Thursday, March 16, 2006

Depressing: DHS Gets Another F in Computer Security

"...Paller argues that the yearly FISMA grades force agencies to apply scarce funding and employee time toward the wrong priorities.

'It turns out that the vast bulk of the federal information security money is spent on documenting these systems, not on securing or testing them against attacks,' Paller said. 'Most [agencies] are spending so much on the paperwork exercises that they don't have a lot of money left over to fix the problems they've identified.'"

Beyond the fact that data is at risk, the documentation process is just depressing, although not surprising at all. This is a phenomenon that repeats itself throughout government in areas far beyond security. Just think about what kind of people you need to hire to prepare all of this documentation versus the kind of people that you need to hire to actually create and operate reasonably secure systems.

Think about the same approach that is now being applied to things like Enterprise Architecture, where whole staffs create OMB-300 documents and defend next year's budget with paperwork, so that three poor coders in a basement somewhere can try to hack out some code in between the mountain of documentation they have to be compliant with and the bureaucrats they have to appease, having never met the even poorer users who are working on mainframe apps disguised in web browsers.