Re: [ISN] NASA centers fail to report cyberattacks

From: cult hero (jerichoat_private)
Date: Tue May 11 1999 - 19:56:02 PDT

    Reply From: "Robert G. Ferrell" <rootat_private>
    
    > (Federal Computer Week) [5.3.99] NASA's inspector general told a Senate
    > subcommittee last week that parts of the agency are failing when it comes
    > to fending off and reporting hacker attacks, leaving the agency vulnerable
    > to people who would steal or alter sensitive data. 
    > 
    > But she said broader problems, such as failures by NASA centers to report
    > cyberattacks, remain an obstacle to better oversight of information
    > security. Moreover, she said an internal NASA organization -- NASA's
    > Automated Systems Incident Response Capability -- must improve its
    > performance. "That [organization] has not been performing adequately," she
    > said. Gross added that her office next month will issue a report on
    > NASIRC's performance.
    
    One of the reasons for NASA's poor performance is a hamstringing policy
    that affects not only NASA but the entire federal government.  The bulk of
    computer security investigations in the Executive Branch occur under the
    auspices of the Inspector General of the respective Department.  Many if
    not most of these positions are considered Federal Law Enforcement
    positions, and so the federal law that prohibits entry into these
    positions by anyone who has reached their 37th birthday applies.  This
    rule basically is in place to ensure that all such employees meet the
    minimum time-in requirements for retirement by the mandatory retirement
    age for federal law enforcement, which is 57. 
    
    This restriction, while understandable and probably not inappropriate for
    conventional law enforcement agents, utterly fails to meet the needs for
    computer security investigators for two reasons. 
    
    1) Oftentimes it takes 10, 15, or even 20 years of experience to make
    really good investigators who recognize all the tricks and who are
    sufficiently good hackers themselves to be able to play the game on the
    cracker's "home turf."  By declaring any person over 37 automatically
    ineligible, the federal government categorically excludes a large
    percentage of the most desirable investigators, most of whom have gotten
    their skills not at the expense of the taxpayer and in widely diverse
    environments, rather than under the constant tutelage of the government
    for their entire careers (and as we've seen, the government doesn't have
    a sterling track record for training computer security personnel). 
    
    2) The retirement law seems to assume that the only federal position an
    employee will be able to hold during his/her career is law enforcement,
    and that all such employees must retire under the special law enforcement
    retirement plan, rather than the regular Federal Employee Retirement
    System (FERS).  Again, this logic fails when considering computer security
    investigators because the skills required as prerequisites for
    senior-level performance as a CSI would in almost all cases qualify the
    person at the very minimum for GS-0334 (Computer Specialist). 
    
    I've pointed this out to the Office of Personnel Management and to NASA
    itself in the past, but no one seems to be really listening.  I proposed,
    for example, that a person could put in however many years he/she had left
    before mandatory retirement age and then serve out the rest of their
    requirement in a non-law enforcement capacity (such as Computer
    Specialist).  The penalty would be that he/she would only be eligible for
    the standard FERS package upon retirement.
    
    It seems ironic to me that the organization which most desperately needs
    the help of more senior, more experienced investigators is the only one
    which as a matter of policy excludes them.  I'm sure the cracker community
    is pleased, however. 
    
    Robert G. Ferrell
    Internet Technologist
    National Business Center, US DoI
    rferrellat_private
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:23:20 PDT