Some cynics keep an ordered list of the "top" oxymorons. Long-term members of the list include "business ethics," "military intelligence," "northern hospitality" and "southern efficiency." While "government efficiency" has a permanent hold in the top ten, "government cyber-security" has leaped to the top.
Cyber-security is a huge problem for large organizations in general, for deep systemic reasons, as I explain here. The US federal government is making a big effort to get ahead of the problem. By doing so, it is embarrassing itself and making things worse.
The government is engaged in a giant effort to systematize cyber-security and train professionals in how to do it. Various claims are made about salaries over $100,000 and a need for over a million qualified people. I first encountered this effort in an article about a local community college that had received certification for their program:
This sounds prestigious: both the NSA and DHS are jointly behind it! This must represent the best training there is!
So I looked into it a bit. Here is what the NSA has to say:
Here is what the DHS has to say:
I noticed a couple things:
- Each organization has its own page to describe the joint program. Of course.
- Each organization lists itself first in the description. At the NSA, the program was created by the NSA and DHS, while at the DHS, DHS is listed first. Of course.
- Each describes the programs and its goals differently. Of course.
This is bureaucracy as usual.
Then I decided to find out about the program itself, so I clicked on the link at the bottom of the NSA site. Here's what I got:
No kidding! That's why in the image above, I clipped to the top of my browser, so you could see the URL and see that I wasn't fooling around. This is exactly what I got by clicking on the NSA site shown above! Maybe it's just the NSA that's screwed up. DHS probably has a better link, since their website was updated less than two months ago. Nope! Same result!
Makes perfect sense. The NSA can't keep itself secure. We already knew this from the Edward Snowden problems, and more recently from their role in the world-wide Wannacrypt virus attack. The DHS? Even government investigators have concluded that its cybersecurity efforts are worthless. So why shouldn't their joint website fail the most elementary security test?
I dug and dug, trying to find what was actually taught, and what the cybersecurity standards and practices actually were. In particular, I was curious to find if there was any mention of the NSA's role in supplying the weaponry for the Wannacry attack by means of gross deficient internal cybersecurity. I was also curious to see what level of acknowledgement there might be of their problems.
Result: a couple hours of digging resulted in amazingly little of substance. I'll just end with an interesting comparison.
Remember the world-wide outcry about the guy being dragged off a United airplane? The CEO stepped up quickly and defended his employees. Then he took it back and abjectly apologized, and there followed a stream of discussions about how other airlines did it and specifically how United was going to change to prevent a repetition of the drag event.
Compare this to Wannacry. Not just one guy, but tens of thousands of organizations, including most of the UK's NHS -- resulting in massive patient issues, many of which were far worse than United's dragging event. Who was put on the carpet? Who apologized? Any word from the NSA about their security breach that greatly magnified the problem? Of course not! Don't be silly! This is an august government organization: no one apologizes, no one loses their job, and nothing changes. Got that?