Is UK government data secure?

How secure is the data on government databases? Does the government have any recognised testing
that is carried out on a regular basis?

Do we need a grading system in the UK as they do in the US?
 

The reason I ask is that the US federal departments have just failed to
show that any data they have is beyond the hackers.

 

Calling federal information security “embarrassing” and “dangerous”, Rep.
James R. Langevin (D-RI) lashed out at federal departments including State,
Commerce and Homeland Security for lax practices and serious breaches.

The comments came
at a hearing of the Committee on Homeland Security's subcommittee on emerging
threats, cybersecurity and science and technology, to discuss recent high-level
security breaches in government, at which representatives of State, Commerce
and the Government Accountability Office testified.

Langevin cited failing grades by both the Departments of Commerce and State under the FISMA assessment.
FISMA stands for the Federal Information Security Management Act of 2002. See background information
via the National Institute of Standards and Technology.

Langevin also
cited a hack into Commerce systems using a rootkit last October, and a June
2006 penetration of State Department systems which used social engineering and
a zero-day exploit of Microsoft Word to gain access.

Both departments, Langevin said, tried to downplay the incidents, saying no classified systems
were compromised. Langevin said that because the departments failed their FISMA
assessments and have failed to inventory all of their systems, “they can't
know for certain that these incidents don't involve classified systems.”

About DHS, which received a D on its FISMA assessment (the first time since 2003 that DHS did not
receive an F), Langevin said he was “disappointed and troubled” with
the department's progress in securing cyberspace. “I don't know how the
department thinks it's going to lead this nation in securing cyberspace when it
can't even secure its own networks.”

SANS Institute
director of research Alan Paller, who attended the hearing, said that
government officials are finally saying publicly what many have known all
along: Their systems are insecure and put the nation at risk. “The State
and Commerce Department penetrations are the tiniest tip of the iceberg,”
said Paller. 

Paller also noted that participants at the hearing said FISMA was a bad assessment system
that measured the wrong things, and that receiving a grade of A wouldn't make
any of the participants at the hearing believe they were necessarily secure.

The hearing demonstrated the remarkable consistency between corporate and government
problems with information security. Zero-day exploits and rootkits are the
biggest issues private companies are dealing with right now. Two zero-day
exploits have been discovered in the past month, and some speculate that
rootkits may have been used in the breach of TJX, the biggest data leakage case in history
to date. Indeed, the Commerce Department's failure to pinpoint the time when
hackers first gained access mirrors TJX's confusion over the origins of access, which is usually
a sign the hackers were able to conceal their activity through the use of a
rootkit, a basic tool for economic hackers.

In their fiscal
year 2006 financial statement audit reports, 21 of 24 agencies indicated that
they had significant weaknesses in information security controls. As shown by
reports by GAO and agency inspectors general (IG), the weaknesses persist in
major categories of controls—including, for example, access controls, which
ensure that only authorized individuals can read, alter, or delete data, and
configuration management controls, which provide assurance that only authorized
software programs are implemented.

An underlying cause for these weaknesses is
that agencies have not yet fully implemented agency-wide information security
programs, which provide the framework for ensuring that risks are understood
and that effective controls are selected and properly implemented. Until
agencies effectively and fully implement agency-wide information security
programs, federal data and systems will not be adequately safeguarded to
prevent unauthorized use, disclosure, and modification.

Langevin also
cited issues with intelligence sharing between departments over vulnerabilities
and exploits.

Langevin
concluded his opening statement with words that are becoming more common both
in government and business when it comes to information security: “We don't know the scope of our
networks. We don't know who's inside our networks. We don't know what
information has been stolen.”
(source).

 

So before we embark on giving the UK government our most personal of details
with the ID card scheme and ePassports, perhaps a very public health check
might be in order.

 

 

NuLab – Destroying Britain from the inside out.

 

 


About IanPJ

Ian Parker-Joseph, former Leader of the Libertarian Party UK, who currently heads PDPS Internet Hosting and the Personal Deed Poll Services company, has been an IT industry professional for over 20 years, providing Business Consulting, Programme and Project Management, specialising in the recovery of Projects that have failed in a process driven world. Ian’s experience is not limited to the UK, and he has successfully delivered projects in the Middle East, Africa, US, Russia, Poland, France and Germany. Working within different cultures, Ian has occupied high profile roles within multi-nationals such as Nortel and Cable & Wireless. These experiences have given Ian an excellent insight into world events, and the way that they can shape our own national future. His extensive overseas experiences have made him all too aware of how the UK interacts with its near neighbours, its place in the Commonwealth, and how our nation fits into the wider world. He is determined to rebuild many of the friendships and commercial relationships with other nations that have been sadly neglected over the years, and would like to see greater energy and food security in these countries, for the benefit of all. Ian is a vocal advocate of small government, individual freedom, low taxation and a minimum of regulation. Ian believes deeply and passionately in freedom and independence in all areas of life, and is now bringing his professional experiences to bear in the world of politics.