Reply From: "Robert G. Ferrell" <rootat_private>

> (Federal Computer Week) [5.3.99] NASA's inspector general told a Senate
> subcommittee last week that parts of the agency are failing when it comes
> to fending off and reporting hacker attacks, leaving the agency vulnerable
> to people who would steal or alter sensitive data.
>
> But she said broader problems, such as failures by NASA centers to report
> cyberattacks, remain an obstacle to better oversight of information
> security. Moreover, she said an internal NASA organization -- NASA's
> Automated Systems Incident Response Capability -- must improve its
> performance. "That [organization] has not been performing adequately," she
> said. Gross added that her office next month will issue a report on
> NASIRC's performance.

One of the reasons for NASA's poor performance is a hamstringing policy that affects not only NASA but the entire federal government. The bulk of computer security investigations in the Executive Branch occur under the auspices of the Inspector General of the respective Department. Many if not most of these positions are considered Federal Law Enforcement positions, and so the federal law that prohibits entry into these positions by anyone who has reached their 37th birthday applies. This rule basically is in place to ensure that all such employees meet the minimum time-in requirements for retirement by the mandatory retirement age for federal law enforcement, which is 57.

This restriction, while understandable and probably not inappropriate for conventional law enforcement agents, utterly fails to meet the needs for computer security investigators for two reasons.

1) Oftentimes it takes 10, 15, or even 20 years of experience to make really good investigators who recognize all the tricks and who are sufficiently good hackers themselves to be able to play the game on the cracker's "home turf." By declaring any person over 37 automatically ineligible, the federal government categorically excludes a large percentage of the most desirable investigators, most of whom have gotten their skills not at the expense of the taxpayer and in widely diverse environments, rather than under the constant tutelage of the government for their entire careers (and as we've seen, the government doesn't have a sterling track record for training computer security personnel).

2) The retirement law seems to assume that the only federal position an employee will be able to hold during his/her career is law enforcement, and that all such employees must retire under the special law enforcement retirement plan, rather than the regular Federal Employee Retirement System (FERS). Again, this logic fails when considering computer security investigators because the skills required as prerequisites for senior-level performance as a CSI would in almost all cases qualify the person at the very minimum for GS-0334 (Computer Specialist).

I've pointed this out to the Office of Personnel Management and to NASA itself in the past, but no one seems to be really listening. I proposed, for example, that a person could put in however many years he/she had left before mandatory retirement age and then serve out the rest of their requirement in a non-law enforcement capacity (such as Computer Specialist). The penalty would be that he/she would only be eligible for the standard FERS package upon retirement.

It seems ironic to me that the organization which most desperately needs the help of more senior, more experienced investigators is the only one which as a matter of policy excludes them. I'm sure the cracker community is pleased, however.

Robert G. Ferrell
Internet Technologist
National Business Center, US DoI
rferrellat_private