Re: [ISN] NASA centers fail to report cyberattacks

From: cult hero (jerichodimensional.com)
Date: Tue May 11 1999 - 21:56:02 CDT


Reply From: "Robert G. Ferrell" <rootrgfsparc.cr.usgs.gov>

> (Federal Computer Week) [5.3.99] NASA's inspector general told a Senate
> subcommittee last week that parts of the agency are failing when it comes
> to fending off and reporting hacker attacks, leaving the agency vulnerable
> to people who would steal or alter sensitive data.
>
> But she said broader problems, such as failures by NASA centers to report
> cyberattacks, remain an obstacle to better oversight of information
> security. Moreover, she said an internal NASA organization -- NASA's
> Automated Systems Incident Response Capability -- must improve its
> performance. "That [organization] has not been performing adequately," she
> said. Gross added that her office next month will issue a report on
> NASIRC's performance.

One of the reasons for NASA's poor performance is a hamstringing policy
that affects not only NASA but the entire federal government. The bulk of
computer security investigations in the Executive Branch occur under the
auspices of the Inspector General of the respective Department. Many if
not most of these positions are considered Federal Law Enforcement
positions, and so the federal law that prohibits entry into these
positions by anyone who has reached their 37th birthday applies. This
rule basically is in place to ensure that all such employees meet the
minimum time-in requirements for retirement by the mandatory retirement
age for federal law enforcement, which is 57.

This restriction, while understandable and probably not inappropriate for
conventional law enforcement agents, utterly fails to meet the needs for
computer security investigators for two reasons.

1) Oftentimes it takes 10, 15, or even 20 years of experience to make
really good investigators who recognize all the tricks and who are
sufficiently good hackers themselves to be able to play the game on the
cracker's "home turf." By declaring any person over 37 automatically
ineligible, the federal government categorically excludes a large
percentage of the most desirable investigators, most of whom have gotten
their skills not at the expense of the taxpayer and in widely diverse
environments, rather than under the constant tutelage of the government
for their entire careers (and as we've seen, the government doesn't have
a sterling track record for training computer security personnel).

2) The retirement law seems to assume that the only federal position an
employee will be able to hold during his/her career is law enforcement,
and that all such employees must retire under the special law enforcement
retirement plan, rather than the regular Federal Employee Retirement
System (FERS). Again, this logic fails when considering computer security
investigators because the skills required as prerequisites for
senior-level performance as a CSI would in almost all cases qualify the
person at the very minimum for GS-0334 (Computer Specialist).

I've pointed this out to the Office of Personnel Management and to NASA
itself in the past, but no one seems to be really listening. I proposed,
for example, that a person could put in however many years he/she had left
before mandatory retirement age and then serve out the rest of their
requirement in a non-law enforcement capacity (such as Computer
Specialist). The penalty would be that he/she would only be eligible for
the standard FERS package upon retirement.

It seems ironic to me that the organization which most desperately needs
the help of more senior, more experienced investigators is the only one
which as a matter of policy excludes them. I'm sure the cracker community
is pleased, however.

Robert G. Ferrell
Internet Technologist
National Business Center, US DoI
rferrellusgs.gov
