Wednesday, November 22, 2017

Speaking of Long-Term Hacks...

There was a Wall Street Journal article describing a 2004 warning from the Defense Intelligence Agency about software made by Russia’s Kaspersky Lab.  The warning said the agency thought the software could be used by Russian intelligence services to get into US systems.

I have some sympathy for those who ignored the internal discussions about this, if they did not see the classified intelligence reports the article cites.  Many civil agencies do not have enough people cleared to see those kinds of reports, so they don’t see them.  But others do see them, and still ignore any warning that is “not specific enough to say that it is a threat”.  In other words, unless the threat of being hacked using that software has actually been found on one of our computers, we are not going to change what we see as a good product.  Usually, this is the height of arrogance.

In either case, too many government agencies do not take action on this kind of threat because there is no central management of the threats to agencies.  That is left to each agency to decide.  That includes the morons at the Office of Personnel Management who allowed the Chinese to steal the most sensitive records we had over years of ignoring the signs, the Internal Revenue Service, which got hacked twice in the same year using the same methods, and an NSA contractor who took hacking tools home with him.

Now, there is a known hacking tool out there that has been running on government systems for over 10 years.  The damage that was done is done, and it doesn’t go away because we stop using Kaspersky software.  Too many things have been undone by long-term hacks of government systems that got patched and covered over with new paint.  The hackers are still in there, as the State Department found out when it spent three years trying to get rid of them.  The same is true of the Intel chip vulnerability in my last post.  It goes on much longer than the chip itself because, even if you try - and most agencies don’t - you still won’t be able to get those guys out of the systems without a lot of work.

Get NIST out of the policy business and put an agency that can do something in charge.  Start going through these systems and closing them off or rebuilding whole parts of them to be secure against the insiders that we now have.  Close down the operations centers that are supposed to be doing security for all of these agencies but just employ friends of the Directors and CIOs.  Put the money into making these systems safe again.
