Slashdot Mirror


Contractors Pose Cyber Risk To Government Agencies (betanews.com)

Ian Barker, writing for BetaNews: While US government agencies are continuing to improve their security performance over time, the contractors they employ are failing to meet the same standards according to a new report. The study by security rankings specialist BitSight sampled over 1,200 federal contractors and finds that the security rating for federal agencies was 15 or more points higher than the mean of any contractor sector. It finds more than eight percent of healthcare and wellness contractors have disclosed a data breach since January 2016. Aerospace and defense firms have the next highest breach disclosure rate at 5.6 percent. While government has made a concerted effort to fight botnets in recent months, botnet infections are still prevalent among the government contractor base, particularly for healthcare and manufacturing contractors. The study also shows many contractors are not following best practices for network encryption and email security.

24 of 78 comments

  1. The OPM data breaches wins though by OffTheLip · · Score: 2

    The Feds Office of Personnel Management 2015 data breach wins (or loses) hands down. Not only an employee's personal info but family members and others included in "security" background checks. So, yeah, about those negligent contractors...

    1. Re:The OPM data breaches wins though by PPH · · Score: 1

      Yeah. Things were a lot better before the OPM got into the security clearance business. Who would have thought that the issues with and threats against defense, healthcare, law enforcement and other employees and contractors would differ?

      --
      Have gnu, will travel.
    2. Re:The OPM data breaches wins though by AHuxley · · Score: 1

      The CIA knew to hold its data sets back :)

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:The OPM data breaches wins though by rtb61 · · Score: 1

      Now let's guess who created that system, perhaps contractors. How many failed contractor projects have there been, not just in data management but in every single facet of the function of government? Why contractors? Because that is the one and only way to achieve high-level theft (billions, even trillions stolen) in government projects, even to the insane level of no-bid contracts, just charge what you like.

      So perhaps you are right, not negligent contracts but criminally fucking corrupt contractors, of which there are a whole slew, crippling the function of the US government. Why has the US government routinely failed in regime change operations? Because most of the funding to set up the new government is stolen by corrupt contractors and their partners in crime in that new government. The regime change fails at its core because a lot of the funding is stolen and rather than getting the most effective people they get the cheapest, worst criminals (so that middle men, the corporate contractors, can keep most of the money they pretend to pay out).

      Most major US government contractors should be thrown in prison and have all their assets confiscated, especially the offshore bank haven assets, even if it requires a government military insertion to access those records (they are killing people in the US through the depletion of government services essential to the life, health and welfare of all US citizens, and I am saying this as an Australian: why the fuck are you not concerned, assuming of course that you are not a Russian agent seeking to destroy the US with the greed of US contractors, which is actually happening).

      --
      Chaos - everything, everywhere, everywhen
  2. Perhaps benefit-dodging isn't worth it. by edgedmurasame · · Score: 1

    In light of trying to dodge obligations and shortchanging the people doing the work, perhaps they might want to actually hire directly or have contract firms provide better conditions/terms.

    --
    "Forget the engineers." -Carly Fiorina, briber of MIT Technology Review.
    1. Re:Perhaps benefit-dodging isn't worth it. by nehumanuscrede · · Score: 1

      I guess it's time for companies / government to make a choice:

      Cost vs Security.

      Real security is expensive and not something you can cut corners on if you're serious about it.

  3. Re:H1B shitty smelly hindu-chimps by CaptainDork · · Score: 1

    Manning, Snowden, and Winters were not H1B.

    --
    It little behooves the best of us to comment on the rest of us.
  4. Simple solution by Gravis+Zero · · Score: 2, Interesting

    Just tie the security clearances of the company's executives to the company's security. If the company's security is compromised, the executives lose their security clearances, leaving the corporation with two options: replace all the executives or forfeit its government contracts.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Simple solution by AHuxley · · Score: 1

      Then they lose the tools of their trade.
      The gov cannot take the tools of their trade away from the contractors.
      The person gets to walk away with their security clearance and start up a new company.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Simple solution by Gravis+Zero · · Score: 1

      Then they lose the tools of their trade.

      Executives are replaceable. They would be quickly replaced and company would move on without them.

      The gov cannot take the tools of their trade away from the contractors.

      The person gets to walk away with their security clearance and start up a new company.

      Why should an executive that failed to ensure security be allowed to keep their security clearance? The fish rots from the head down.

      --
      Anons need not reply. Questions end with a question mark.
  5. Re:Cisco, Intel and Microsoft backdoors by ShanghaiBill · · Score: 2

    Stop forcing them to install backdoors and you solve half of all internet security problems.

    Can you cite even a single breach that was enabled by a government mandated backdoor?

  6. Abolish clearance by Mark+of+THE+CITY · · Score: 1

    AIA, a trade group, said 700,000 jobs were in the clearance process. This hurts national security, not helping. Robert Oppenheimer losing his clearance was obviously politically motivated. Junk it.

    --
    The clearance system sounds logical. It is not. It is completely arbitrary. -- John Bolton
  7. Re:Contractors? The govvies are incompetent by gweihir · · Score: 1, Troll

    And that is exactly the problem. The "proper" employees are not a risk, because they cannot even get the work done. The second problem is that the process to get a clearance is based on a completely broken perception of the world. You cannot evaluate whether somebody has honor, loyalty and integrity, and their history, friends, family, etc. do not indicate so either. At the same time, even somebody deeply loyal may suddenly find they are more loyal to their species than to some scummy government agency trying to screw everybody over.

    The only way to prevent loyalty problems with contractors is to a) pay them well, b) treat them well and c) not do evil crap that they may rightfully object to. Of course, all three are beyond what a dysfunctional government agency can do, so leaks (and sabotage) will continue to happen.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  8. Re:Contractors? The govvies are incompetent by HiThere · · Score: 1

    It would also help to require that they not have been proven to have been doing unethical work during the past, say, five years. (I didn't say illegal, I said unethical. Unfortunately, that makes the term "proven" a bit difficult to define. Also the term unethical. So you'd need to set down certain minimum requirements that would substitute.)

    --
    I think we've pushed this "anyone can grow up to be president" thing too far.
  9. Re:H1B shitty smelly hindu-chimps by CaptainDork · · Score: 1

    Point?

    --
    It little behooves the best of us to comment on the rest of us.
  10. Re:Contractors are made necessary by jezwel · · Score: 1

    The reason the gov relies on contractors so much is that its self-imposed bureaucracy inhibits adding manpower any other way. To add a military member or federal civilian into the manpower pool can require years' worth of paperwork, whereas contracting can be done in weeks or months. On the flip side, to remove a federal civilian takes an act of God if they have tenure, but a contractor can be removed near instantly. In general, most of the problems the government faces are due to its own self-imposed red tape and backroom deals done by entrenched officials that face no such hurdles.

    The reason behind this is that public servants are meant to be able to provide honest advice to the mucky mucks upstairs - ministers, lords, congress, whatever works for your country - without the fear of being fired for providing that advice.
    Without the bureaucracy requiring performance management, 3 strikes, whatever it is you have - if you don't have it, you end up with Yes People following whatever direction is presented without question.

    Now, whether it works in practice...it does, up to a certain level. Then you see the boards being stacked with Yes People (as at this level everyone is on a contract, not a public servant), and realise it doesn't really matter :/

  11. Re:Cisco, Intel and Microsoft backdoors by AHuxley · · Score: 1

    Re "government mandated backdoor?"
    SISMI-Telecom scandal https://en.wikipedia.org/wiki/...
    Greek wiretapping case 2004–05 https://en.wikipedia.org/wiki/...–05

    --
    Domestic spying is now "Benign Information Gathering"
  12. Re:Contractors? The govvies are incompetent by AHuxley · · Score: 1

    The idea is to walk the person's history. Their teachers, college, friends, family, extended family. Who they grew up with. What they read. Their politics, faith, role in a wider community. Bank account, cost of rent, home loan, other spending, hobbies, a criminal deviant lifestyle.
    The experts at the FBI have some idea if a person is going to go full split loyalty at work and support another nation, cult, faith, political system over the USA.
    Can a person be open to blackmail? Need to seek funds from another nation to cover their hobby, addiction, need for luxury beyond their gov/mil wage?
    Was the person political at university? Spend time with friends who are all criminals? Know lots of journalists who write about whistleblowing? Know a lot of activist human rights lawyers? Show an interest in faiths and cults that are incompatible with US mil/gov security?
    Spend time being an activist online?
    Most of that can be discovered when looking to work for the US gov/mil with a few interviews and by looking back over a person's education, their friends, their spending patterns, internet usage, family and teachers.
    The US gov kept all real time use of early social media and web sites, later social media.
    Every face, party picture, holiday, political slogan, direct support for the actions of a faith and cult.
    The security service do not have a "completely broken perception of the world". They know exactly who they want and who can keep all secrets for decades.
    Contractors break that security the US once had in place by demanding to bring over their now staff who "once" had a clearance, who just need a clearance "updated". Failed staff keep getting gov/mil work by using their contractor as cover.
    All kinds of people can then get let in, who never faced better security investigations.
    The ability of a contractor to demand they get to bid on work with their self cleared workforce is the problem.
    The party political demands that the US gov and mil start to accept criminals and other very bad people of faith due to political correctness.

    --
    Domestic spying is now "Benign Information Gathering"
  13. Re:Contractors are made necessary by AHuxley · · Score: 1

    The US interest in contractors goes back for generations.
    They work on a task and can change a task on demand.
    The gov thinks it's getting the world's best new tech due to "competition".
    Gets the best price to a lot of "competition".
    That the gov workers won't fall under the spell of a union and walk out on a mil production line during a secret mission that takes years.
    That some of the private sector are ahead of all tech as understood by gov, educators and most other contractors.
    That the gov and mil will go conservative with systems and new tech, wanting gov systems they understand over new private sector tech that's perfect for an unexpected mission.
    The main reason in the USA is the home state of the contractor. That the contractor always remembers who supported that bid "politically" and who has a re election to support.
    That the private sector is loyal to the USA, that gov workers are loyal to the politics of a charming union leader.

    --
    Domestic spying is now "Benign Information Gathering"
  14. Re:Contractors? The govvies are incompetent by gweihir · · Score: 1

    Complete bullshit. The idea is to intimidate the candidates and identify those openly not intimidated. These then fail. With all others, they hope they stay intimidated.

    You are just regurgitating propaganda. Look at what screenings high-level defectors and leakers went through to get an idea about how well that screening actually works.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Re:Contractors? The govvies are incompetent by gweihir · · Score: 1

    Since they apply for classified government work, "unethical" is pretty much part of the job description.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  16. Re:Contractors? The govvies are incompetent by l0n3s0m3phr34k · · Score: 1

    And yet nothing you listed has anything to do with the issues listed in the summary: "botnet infections", "network security", and "email security". The current problems have very little to do with your list, unless you're claiming that very "unethical contractors" are the ones running the botnets and purposely compromising network security.

    The absolutely most loyal network admin will have a difficult time stopping end users from clicking on phishing emails. Stupidity doesn't stop because of "patriotism".

    The REAL problem is the contractors are not forced to follow already existing security publications. My current position deals directly with this; I'm working on finishing up NIST 800-171 compliance for a DoD contractor. My ability to hit the various requirements, implement the STIGs, has ZERO to do with my extended family, faith, or feelings on human rights. The correct "separation of powers" in our IT means that even if I wanted to somehow compromise our network, other people working there would notice pretty quickly. I may implement a GPO, but my boss gets a report on what GPOs have been modified and by whom, for example. I'm not the only person running STIG audits, I'm not the only person at our company doing "security related stuff".

    What REALLY needs to happen is the feds need to step up on their compliance audits; first going over EVERY department on a 800-171 or 800-53 (for the actual DoD) level...and work their way out down the contractor tree. IMHO, our "election system" should be at least 171 compliant but "STATES RIGHTS!" get in the way.

  17. Re:Contractors? The govvies are incompetent by gweihir · · Score: 1

    And fail. (Not your fault, it is easy to fall for this.) Compliance does not create security. In actual reality, it _decreases_ it, because it reduces mental capabilities available to understanding.

    The only thing that creates security in people that must have "access" is understanding of what they do. Hence a) make sure all people with access to sensitive data really have a clue how things work and b) make sure they have personal integrity. No, a regular "screening" will not accomplish this. Also c) don't do evil things that will rub people with personal integrity the wrong way. Especially c) is often infeasible for government agencies, because they often are evil by design, not only by policy. Item a) makes people expensive and item b) very often makes them not want to work for the government in the first place.

    So, no, I do not think this can be fixed. Just the same as "laws" do not fix "crime". In many cases they create it and without good reason.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  18. Re:Contractors? The govvies are incompetent by l0n3s0m3phr34k · · Score: 1

    Well, this article isn't about working "for the government" really; most contractors (especially the mentioned health care and aerospace) have multiple clients. My workplace has a 30% DoD involvement level. We don't deal in CUI (Controlled Unclassified Information), but Transactional Information. Both of these are several steps below anything like what Snowden revealed. That's why we fall under 800-171 instead of 800-53.

    I'm assuming you're not intimately familiar with these NIST publications, the related STIGs, and so forth. I can guarantee the contractors who have had breaches did not implement items such as "Microsoft Windows 10 STIG - Ver 1, Rel 12", "Database SRG - Ver 2, Rel 8", etc. The Win10 STIG itself has almost 300 very precise requirements; to the point of "if Registry Key XYZ is not found this is a finding".

    Compliance with these does create one part of the security model. There is no real way of testing for "personal integrity" outside of a clinical setting; intelligent people with no "personal integrity" can fake it for a long time even hiding it from close friends and family. Low-order sociopaths are quite common in the business world, especially as one moves up the management ladder. They would claim to have "personal integrity"...BUT their definition would be more along the lines of "keeping my person ahead of everyone else and my social standing integrity intact".

    Compliance to the publications like 800-171 and 800-53 _increases_ "mental capabilities available to understanding" because to implement them properly you have to have a deep holistic understanding of various underlying technologies, people's psychological reactions (to make effective training), foreign relations (to know which APT are out there and just what vector they might be using), etc.

    Case in point, stopping "email phishing" requires both a technical AND a personnel approach. You need to implement various safeguards to stop the bulk of the attacks, AND need proper training for end-users to correctly deal with anything that gets past those safeguards. Neither one by itself will be effective due to the constantly evolving nature of threats. Technologies like Mimecast can stop 90%-95% of attacks getting through, properly configured GPOs can help stop other issues that slip past that; but attackers will craft some way that will eventually slip past. That's the whole reason for "risk management"; you have to accept that something bad will eventually happen and have procedures in place to quickly return to a stable operational state. Off-site encrypted backups, disaster recovery contracts, keeping up vendor warranties...
    This whole conversation (not yours in particular, but TFA in general) seems to have taken a pear-shaped turn into the "evils of TLA agencies". While that is a worthwhile (and VERY critical) conversation to have for a functioning democracy, the original summary was about the failings of contractors to follow basic security guidelines. Not some "hard to define" ideals like "personal integrity", but very specific guidelines that have existed for years and are (mostly) freely available to the public at large. If every government agency would just "do their job" in regards to ITSec and follow the REQUIRED published guidelines, many of these breaches would have been stopped.

    I don't have technical knowledge on things like the OPM hack, but I am willing to bet that that breach (in the way it actually happened) could have been avoided if they had bothered to properly implement 800-171. Personally, I feel that ALL companies that deal with any financial data (looking at you EQUIFAX), health information, or other "personal sensitive data" should be required to follow NIST guidelines. It should be part of regulatory requirements; unfortunately our current administration is moving towards "less burdensome regulations" rather than towards compliance so we should expect to see breaches like this happening far more often in the future.
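As an added illustration of the "if Registry Key XYZ is not found this is a finding" style of STIG check the commenter describes above (example code written for this page, not the commenter's tooling and not DISA's checklist content): it parses a constructed `reg export` file and evaluates a few constructed rules, treating an absent key or value as an Open finding rather than silently passing it. The rule IDs are placeholders; the registry paths and value names are well-known Windows settings, but the expected values are illustrative, not copied from a STIG.

```python
import re

# Constructed rules in the style of a STIG registry check; rule IDs are
# placeholders, the keys and value names are well-known Windows settings.
RULES = [
    ("RULE-LM-AUTH", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "LmCompatibilityLevel", ("dword", 5)),
    ("RULE-UAC", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", ("dword", 1)),
    ("RULE-SMB1", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "SMB1", ("dword", 0)),
]

# Constructed .reg export in `reg export` format: LSA compliant, UAC wrong,
# and the SMB1 value absent, which the STIG wording treats as a finding.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
"""

def parse_reg(text):
    """Return {key_path: {value_name: (type, value)}} from a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)  # value lines look like "Name"=data
        if current is None or not m:
            continue  # file header, blank line, or a form we don't model
        name, data = m.groups()
        if data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))  # dword data is hex
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("string", data[1:-1])
        else:
            keys[current][name] = ("other", data)  # binary, expand-string, etc.
    return keys

def audit(keys, rules=RULES):
    """Return (rule_id, status, detail) per rule; a missing or wrong value is Open."""
    results = []
    for rule_id, path, name, expected in rules:
        actual = keys.get(path, {}).get(name)
        if actual is None:
            results.append((rule_id, "Open", f"{path}\\{name} not found"))
        elif actual != expected:
            results.append((rule_id, "Open", f"{name}={actual[1]!r}, expected {expected[1]!r}"))
        else:
            results.append((rule_id, "NotAFinding", f"{name}={actual[1]!r}"))
    return results

if __name__ == "__main__":
    for rule_id, status, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"{status:12} {rule_id:14} {detail}")
```

On a real host the same `audit()` can be fed the output of `reg export HKLM <file>` for the keys a rule set names; the point is that the "not found" branch is reported, not skipped.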