned them to higher-ups, and higher-higher-ups. No repsponse, no improved security, not even a formal recognition of the problem. The primary contractors themselves were just as much to blame. Their main goal seemed to be maintaining the contract at any expense, including bad security, including shooting the messenger.

Bottom line is that .gov security issues are not really security issues as such, they are organizational issues. As long as you don't address the fundamental problem of entrenched, mid-level, non-technical management all the money in the world won't fix it.

Re:government security vs government management (1)

Paracelcus (151056) | more than 4 years ago | (#32148624)

"mid-level, non-technical management", non-technical, non-interested, non-present and counting the days to retirement!

Use too many polysyllabic words in a complicated sentence and their eyes glaze over and they begin to snore.

Re:government security vs government management (2, Interesting)

gtall (79522) | more than 4 years ago | (#32149748)

Industry has the same problems. Try to change out IE 6.0 because of security issues in any large organization with investment in its sclerotic infrastructure and you will be met with, "Yes, well, security is your problem, now fix the problem and let us continue using IE 6.0".

Government IT "professionals" come from industry IT "professionals", government managerial "professionals" come from industry "professionals". PHBness seems to come with the territory.

Or I should say, PHBness comes from Business School Product. They are clueless, pointless, pitiless and their sole goal in life is make money and retire early. There is no love of science, technology, math or education in them. They understand little about technical issues and they resent you because you do. Not only that, you can make their lives difficult by bringing up issues that will screw up their reports. You, as an educated IT professional, must be sandboxed or worse, eliminated.

Re:government security vs government management (0)

Anonymous Coward | more than 4 years ago | (#32156206)

Who seriously thinks that "making a difference" means jack sh*t anymore, if it ever did? After the last ten years who could possible believe in that when it comes to federal employment and federal contracting?

This is business. And business is always business, even when it's wrapped in a flag and spouting moronic platitudes so the sheep keep allowing themselves to get sheared.

All I see is an opportunity to make some serious money and I am going to take advantage regardless of the long-term consequences. If that's the mentality and level of ethics suitable for the defense business, the federal contracting business, and "American" business in general, I'd have to be a wannabe martyr to think or do otherwise.

And I'm not about to nail myself to a cross for a country that does what the US has done over the last thirty years (at least). Mass murder, torture, environmental destruction, the systematic destruction of the middle class, etc. etc. etc.

So for God's sake, open the spigot and let the money flow! It's time for me to get mine.

OK (0)

Anonymous Coward | more than 4 years ago | (#32148564)

Sounds great, except for the part about living in the D.C. area ...

Re:OK (2, Funny)

r7 (409657) | more than 4 years ago | (#32148670)

Sounds great, except for the part about living in the D.C. area ...

Good point. This is a _large_ part of the problem. The best IT people are simply not going to move for a government job that pays less, has double the bureaucracy. and requires them to live in someplace like DC (which has some pretty nice neighborhoods actually, just not when compared to the West Coast in general and Silicon Valley in particular).

Re:OK (1)

rwa2 (4391) | more than 4 years ago | (#32149242)

Don't forget the people... Northern Charm combined with Southern Efficiency!

I actually think the parks and weather in DC are actually quite nice; but I grew up in Bangkok so I have a different threshold for hot and humid than most. It's also great to have 4 seasons, where it gets hot enough to kill people, cold enough to kill people, and occasionally windy enough to kill people with the freak tornado. I'd go nuts living in a desert, like arid SoCal.

But back to the people... if I had to pick any place to live, it'd be as far from here as practical; maybe the Pacific Northwest. Even with all the relatively high paying work here and the "job security clearances", I feel like any money spent here goes directly to political / administrative overhead. The fact that this has been the fastest/only-growing sector of the US economy for the past few years speaks pretty poorly of our long term R&D / manufacturing / production capability :/

Don't understimate a desert! (0)

Anonymous Coward | more than 4 years ago | (#32150178)

In a good desert, it can get hot enough to kill people and cold enough to kill people every single day/night cycle! But thanks for confirming an observation I made: we tend to seek the visceral conditions of our youth.

After growing up in the inland San Francisco Bay Area, I found living in Bangkok insufferable not only because it was stifling like summer in D.C. or Chicago but also the days never changed length and the nights never got cold. I need the cycle of long summer evenings and long winter shadows to feel like time is passing. I find coastal Los Angeles frustrating because it is "humid" all summer and dry all winter, backwards from my youth. Southern Italy feels extremely familiar to me, not only in climate but in the rolling hills covered in dry grass and sparse oak trees.

Re:OK (1)

jeff4747 (256583) | more than 4 years ago | (#32159242)

A ton of this work isn't being done in DC. DC is just where the HQ is, so it gets all the attention from the media.

