Slashdot Mirror


Report: Federal Workers, Contractors Behind Half of Government Cyber Breaches

schwit1 writes Federal employees and contractors are unwittingly undermining a $10 billion-per-year effort to protect sensitive government data from cyberattacks, according to a published report. The AP says that workers in more than a dozen agencies, from the Defense and Education departments to the National Weather Service, are responsible for at least half of the federal cyberincidents reported each year since 2010, according to an analysis of records.

4 of 61 comments

  1. It's a problem, but not just the feds: by Radical Moderate · Score: 3, Insightful

    From TFA: "Since 2006, there have been more than 87 million sensitive or private records exposed by breaches of federal networks, ..... By comparison, retail businesses lost 255 million records during that time, financial and insurance services lost 212 million and educational institutions lost 13 million."

    My bank is constantly sending out new credit cards because businesses (hey there Home Depot!) won't implement basic security measures to prevent data theft. Data security is a serious issue that needs to be addressed, but "Blame the incompetent gubmint!!!" isn't where we should start.

    --
    Never let a lack of data get in the way of a good rant.
  2. If education could have worked ... by khasim · Score: 3, Insightful

    If education could have worked, it would have worked by now.

    So much for AI in doing anything useful in protecting systems, and it's not the overall workforce that needs educating ... it's the fucking gate keepers -- IT and software/hardware manufacturers.

    The problem is that even if the IT people are competent they have to be MORE competent than everyone who can attack them. Why does everything have to be connected to the Internet?

    And they have to be that competent with the software/hardware that they're using. How many times has the purchasing decision been made before you've even been aware of the issue?

    Which leads to the issues that the software/hardware vendors have within their own companies. Ship today and we'll patch tomorrow. Got to get to market before the competition.

    And that isn't considering the problems that "management" at the company you work for keeps introducing. I cannot tell you how many times some executive simply had to have admin access on his laptop which resulted in massive infections being brought onto the network.

    Security is easy --- in theory.
    But it depends upon hundreds or thousands of decisions being made correctly. By people who have no incentive to protect the security of the systems you support.

  3. CyberThis, CyberThat, CyberCommand by Cid Highwind · Score: 5, Insightful

    Dear US military and federal contracting wanker-sphere,
    I know you were 30 years late discovering this whole internet thing, so imagery and phrases from 1980s cyberpunk still sound super-duper-cutting-edge to you, but can you please stop using "cyber" as a catch-all for everything connected to computers? Thanks.

    PS: When you leave a laptop full of citizens' private information on the bus, and a million people's social security numbers turn up on pastebin the next day, that's called "negligence", not "a cyberattack".

    --
    0 1 - just my two bits
  4. Which is why corporate security is a joke. by gestalt_n_pepper · Score: 4, Insightful

    All of it can be overcome by a janitor with a USB drive with penetration software.

    Security culture is worse. Elaborate passwords. Two or three factor identification. Putting the security burden on the user in general. All you do is:

    1) Inconvenience users and make productivity next to impossible.

    2) Create an entire culture of employees who must, in order to get any work done, know how to hack their way into corporate systems from outside (I know of two ways. My IT guy knows about 6 entirely different ways), and frequently, inside.

    The problem is that security guys get bonuses for reducing intrusions (as they count them). Everyone else gets bonuses for getting their work done and being productive, which frequently isn't something that ever gets on a spreadsheet.

    And upper management, as usual, is too stupid, distracted with power politics and just plain pig-ignorant to understand this.

    --
    Please do not read this sig. Thank you.