Shaun Waterman, of the Washington Times, reports that government auditors have found that systems at the U.S. Computer Emergency Readiness Team (US-CERT) "were not maintained with updates and security patches in a timely fashion and as a result were riddled with vulnerabilities that hackers could exploit." According to the article, dated September 9, 2010, the auditor's report "said the issues of inadequate and untimely patching had been raised by [an older] review of the systems."
Although security officials have said that since the audit, the vulnerabilities have been fixed, with "new procedures and equipment . . . to ensure the systems will be kept up to date," the article quotes a former Homeland Security official who says "'[p]atch management doesn't work.'" The official, who asked not to be named, is quoted as saying "'[t]here is no network that is 100 percent patched. Eighty-five percent . . . is a good number.'" The most recent report does not quantify the percentage of machines patched on the US-CERT network. According to the Times, the unnamed official blames the vulnerabilities on the wall between IT and mission-owners.
"'It is a classic pothole of IT being segregated away from the mission-owner. IT management issues often fall towards the bottom of the to-do list. It is not sexy work.'"
Another specialist, also speaking anonymously, painted the issue as a "'management/leadership issue.'" Additionally, making the issue public, according to this specialist, only serves to "undermine the agency's reputation among security professionals." "'It's a credibility issue, and you have to be on your 'A' game when it comes to setting the example.'"
The complete Washington Times article can be found at the link above, or here.
Possible question for class:
Given the oft-repeated statement that cyberspace is the next key battlefield, and is in need of the same U.S. presence as land, air, sea, and space, what should we make of the results of the government's audit?
Leave a Reply