First of all, how is it that a highly sensitive system such as US-VISIT is even tied to the internet? The ideal, most paranoid solution is to use a separate network to tie everything together. Considering all the dark fiber that still exists after the dot-com crash, the feds should have pulled together a government network on which they could have placed US-VISIT and any other critical system. If they needed access to the rest of the next, they could have either provided gateways between the government net and the rest of the world, or else put a second dirty system next to the clean ones for email and surfing the web. I've worked enough time on government contracts to know that if the computer information is sensitive or higher then the computers go on a separate net with highly restricted access to the outside world.
Second is the choice of operating systems. It wasn't just Windows, it was Windows 2000. This was how the worm was able to effect US-VISIT. Zotob targets the flaw that was found in Windows 2000's plug-and-play 'feature'. Having the government use Win2K is not all the unbelievable. I'm on a program right now where the PC sitting on my desk is still running Win2K, and they're just now getting around to upgrading to WinXP (yes, right before the delayed launch of Vista). And I did work for a company that refused to roll out service pack 2 for Windows XP because it interfered with certain corporate applications. But in both cases the IT group maintained and deployed critical fixes. This particular government screwup was amplified because the Zotob patch wasn't applied to systems until a week after it had been released by Microsoft.
Operating somewhat more slowly, it took CBP officials until Aug. 16 -- a full week after Microsoft released a patch for the hole -- to start pushing the fix to CBP's Windows 2000 computers. But because of the array of peripherals hanging off of the US-VISIT workstations -- fingerprint readers, digital cameras and passport scanners -- they held off longer on fixing those machines, for fear that the patch itself might cause a disruption.The biggest question I have is whether or not the US-VISIT systems were sitting behind a firewall. I remember August 2005, and I remember the Zotob worm. I also recall that none of the major contractors in the Orlando area with which I was familiar had a problem. Why? Because the people running IT in their various shops maintain an iron grip on the various corporate nets with firewalls, anti-virus software, and corporate policies and procedures that prevent this from happening. If something does get through the corporate net, then the vector is a notebook (from someone in management) that was connected directly to the internet, became infected, and then was allowed to be reconnected to the controlled network after the infection. Even then it's rapidly quashed.
Yes, you can blame part of this on Windows' security problems. But the greatest share of blame is rightfully heaped on the government IT group that failed to properly design and maintain an iron-clad network for US-VISIT. On the internet, only the paranoid survive.