Seattle Newspaper Goes After Boeing For Cybersecurity FlawsBy Deborah Gage | Posted Thursday, July 26, 2007 19:07 PM
The newspaper said last week that Boeing has spent millions of dollars bringing in consultants to test its financial systems for fraud--in part because of its "inability to patch database and software development security holes," which were found to be a "significant deficiency" for three years in a row.
The P-I's reporters say they spent six months investigating Boeing and looked at 5,000 internal documents. They don't question that Boeing complies with Sarbox, short for the last names of Sen. Paul Sarbanes and Rep. Michael Oxley, who sponsored the law in 2002 to try to prevent more Enron-style frauds.
But the reporters have produced a fascinating look at the pain of trying to comply--the conflict between Boeing's business and IT staffs, the bickering among the consultants, the fight for resources between Boeing's junior and senior staff.
Equally fascinating are the comments from readers, which turn into a debate about whether the reporters really understand Sarbox and whether Boeing really has a problem complying.
Boeing's denials aside (their answers to reporters' questions are posted here and here), I bet the story is a pretty typical look at what goes in inside large organizations. If you doubt that, take a look at this 154-page report on the Department of Homeland Security, published in June. The DHS has problems complying with FISMA, the Federal Information Security Management Act, which is Sarbox for the federal government.
"During the 2006 IT testing, we identified over 200 separate findings, covering each DHS component," the report says. "DHS closed approximately 44% of our prior year IT findings; however, we identified over 150 new IT findings through our test work this year. A significant number of findings were repeated in fiscal year 2006."
The DHS doesn't need to have two reporters going through its business for six months. As a federal agency, its dirty laundry is hung out routinely by its Inspector General, whose job is to ensure the agency's integrity and efficiency.
Boeing should consider itself lucky.