It seems that, all too often, government agencies excel at telling regular citizens how to live their lives, while at the same time being unable to keep their own houses in order. There is no greater example of this type of abuse than in the area of computer security.
For the past 18 months, federal agencies have been required to comply with the Federal Desktop Core Configuration (FDCC) mandate issued by the National Institute of Standards and Technology (NIST). FDCC dictates how government computers should be configured and secured to protect valuable information and government services, and provides easy-to-use checklists to make sure that computers are as safe as they can be. Additional regulations have been issued by the Office of Management and Budget (OMB).
Unfortunately, it seems that in the case of FDCC and OMB, having regulations in place doesn’t do much good, because the penalties for non-compliance are incredibly lame. A recent report from the Government Accountability Office found that only two government agencies had implemented all of the required security measures. Has anyone been fired because they aren’t following the rules? Why, of course not. Have any non-compliant agencies been fined or penalized? What do you think?
It should have come as no surprise, then, when the nation’s oldest law enforcement agency, the U.S. Marshals Service, was knocked offline because of mysterious virus infections. FBI computers were also affected. It seems that the agencies’ woes were the result of an Internet worm called Neeris, a version of the Conficker virus.
What makes the situation so inexcusable is that Microsoft issued patches almost nine months ago that would have stopped Neeris in its tracks. Computer “professionals” at the agencies simply never got around to installing the patches. To make matters worse, even though the U.S. Marshals Service was running an antivirus program from Trend Micro that could have detected and removed Neeris, it had not been updated in over three years. A Trend Micro spokesman confirmed that the U.S. Marshals Service had an up-to-date contract, and had paid for and received updates for the past three years, but it seems that the agency’s incompetent computer nerds had never bothered to install them. Heads should roll.
One computer that I fixed last week, which would not boot up properly, was infected with over 400 viruses, including three malicious “keylogging” programs. As you may recall, keyloggers are designed to record every key that is pressed on a computer’s keyboard and send that information back to the bad guys. This computer was also used to prepare tax returns and accounting reports for a number of local businesses. It was not running a firewall program and had no antivirus software installed. When asked about the situation, the owner replied that he “used to have” antivirus software installed, but it made the computer slow, so he uninstalled it. Doh! With that attitude, he could get a computer security job with the U.S. Marshals Service.
I’ve been applying NIST security checklists to computers for almost eight years, starting with Windows 2000. It’s work, to be sure, but it’s not brainiac rocket science. Maybe I should just chuck it all, get myself a cushy government job and get paid big bucks to do lousy work.