What most of this "IT security work" really is... (4, Insightful)

brennz (715237) | more than 4 years ago | (#32148584)

Most of work involves commodity certification & accreditation (C&A) that involves the following:

Phase 1
a "system owner" (Govt IT manager) has staff prepare documentation of the security controls implemented on a "system" (Logical grouping of computers). The security controls are in NIST 800-53, this is FISMA in action.
C&A process http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf [nist.gov]
NIST Controls http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf [nist.gov]
NIST Audit process http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-A%20Rev.%201 [nist.gov]

Phase 2
A certification agent comes in, assesses the system using tools and configuration analysis. This is heavily slanted towards audit, instead of true security analysis.

Phase 3
A senior executive (Authorizing official) makes a decision about the risk acceptability of the system to operate, and may make the system owner do corrective action. The system then moves into continuous monitoring (phase 4).

That is how certification and accreditation operates in theory. Now I am going to tell you how the system is gamed.

During Phase 1, it implies you actually have competent IT security professionals on hand, performing work for the system owner. This is a false assumption. Most system owners don't know security, nor do their staff.

Phase 2 - First of all, have the certification agent companies don't understand security. They can talk the talk (CISSP) but have no solid IT / IT security expertise (not security testers). Many certification agents will not even test systems. They play a game of bringing in cheap staff or running vulnerability scanners then passing them off as "penetration tests". The amount of utter garbage in the field is amazing. Even more so are the reports they write up are audit garbage. If you asked most certification agents about a security methodology, they haven't heard of the OSSTMM or similar. They use NIST 800-53A (heavily audit driven) then they write up meaningless reports, equating technical weaknesses as just as relevant as a gap in a policy.

Phase 3 - The vast majority of government executives are clueless when it comes to IT. They know a little bit, like the name of an operating system (Linux - buzzword - yay!) but not much else. So, they are easily led astray. Most will allow a system to operate regardless of how bad it is, based on a horrible security review performed by incompetent certification agents, on a package made by the almost as clueless system owner and his staff.

After a system gets an authorization to operate, many staffs stop doing all security for 3 years, til the next C&A comes around.

It is not uncommon for a federal cabinet level agency to have 300+ systems, with 300+ system owners, with 300+ completely separate, unique and underfunded security implementations that have more holes than swiss cheese.

If you notice, what is missing from above is actually rigorous security analysis. Code is rarely audited. Configurations are rarely checked 100%. Policy is viewed as important as technical controls. Most testing is a wash. Penetration tests are vulnerability scans by nitwits.

And you wonder why the Chinese are plundering the US govt on a daily basis?

Re:What most of this "IT security work" really is. (1)

rwa2 (4391) | more than 4 years ago | (#32149268)

Sounds like a great way to pass the buck to me :P

Also sounds exactly like a lot of what's going on in education.

Seems like there should be a way to give the professionals who administer systems the tools and resources to ply their trade. But all the money is tied up in political / administrative overhead so they can shuffle the accountability and blame around. Awesome that.

Me Too (1, Insightful)

firetoflames (999369) | more than 4 years ago | (#32148714)

Could anyone here list some of "the major defense and homeland security contractors who are establishing independent business units to pursue these opportunities"? Buying some of these stocks could make for some nice returns if this news isn't already built into the stock price. Plus the market really isn't doing too hot right now. There might be a lot of opportunities for buying in the near future.

Re:Me Too (1)

firetoflames (999369) | more than 4 years ago | (#32148752)

Never mind. What does RTFA stand for by the way? From the article. "Lockheed Martin, Boeing, General Dynamics, ManTech International, Northrop Grumman and SAIC".

Re:Me Too (0)

Anonymous Coward | more than 4 years ago | (#32150740)

Symantec does a lot of Gov't work. But they're so massive and bloated a billion dollar contract either way doesn't make much of a difference to their stock price anymore. The same could be said of most of the big gov't contractors like LockMart, Boeing, GenDy, etc...

They're huge, bureaucratic companies who's primary engineering skill is social engineering. They know who to talk to, and what forms to fill out to get the government contracts.

Also, people (as in voters) get really annoyed when they see private companies making large profits from Government contracts. As a result, companies intentionally don't make profits from these contracts. They bloat out their managerial ranks to suck away any excess cash created from a government contract, then moan about how much money they "lost" on a given contract until some paper pusher in Washington creates a nice fee increase waiver to cover the budgetary "shortfall."

Investing in companies that depend on government contracts is a muggins game. The investors don't get to see the cash. It all gets eaten up by the pinstripe suits.

