A Hasty FCC Security Effort Leaves Back Door Ajar

Haste makes waste, goes the familiar proverb. And the experience of the Federal Communications Commission (FCC) in 2011-2012 bears out this wisdom all too well. Faced with security gaps in its computer systems, the FCC launched a rush effort to plug the security holes.

But the rush – and rushed – security patch-up at the FCC failed to provide much security. In the end, "back door" security gaps remained. System password implementations were weak, and security tools were left improperly configured. The lesson: When it comes to security, doing it hastily can be worse than useless. You need to do it right.

The FCC security enhancement fiasco began in August of 2011, when the agency discovered that it had been hacked. Agency IT staff and contractors investigated, and found that an unspecified number of agency PCs had been infected with "back door" malware.

In response, the agency launched a $10 million project, called Enhanced Secured Network (ESN), to clean out the malware and protect against further attacks. A top-dollar consulting team staffed with former Gartner research analysts was brought onto the job. But when a Government Accountability Office (GAO) audit of the ESN security project was released in early 2013, the audit revealed that very little security was provided.

Indeed, as Sean Gallagher reports at Ars Technica, the GAO report exposed such severe security deficiencies that release of the findings was restricted. (This is not just bureaucrats protecting themselves – the full findings in the report would provide a road map for hackers.)

According to the released version of the GAO report, the fixes that the ESN project developed were not fully or properly implemented. Software was misconfigured, leaving the selected malware protections not set up. Passwords for access to network monitoring systems were "not strongly encrypted."

As the released GAO report concludes, "as a result of these and other deficiencies, FCC faces an unnecessary risk that individuals could gain unauthorized access to its sensitive systems and information." Needless to say, much of the security work will need to be redone, meaning further expense (and time).

Meanwhile, individuals and firms that deal with the FCC are left with their own security concerns. For example, the FCC was proposing a rule that individuals involved with broadcasting stations should provide their Social Security numbers to the FCC – triggering some tart public comments by a communications industry lawyer.

In its defense, the FCC argues that it was working under severe time pressure. But that was exactly the problem. The agency, alarmed by the newly discovered security breaches, rushed to implement the ESN security project without taking time to design it carefully or to supervise its implementation effectively.

For any organization, discovery of cyber-security breaches is likely to trigger a panic response – which is all too likely to be costly and ineffective. The way to avoid panic is to take security measures before a crisis develops.