Feds' Own Cybersecurity Efforts Are A Joke: Employees Have 'Gone Rogue' To Avoid 'Ineptitude' Of IT Staff

from the get-your-house-in-order dept

One of the key parts of the various cybersecurity bills that have been pushed over the past few years is the idea that the federal government would help the private sector better protect against attacks. Of course, for that to make sense, you'd think that the federal government would have its own "cybersecurity" house in order. However, a report from the Senate shows what even it describes as "ineptitude" by various government agencies. Pick your agency and you'll find problems. Let's take a look at Homeland Security, one of the agencies that has been vying for control of the federal cybersecurity budget. Turns out that DHS's own cybersecurity team repeatedly failed to install basic security updates for easy targets of hackers like Microsoft applications and Java (tip: if you're using Java, you're probably not secure). As the report notes, this is "the sort of basic security measure just about any American with a computer has performed." But not DHS cybersecurity employees!

What else? Well, just within DHS, there were the following problems:

    Sensitive databases protected by weak or default passwords. At NPPD, which oversees DHS’s cybersecurity programs, the IG found multiple accounts protected by weak passwords. For FEMA’s Enterprise Data Warehouse, which handles reports on FEMA’s disaster deployment readiness and generates other reports accessing Personally Identifying Information (PII), the IG found accounts protected by “default” passwords, and improperly configured password controls.

    Computers controlling physical access to DHS facilities whose antivirus software was out of date. Twelve of the 14 computer servers the IG checked in 2012 had anti-virus definitions most recently updated in August 2011. Several of the servers also lacked patches to critical software components.

Oh, and then there's the following concerning our good friends at ICE, Immigration and Customs Enforcement, the group that styles itself as Hollywood's personal police force:

    To take just one example, weaknesses found in the office of the Chief Information Officer for ICE included 10 passwords written down, 15 FOUO (For Official Use Only) documents left out, three keys, six unlocked laptops -- even two credit cards left out.

Moving on to the Nuclear Regulatory Commission. Here things are so bad that the report notes that NRC employees believe their own IT staff is "inept" and they've "gone rogue."

    Perceived ineptitude of NRC technology experts. There is such “a general lack of confidence” in the NRC’s information technology division that NRC offices have effectively gone rogue -- by buying and deploying their own computers and networks without the knowledge or involvement of the department’s so-called IT experts. Such “shadow IT” systems “can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies,” the NRC Inspector General reported in December 2013.

And this has resulted in a bunch of problems, such as storing sensitive data on unsecured shared drives, including the details of the NRC's cybersecurity programs. Also on an unsecured shared drive? A commissioner's passport photo, credit card image, home address and phone number. The NRC also failed to report security breaches:

    How often does the NRC lose track of or accidentally expose sensitive information to possible release? The NRC can't say, because it has no official process for reporting such breaches.

Moving on to everyone's favorite government agency: the IRS. The report notes that every year the GAO finds 100 cybersecurity weaknesses in IRS systems, and the IRS fixes half of them. Then the GAO does another audit... and finds another 100 problems with the IRS's cybersecurity. Among the problems? Failure to encrypt sensitive data. Failure to fix known vulnerabilities. And, the ever popular weak passwords:

    Examples of easily-guessed passwords are a person’s username or real name, the word “password,” the agency’s name, or simple keyboard patterns (e.g., “qwerty”), according to the National Institute of Standards and Technology. In some cases, IRS users had not changed their passwords in nearly two years. As a result someone might gain unauthorized access to taxpayers’ personal information and it “would be virtually undetectable,” potentially for years. GAO has cited IRS for allowing old, weak passwords in every one of its reports on IRS’ information security for the past six years.

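As an added example (mine, not code from the article or the Senate report), here is a password-policy check that rejects exactly the "easily guessed" classes the quoted NIST text lists (username, real name, the word "password", the agency's name, keyboard patterns like "qwerty") and flags passwords left unchanged too long; the 12-character minimum, the 90-day age limit, the US QWERTY rows and the sample roster are all constructed assumptions.

```python
"""Weak-password audit for the NIST-described patterns quoted in the IRS finding.

Added example, not code from the article or the Senate report. The 12-character
minimum, the 90-day age limit, the US QWERTY rows and every sample account are
assumptions constructed for the demo. Run checks like these at password-change
time, where the plaintext is legitimately available; never retain plaintext
passwords for later audits.
"""
from dataclasses import dataclass
from datetime import date

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")  # assumed US layout
MIN_LENGTH = 12      # assumed policy minimum, not stated in the report
MAX_AGE_DAYS = 90    # assumed rotation limit, not stated in the report


@dataclass
class Account:
    username: str
    real_name: str
    agency: str
    password: str        # plaintext is only available at set/change time
    last_changed: date


def _normalize(text: str) -> str:
    """Lowercase and strip non-alphanumerics so "John Q. Smith" compares as "johnqsmith"."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def has_keyboard_pattern(password: str, min_run: int = 4) -> bool:
    """True if any min_run adjacent characters walk a keyboard row forwards or backwards."""
    text = _normalize(password)
    for i in range(len(text) - min_run + 1):
        chunk = text[i:i + min_run]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def _identity_tokens(acct: Account) -> set[str]:
    """Strings guessable from the account itself: username, name parts, agency words,
    and the agency's initials (so "IRS" is caught for "Internal Revenue Service")."""
    tokens = {_normalize(acct.username), _normalize(acct.real_name), _normalize(acct.agency)}
    tokens.update(_normalize(part) for part in acct.real_name.split())
    tokens.update(_normalize(part) for part in acct.agency.split())
    tokens.add("".join(word[0] for word in acct.agency.split()).lower())
    return {tok for tok in tokens if len(tok) >= 3}   # drop tiny tokens that match anything


def weak_reasons(acct: Account, today: date) -> list[str]:
    """Return every policy violation for one account; an empty list means it passed."""
    normalized = _normalize(acct.password)
    reasons = []
    if len(acct.password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if "password" in normalized:
        reasons.append('contains the word "password"')
    for tok in sorted(_identity_tokens(acct)):
        if tok in normalized:
            reasons.append(f"contains account- or agency-derived string {tok!r}")
    if has_keyboard_pattern(acct.password):
        reasons.append("contains a simple keyboard pattern")
    age_days = (today - acct.last_changed).days
    if age_days > MAX_AGE_DAYS:
        reasons.append(f"unchanged for {age_days} days (limit {MAX_AGE_DAYS})")
    return reasons


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each username to its list of violations."""
    return {acct.username: weak_reasons(acct, today) for acct in accounts}


# Constructed sample roster (not real accounts), audited as of the article's date.
AUDIT_DATE = date(2014, 2, 4)
SAMPLE_ACCOUNTS = [
    Account("jsmith", "John Smith", "Internal Revenue Service", "Smith2012!", date(2012, 3, 1)),
    Account("mlee", "Mary Lee", "Internal Revenue Service", "qwerty123456", date(2014, 1, 15)),
    Account("rkim", "Robert Kim", "Internal Revenue Service", "Password-IRS-1", date(2013, 12, 20)),
    Account("tdoe", "Tina Doe", "Internal Revenue Service", "correct-horse-battery-staple", date(2014, 1, 2)),
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(user, "OK" if not problems else "; ".join(problems))
```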
How about an organization like the SEC, which deals with tons of sensitive information? Apparently, they're so careless and cavalier about this stuff that they used personal email accounts, stored information unencrypted, and often used unsecured open WiFi connections -- including once at "a convention of computer hackers."

    Team members transmitted sensitive non-public information about major financial institutions using their personal e-mail accounts. They used unencrypted laptops to store sensitive information, in violation of SEC policy -- and contravening their own advice to the stock exchanges. Their laptops also lacked antivirus software. The laptops contained “vulnerability assessments and maps and networking diagrams of how to hack into the exchanges,” according to one SEC official.

    The investigation also found that members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits. They also appeared to have connected laptops containing sensitive information to unprotected wi-fi networks at public locations like hotels -- in at least one reported case, at a convention of computer hackers.

And yet these folks claim they can help secure everyone else's computers?


Reader Comments

  1. silverscarcat (profile), Feb 4th, 2014 @ 1:17pm

    Of course they can!

    We just do the opposite of what they're doing.

     

  2. Lawrence D'Oliveiro, Feb 4th, 2014 @ 1:18pm

    Seems I have to correct yet another instance of a common conflation of entirely different uses of Java.

    The insecurities in Java stem from its use to run applets in a Web browser. This usage dated from long before Dynamic HTML became as powerful as it is today. Java applets are obsolete and nobody should be using them any more.

    However, other uses of Java (e.g. for desktop apps) are no more insecure than any other programming language. Consider the trouble you can get into with C and C++, yet nobody claims those languages are “insecure”.

    (Dis)claimer: I use Java for Android programming, but only because I have to. I freely admit that it is a verbose and repetitive language. When normal people say that programming is a tedious and boring activity, they clearly have languages like Java and PHP in mind.

    Want a language that offers great power and flexibility and is fun to use? Try Python.

     

  3. ChurchHatesTucker (profile), Feb 4th, 2014 @ 1:18pm

    Say what?

    Such “shadow IT” systems “can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies,”

    Isn't the fact that they're "not subject to the same security measures that are applied to supported technologies" rather the point?

     

  4. Anonymous Coward, Feb 4th, 2014 @ 1:19pm

    No cloud sharing?

    I half expected to read that people were sharing internal documents via dropbox...

     

  5. Anonymous Coward, Feb 4th, 2014 @ 1:26pm

    Remember, folks, the NSA has all of our data. Leaves you wondering how many more breaches would be added to the list if they were to be audited, and how much personal info about all of us is out there.

     

  6. Rich, Feb 4th, 2014 @ 1:27pm

    Re:

    Python, sure, let's throw out everything we've learned in the past 60 yrs. about the ills of significant white space.

     

  7. weneedhelp (profile), Feb 4th, 2014 @ 1:29pm

    Wow

    One of the easiest things to do is enforce a strong password policy... and enforce a timeout period to force password changes. This is beyond inept.

     

  8. out_of_the_blue, Feb 4th, 2014 @ 1:33pm (this comment has been flagged by the community)

    But... "Data wants to be free!" -- Why worry about this?

    Geez, on the one hand you celebrate "hackers" who try to break in and "liberate" data, but when people help that, you complain!

    [You kids are welcome to censor this too, only shows why no one reasonable should post here. Seems to be a deal of resistance to the clear fact that every one of the tactics available to you has a drawback, but you keep on doing it! I name it "out_of_the_blue effect".]

    If you like yapping ankle-biters, you'll love Techdirt! (25 of 195)

    09:32:48[k-025-3]

     

  9. Geno0wl (profile), Feb 4th, 2014 @ 1:41pm

    How Secure are the Armed Forces?

    I worked for the Air Force for a while, and I never once saw anything remotely this bad at the base I worked at. They actually did a good job of security.
    We had card keys that MUST be plugged into the machine to work, and when you unplugged them the computers auto-locked. Not to mention to open basically any door you also needed said key card, so very very few computers were ever left unlocked.
    I just wonder how the Armed Forces fared for said IT audit.

     

  10. Anonymous Coward, Feb 4th, 2014 @ 1:44pm

    Such “shadow IT” systems “can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies,”

    I don't know about you, but if my IT dept were inept, I wouldn't want my hardware or software subject to the same standards they're using.

     

  11. sehlat (profile), Feb 4th, 2014 @ 1:47pm

    Matthew 7:3

    And why beholdest thou the mote that is in thy brother's eye,
    but considerest not the beam that is in thine own eye? (KJV)

    "Why do you look at the speck of sawdust in your brother's eye
    and pay no attention to the plank in your own eye? (NIV)

     

  12. Christopher Best (profile), Feb 4th, 2014 @ 2:12pm

    Re: Say what?

    Yes, it is the point, but the problem is that home-grown solutions are rarely better, and often worse, from a security standpoint than the IT department they're trying to work around.

    Honestly I've been on both sides of this argument... As an IT support person who's had to go in and take over a rogue operation after it self destructed spectacularly, and a "rogue operator" who had to deal with an IT department that grew up around our existing infrastructure and slowly tried to whittle away our autonomy. In both cases I felt my group was in the right, and I could spend hours telling you why, but I'm obviously a bit biased.

    Funnily enough, the second case was a Federal agency (the FAA), and I did think some particularly unkind things at our IT...

     

  13. Anonymous Coward, Feb 4th, 2014 @ 2:20pm

    Bypassing everyone else, these are the 'security agencies' that the MPAA, RIAA etc. use to track and prosecute alleged file sharers! Not only are they not doing the job they have been employed to do, they are doing the same things as those they accuse in order to prosecute! That's showing a real lack of bias, I don't think!!

     

  14. krolork (profile), Feb 4th, 2014 @ 2:32pm

    We need a revolution.

     

  15. any moose cow word, Feb 4th, 2014 @ 2:34pm

    Re: But... "Data wants to be free!" -- Why worry about this?

    Public data, things that are supposed to be open to the public, shouldn't be locked up in bureaucracy or behind paywalls. Private data, things that are not supposed to be open to the public, shouldn't be so weakly protected. It's simple enough for even you to understand, blue.

    And no one said that it should be easy to get private data, especially with all of the info the government insists on keeping on everyone.

    BTW blue, you keep getting reported for ranting and raving about things that are usually completely off topic, like google. BTW, I do NOT like them. Their search is not that great, still better than most, and their ad service is beyond intrusive, but any competent person can install an app to cull unwanted ads and scripts. I primarily use an ad/script blocker as a matter of security. Getting rid of the cruft is an added bonus.

     

  16. Christenson, Feb 4th, 2014 @ 2:35pm

    Re: Re: Say what?

    Yup! The average engineer I work with is incompetent to secure his machine and just not interested. However, we have this job to do, involving CUSTOMERs, and I promise you that IT can very much get in the way of that, especially with its delays and lax and often high-handed attitude, and, for some strange reason, my organisation doesn't ask for basic security measures like not running Internet Explorer.

    Effective IT security has to be very much a two-way street. IT has to be competent enough and responsive enough that users don't NEED to set up their own systems to get their work done. Otherwise, the two go their separate ways, and both of Mr Best's stories are, unfortunately, very predictable!

     

  17. any moose cow word, Feb 4th, 2014 @ 2:44pm

    Re: Re: Say what?

    The problem is balancing security and usability. Having been on both sides, it's usually the IT department's blind focus on security and/or budget with little regard to usability that creates the adversarial relationship. Then add public regulations written by clueless bureaucrats that constrict any form of common sense and make everyone miserable.

     

  18. Anonymous Coward, Feb 4th, 2014 @ 2:50pm

    As a former contractor that worked for the US Forest Service for 6 years, I could tell all kinds of tales.

    User passwords had to change every 90 days, had to contain x number of characters, etc., but any user could self-promote to admin on any machine to reduce the call load to the help desk.

    Users were instructed to not install unauthorized software, but I never saw anyone disciplined for doing so. About twice a year Firefox would be remotely uninstalled from my machine and the next day I would self-promote myself and reinstall it again.

    Their security basically boiled down to telling users what they should and shouldn't do without really enforcing any of it.

     

  19. DerekCurrie (profile), Feb 4th, 2014 @ 3:00pm

    Leaving the PWN Gates Open

    #MyStupidGovernment is infamous for allowing China to bot every federal computer exposed on the Internet from 1998 through 2007. That's 9 years of China blatantly owning government computers before the feds were willing to admit it in public. That is pure incompetence.

    I don't expect much better IT competence today. Instead, the federal response has been to go off the rails PWNing the PWNers as well as unconstitutionally surveilling US citizens on US soil without 'probable cause', therefore without a legal warrant. #MyStupidGovernment at work.

    How about a new revolution folks!

     

  20. ltlw0lf (profile), Feb 4th, 2014 @ 3:02pm

    They finally figured out what DEFCON and the other hacker conventions have known for a number of years?

    Hell, the Wall of Sheep is all they need to prove that the "good guys" aren't good at computer security. Most of the Wall of Sheep is folks trolling, but there is still an awful lot of unencrypted SMTP/POP3 traffic at any of those conferences going to .mil and .gov servers.

     

  21. DerekCurrie (profile), Feb 4th, 2014 @ 3:07pm

    Re: Java, the most dangerous software on the Internet

    @Lawrence D'Oliveiro:

    "The insecurities in Java stem from" Oracle degrading the quality of Java applet programming such that the original default sandboxing was DESTROYED. Don't expect Oracle to fix it. Obviously, they'd rather keep cleaning up after their puppy suffering PWN-The-User diarrhea.

    My advice: Just say 'NO' to the Java Internet plug-in. If any website dares require it, tell them to get rid of it. Java is the single most dangerous software you can run on the Internet.

    Oh and Oracle: I Hate You.

     

  22. Anonymous Coward, Feb 4th, 2014 @ 3:35pm

    That's because, when they talk about "cyber security", their "secret" interpretation is their ability to survey the shit out of you... and not the common sense, NORMAL person, self-defence aspect of "cyber security".

     

  23. Anonymous Coward, Feb 4th, 2014 @ 3:43pm

    That's why the government hires top-dollar security EXPERTS like HBGary Federal. ;)

     

  24. Anonymous Coward, Feb 4th, 2014 @ 5:07pm

    Re: Re: Java, the most dangerous software on the Internet

    So that's what happened. I was wondering what happened to Java that caused everyone to suddenly start talking about how insecure it is.

    Oracle happened. Makes perfect sense. The OpenOffice shenanigans weren't bad enough; they had to rip holes in Java's security. Super.
    Sign me up for the "I Hate Oracle" club.

     

  25. That Anonymous Coward (profile), Feb 4th, 2014 @ 5:50pm

    Billions of dollars and they are as inept as a grandmother working a computer.

     

  26. ChurchHatesTucker (profile), Feb 4th, 2014 @ 9:16pm

    Re: Re: Say what?

    the problem is that home-grown solutions are rarely better, and often worse, from a security standpoint than the IT department they're trying to work around.

    I used to collect the PC viruses that came over the wire to my department's Macs. IT's solution was to isolate the Macs as a potential vector for viruses.

    Typical Hammer thinking.

     

  27. Bergman (profile), Feb 5th, 2014 @ 2:22am

    Re: Re: Say what?

    Whether homegrown solutions are better or not tends to depend on how bad the official IT is and who is doing the growing.

    If the official IT guys are going around setting everybody's password to 'password' then almost any homegrown scheme will be superior -- even if it's just adding a number to the password against the IT department's orders.

     

  28. Anonymous Coward, Feb 5th, 2014 @ 5:29am

    Guess what will happen when someone really wants to attack the US.

     

  29. Pragmatic, Feb 5th, 2014 @ 5:34am

    Re: Matthew 7:3

    Methinks they've got a whole barn in there, Sehlat. No wonder they're inept!

     

  30. Ralph, Feb 5th, 2014 @ 7:01am

    Isn't it about time to stop demonizing personal email accounts? The NSA has already compromised every private email service and email encryption scheme - email addresses issued by employers are no more safe than Yahoo! mail these days.

     

  31. SOS, Feb 5th, 2014 @ 7:18am

    Re: How Secure are the Armed Forces?

    As a consultant for both the Navy and Army over the years, my experience has been the opposite. I had responsibility for maintaining many highly sensitive databases that were configured with default passwords for privileged accounts, on networks open to the web, listening on default ports.

    Usually, I could convince them to change default passwords. A few times I had to threaten to quit to get my point across. One facility absolutely refused and I did leave, but they didn't work with anything important, just aircraft carriers and fast attack submarines.

    Prior to Y2K, a facility I was working at was warned of a possible cyber-terrorism event. Their solution was to unplug everything. Literally. We worked for three days labeling every cable (power, network, SCSI, keyboards, monitors, mice) that went in and out of every machine in our facility. Then we powered them down and unplugged everything. EVERYTHING. At both ends.

    There was actually a procedure developed for how to place floor tiles in the server room so Naval Intelligence could verify machines were disconnected from their power supply.

    Because cyber terrorism apparently figured out a way to defeat the insulating properties of air gaps.

    We took everything down for multiple mission critical national defense systems that directly supported (hmm, best way to say this?) "capabilities" two days before Y2K, and left them that way for almost a week. We even disconnected the UPS. Because, terrorism.

    We still had to come in to work. No phones. No network. No building security because the card scanners were powered off, just Marines checking your ID at the doors that (no joke) had been taped open. No computers. The only things that had power were the lights and the coffee makers in the break rooms.

    When I pointed out that we were essentially doing, on our own, what the terrorists reportedly intended to do, I was told that this was "on our terms."

     

  32. SOS, Feb 5th, 2014 @ 7:34am

    NRC was a joke

    I worked at a nuclear plant and my experience with the NRC (and security at nuclear facilities in general) is consistent with the report.

    We had a team of developers that thought it would be funny to code a joke into one of their applications to mess with specific "troublesome" operators by generating random, meaningless error messages for those individuals and force them to restart the application.

     

  33. John Fenderson (profile), Feb 5th, 2014 @ 8:21am

    Re:

    About 2/3rds of my work nowadays is in Java, too. Java is easily the language I despise the most.

     

  34. Geno0wl (profile), Feb 5th, 2014 @ 8:40am

    After some more thinking, exactly how did these "rogue" IT groups ever exist?
    If you go to any of our network ports you can't just plug in a computer and have it connect to the network. You MUST be on the domain with all the right proxy settings and other items.

    The IT staff really must have been incompetent for the shadow IT groups to even have a capability to get off the ground.

     

  35. John Fenderson (profile), Feb 5th, 2014 @ 9:49am

    Re:

    Well, first, let's not exaggerate what the NSA has done. They have not "every private email service and email encryption scheme" by a longshot.

    Even if they had, there are still very, very good reasons that private email accounts should never be used for company (and especially government) business:

    1) Accountability. In many cases, particularly with the government, there is a requirement to keep emails archived for accountability purposes. Using a private account bypasses those systems and enables corrupt practices.

    2) Companies can harden email systems in ways that you'd never tolerate for your personal email. Good security always comes at the cost of convenience.

    3) Security that you are in control of is better than security you're relying on other parties to provide. Relying on Yahoo, Google, or whatever to make you secure is a compromise you might be willing to accept (see point #2), but it isn't something that a company should be willing to do.

    4) More limited attack surface. If you're using a major email provider, the attack surface is also much larger. A proper company email system can have a really small attack surface. Small attack surface means it's harder for an attacker to find a way to compromise the system.

    5) Liability. If you have sensitive company data sitting in emails in your personal account, and that account is compromised, the fault is yours and you can be held liable. If you keep it on company servers, you have no such exposure.

     

  36. John Fenderson (profile), Feb 5th, 2014 @ 9:50am

    Re: Re:

    "They have not "every private email service and email encryption scheme" by a longshot."

    The word "compromised" should be right after "not".

     

  37. fdavison (profile), Feb 6th, 2014 @ 11:11am

    RE: RE

    Those of us in the private sector spend mega-dollars and hours to implement FISMA if we want government grants. Why don't they have to follow their own regs? FISMA was written by NIST as mandatory practices for ALL government agencies.

    It's also a joke to hear Target talk about chips in credit cards as a security cure when employees use default passwords. Ask RSA if the biggest problems are hackers or users.

     

  38. Ellie (profile), Feb 7th, 2014 @ 7:45am

    Re: Say what Christopher Best?

    Hello CBimerrow formerly of IT support! I didn't know any other way to reply to you, about what I read on the TechDirt insider chat thingy. That's where y'all talk to each other and we get read access. You mentioned something that I noticed and winced at (just like you did, when you said, "it burns!") but no one talks about. Same as the reaction on TechDirt Insider chat; no one replied to you, re this
    hxxp://gizmodo.com/sochi-official-our-shower-surveillance-footage-says-ho-1517435247?utm_campaign=so cialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow
    I agree, it is unsightly! The UTM's are for Google, or other web analytics "campaign metrics". I strip them away whenever I post or send a URL. They look cheezy. Even if I'm using a URL shortener, I want that crud gone. I was curious why the person you were IM chatting with didn't post this instead,
    hxxp://gizmodo.com/sochi-official-our-shower-surveillance-footage-says-ho-1517435247
    Is it considered immoral or rude to excise the crud, because the URL creator can't surveil (track?) as well? That URL was so lengthy that it forced the sidebar chat widget to scroll out to 4 times width!

    For etiquette's sake, I'll return to the current topic. Why don't these comments have any respect for IT? IT departments are NOT always clueless bureaucrats who don't know how to set a password other than to "password". Someone else described how their IT department isolated Macs because of PC viruses (I didn't say that quite right, it's down below). Just maybe, the IT guys know something that the users don't know, about security. The user's job, in this case, is to be a developer. IT doesn't sit around all day doing nothing. Their job, among other things, is to be real-time up to date about viruses. Macs are not immune, regardless of OS used. Even computers running Linux can be vulnerable.

    As for getting in the way of business and customers, I learned the hard way that IT needs to be consulted. I worked on a project using PHI (protected health information). At the beginning, before we bid on the contract, one of our IT guys warned us that there would be problems with using VoIP as part of the deliverable, that HIPAA didn't allow it, in that context. Client said it would be okay, but didn't check with their own IT guy, nor anyone else. So we did months of work and sure enough, our IT guy was right. We should have spent some time to see if he were correct, before proceeding further. We were still paid, nothing terrible happened. Client had to spend more though, for us to do (lots of tedious) changes.

    IT security can be a huge pain to deal with, like a law enforcement bureaucracy in your midst, e.g. a visit from Tyler in Data Security was much worse than having the Assistant District Attorney stop by to "ask you a few questions"! It is management's job to rein in overzealous IT, or replace any who are incompetent.

     

  39. Ellie (profile), Feb 7th, 2014 @ 8:44am

    SEC OMG!

    Thank you, thank you, thank you, TechDirt and Mike Masnick for sharing this with us! And thank you for so kindly posting the full text of the document.

    I knew about the NRC having no reporting procedure to track breaches pertaining to accidental release of sensitive information, because I noticed an entry in the Federal Register (or somewhere similar) saying that they needed to draft and instate one, in October or November last year. I wasn't aware of the pervasive carelessness in so many other U.S. government departments though.

    The SEC is my primary interest. Lax security increases exchange infrastructure vulnerability. There is another concern, namely, the always-tempting opportunity to exploit and profit from unauthorized access to material non-public information.

     
