Contractors Pose Cyber Risk To Government Agencies (betanews.com)
Ian Barker, writing for BetaNews: While US government agencies are continuing to improve their security performance over time, the contractors they employ are failing to meet the same standards according to a new report. The study by security rankings specialist BitSight sampled over 1,200 federal contractors and finds that the security rating for federal agencies was 15 or more points higher than the mean of any contractor sector. It finds more than eight percent of healthcare and wellness contractors have disclosed a data breach since January 2016. Aerospace and defense firms have the next highest breach disclosure rate at 5.6 percent. While government has made a concerted effort to fight botnets in recent months, botnet infections are still prevalent among the government contractor base, particularly for healthcare and manufacturing contractors. The study also shows many contractors are not following best practices for network encryption and email security.
Re: (Score:2)
Manning, Snowden, and Winters were not H1B.
Re: (Score:2)
Point?
The OPM data breaches win though (Score:3)
Re: (Score:3)
Stop forcing them to install backdoors and you solve half of all internet security problems.
Can you cite even a single breach that was enabled by a government mandated backdoor?
Re: (Score:2)
SISMI-Telecom scandal https://en.wikipedia.org/wiki/... [wikipedia.org]
Greek wiretapping case 2004–05 https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Yeah. Things were a lot better before the OPM got into the security clearance business. Who would have thought that the issues with and threats against defense, healthcare, law enforcement and other employees and contractors would differ?
Re: (Score:2)
Re: (Score:2)
Now let's guess who created that system, perhaps contractors. How many failed contractor projects have there been, not just in data management but in every single facet of the function of government? Why contractors? Because that is the one and only way to achieve high-level theft (billions, even trillions stolen) in government projects, even to the insane level of no-bid contracts: just charge what you like.
So perhaps you are right, not negligent contracts but criminally fucking corrupt contractors of which
Perhaps benefit-dodging isn't worth it. (Score:1)
Re: (Score:2)
I guess it's time for companies / government to make a choice:
Cost vs Security.
Real security is expensive and not something you can cut corners on if you're serious about it.
Simple solution (Score:3, Interesting)
Just tie the security clearances of the company's executives to the company's security. If the company's security is compromised, the executives lose their security clearances, leaving the corporation with two options: replace all the executives or forfeit its government contracts.
Re: (Score:2)
The gov cannot take the tools of their trade away from the contractors.
The person gets to walk away with their security clearance and start up a new company.
Re: (Score:2)
Then they lose the tools of their trade.
Executives are replaceable. They would be quickly replaced and company would move on without them.
The gov cannot take the tools of their trade away from the contractors.
The person gets to walk away with their security clearance and start up a new company.
Why should an executive that failed to ensure security be allowed to keep their security clearance? The fish rots from the head down.
Re: (Score:2)
The reason the gov relies on contractors so much is that its self-imposed bureaucracy inhibits adding manpower any other way. To add a military member or federal civilian into the manpower pool can require years' worth of paperwork, whereas contracting can be done in weeks or months. On the flip side, to remove a federal civilian takes an act of God if they have tenure, but a contractor can be removed near instantly. In general, most of the problems the government faces are due to its own self-imposed red tape and backroom deals done by entrenched officials that face no such hurdles.
The reason behind this is that public servants are meant to be able to provide honest advice to the mucky mucks upstairs - ministers, lords, congress, whatever works for your country - without the fear of being fired for providing that advice.
Without the bureaucracy requiring performance management, 3 strikes, whatever it is you have - if you don't have it, you end up with Yes People following whatever direction is presented without question.
Now, whether it works in practice...it does, up to a certain l
Re: (Score:2)
They work on a task and can change a task on demand.
The gov thinks its getting the worlds best new tech due to "competition".
Gets the best price to a lot of "competition".
That the gov workers won't fall under the spell of a union and walk out on a mil production line during a secret mission that takes years.
That some of the private sector are ahead of all tech as understood by gov, educators and most other contractors.
That the gov and mil will go c
Abolish clearance (Score:1)
Re: (Score:2, Troll)
And that is exactly the problem. The "proper" employees are not a risk, because they cannot even get the work done. The second problem is that the process to get a clearance is based on a completely broken perception of the world. You cannot evaluate whether somebody has honor, loyalty and integrity, and their history, friends, family, etc. do not indicate so either. At the same time, even somebody deeply loyal may suddenly find they are more loyal to their species than to some scummy government agency
Re: (Score:2)
It would also help to require that they not have been proven to have been doing unethical work during the past, say, five years. (I didn't say illegal, I said unethical. Unfortunately, that makes the term "proven" a bit difficult to define. Also the term unethical. So you'd need to set down certain minimum requirements that would substitute.)
Re: (Score:2)
Since they apply for classified government work, "unethical" is pretty much part of the job description.
Re: (Score:2)
The experts at the FBI have some idea if a person is going to go full split loyalty at work and support another nation, cult, faith, political system over the USA.
Can a person be open to black mail? Need to seek funds from
Re: (Score:2)
Complete bullshit. The idea is to intimidate the candidates and identify those openly not intimidated. These then fail. With all others, they hope they stay intimidated.
You are just regurgitating propaganda. Look at what screenings high-level defectors and leakers went through to get an idea about how well that screening actually works.
Re: (Score:2)
The absolutely most loyal network admin will have a difficult time stopping end users from clicking on phishing emails. Stupidity doesn't stop because of "patriotism".
Re: (Score:2)
And fail. (Not your fault, it is easy to fall for this.) Compliance does not create security. In actual reality, it _decreases_ it, because it reduces mental capabilities available to understanding.
The only thing that creates security in people that must have "access" is understanding of what they do. Hence a) make sure all people with access to sensitive data really have a clue how things work and b) make sure they have personal integrity. No, a regular "screening" will not accomplish this. Also c) don't d
Re: (Score:2)
I'm assuming you're not intimately familiar with these NIST publications, the related ST