Wednesday, November 18, 2015

Stupid is as Stupid does Again

The title is, of course, from Forrest Gump and summarizes a basic tenet of computer security: you cannot engineer out stupid.  I don't know how many of you read the November FISMA report from OPM, but when I looked at it, I had to check the date.  I thought it was the report from a couple of years before the Chinese took all of our security clearance records.  Too bad it wasn't.  Really?  Two-factor authentication is still not being used?  Multiple systems still haven't been approved?  They still haven't identified deficiencies and set dates for correcting all the problems.  Maybe they are still too busy sending out those notices that your records have been stolen and offering some credit monitoring, which is absolutely worthless.  Then too, they know it is only a year until they are going to be gone, and someone new will be taking over.  Maybe this kind of thing will escape the public notice until then.  Give the security clearance data back to DoD and get these idiots out of the business.

These are a few of the other things that we tend to forget:

  • In June 2015, the Office of Personnel Management reported that an intrusion into its systems affected the personnel records of about 4.2 million current and former federal employees.  The Director stated that a separate but related incident involved the agency's background investigation systems and compromised background investigation files for 21.5 million individuals.
  • In June 2015, the Commissioner of the Internal Revenue Service testified that unauthorized third parties had gained access to taxpayer information from its "Get Transcript" application.  According to officials, criminals used taxpayer-specific data acquired from non-department sources to gain unauthorized access to information on approximately 100,000 tax accounts.  This data included Social Security information, dates of birth, and street addresses.  In an August 2015 update, the agency reported this number to be about 114,000 and that an additional 220,000 accounts had been inappropriately accessed, which brings the total to about 330,000 accounts.
  • In April 2015, the Department of Veterans Affairs' Office of Inspector General reported that two contractors had improperly accessed the agency's network from foreign countries using personally owned equipment.
  • In February 2015, the Director of National Intelligence stated that unauthorized computer intrusions were detected in 2014 on the networks of the Office of Personnel Management and two of its contractors.  The two contractors were involved in processing sensitive PII related to national security clearances for federal employees.
  • In September 2014, a cyber intrusion into the United States Postal Service's information systems may have compromised PII for more than 800,000 of its employees.
  • In October 2013, a wide-scale cybersecurity breach involving a U.S. Food and Drug Administration system occurred that exposed the PII of 14,000 user accounts.

We could say this was indicative of a poor management situation, but it is more than that.  These data thefts are just the current ones, and they clearly indicate that we have no effective oversight of computer security in the Federal agencies.

The report goes on to document the basic things every computer security program should have, but cites them as identified deficiencies of our Federal agencies.  Policy is not the issue here.  We have federal CIOs and CISOs who clearly don't have the initiative to fix what has already been identified as deficient.  They give excuses, lay blame on everyone else, and talk a good deal, but never get the job done.  Why do we pay people to do these jobs and then ignore them when they don't?  This is our data these people are losing.  Can't we find a way to get their attention?  GAO's reporting is an insight into the broader problem of getting managers to follow even the basic policies that require that data to be secured.