One snake-oil bubble, coming right up! (4, Insightful)

King_TJ (85913) | more than 4 years ago | (#32148838)

This cyber-security stuff is largely nonsense, IMO.

The fact is, the Internet was designed from the ground up to support flexible and open standards, and it makes certain assumptions about the credibility and honesty of those put in charge of its routing. (I was just reading an article complaining about the lack of "action" taken after the Bush administration did a security review of the Internet back in the 2003 time-frame and determined it was, indeed, quite possible to take down the entire Internet in a matter of hours or less, thanks to weaknesses in how traffic is routed. The fact is though, all the major ISPs expressed NO interest in changing the current system -- because they realize that would still require a "central authority" someplace to determine the "correct" routes traffic should follow to get from point A to B. The current system is rather like trying to drive on a road trip from, say, Dallas to San Francisco, except you have no road map in advance. You simply start out on your journey and follow the road signs as you go, until you arrive. Except in the case of the Internet, even those "road signs" aren't controlled by any central authority. If someone accidentally or purposely changes one, traffic gets shunted in the wrong direction (possibly to a destination router that just black-holes all of it, since it wasn't expecting it).

As we can see though, it generally works quite well, because the people doing most of the heavy-duty routing are ISPs with a vested interest in making sure it keeps performing well. If and when something goes wrong, they tend to pick up the telephone and start making phone calls, getting people to intervene and make manual routing changes to eliminate the problem.

As you look past this supposed "security weakness" and get more detailed about security of individual destination points on the Internet, you see a similar situation. People bitch and moan about security issues (PCI compliance, for example), and spend thousands of dollars trying to address it. Yet in the end, you still HAVE to place trust in your employees. If they're willing to let outsiders in to get information you're trying to protect? All bets are off, no matter how much you spend on the latest "next generation firewall solution" or what-not. (Remember the huge credit card breach AOL had a while back? Turned out to be an inside job.)

Right now, as an I.T. manager, I'm seeing a large number of start-up and obscure "computer security" businesses trying to get my attention. I was just invited to listen to a presentation given by Palo Alto Networks, for example, followed by a free pre-screening of Iron Man 2. (Yep, I went.... not a bad way to get our attention, actually!) But the presentation honestly didn't tell me anything new. It was full of a bunch of well-heeled customers of theirs talking about liking the device, and their founder making a few rather arrogant comments - suggesting they were going to be huge in the future, because unlike most companies doing firewalls, they were focused on "innovation". He commented that "Checkpoint hasn't innovated in at least a decade." and "Cisco has NEVER innovated at all. They just bought a bunch of start-ups."

I can't speak for the quality (or lack thereof) of their product, but I CAN say that it was exactly what I was expecting them to try to sell.... another "next gen firewall/traffic flow controller" device that tries to "wow" middle and upper management types by acting like they've unlocked a huge revelation, by realizing that port and IP based firewall rules aren't the complete answer for companies today.

Funny, but I think Rapid7 was just calling, trying to get me to attend a seminar about THEIR product that was essentially the same idea, and to hear them talk, THEY thought of it all first, too.

A lot of people see a chance to grab some money thanks to fear of the unknown out there, and they may have products that really DO address specific scenarios really well. But I'm convinced most companies would be better served by saving their money and using it to hire better, more knowledgeable staff who could embrace free (like Linux) open-source solutions for some of these problems, and could address other issues with some actual manpower watching over things once in a while. You can't help that the software you need to use has security holes, unless you write it all yourself... but you CAN have staff checking log files regularly and looking out for odd behavior on the servers. Trying to spend a bunch of "feel good" money on security appliances to put in your rack and pretend that they'll protect things on "auto pilot" seems like a pretty poor idea to me.

WOO HOO! BILLIONS FOR SNAKE OIL! (1)

Chas (5144) | more than 4 years ago | (#32149604)

I can see it now.

Our [Crappy Product We're Selling] will lock you up so tight that if you take a crap, we'll be able to tell exactly what you had to eat a month and a half ago from the leavings! You will be secure, SECURE, SEH-CURE BABY!

Just fork over that phat gub-a-mint dole! MONEY MONEY MONEY MO-NEY! MO-NEY!

Truly the finest in buzzword-laden insecure security!

Broken the first time a government worker (or mabye A. Random Janitor) find out that their porn is blocked and get around it all.

Security through bullshittery.

Re:WOO HOO! BILLIONS FOR SNAKE OIL! (0)

Anonymous Coward | more than 4 years ago | (#32153106)

Too much morning coffee? Wired aren't we?

Cybersecurity not a problem here (0)

Anonymous Coward | more than 4 years ago | (#32153216)

We use portable Ubuntu [ubuntu.com] running off a read-only device.
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?