Contractors Pose Cyber Risk To Government Agencies

Ian Barker, writing for BetaNews: While US government agencies are continuing to improve their security performance over time, the contractors they employ are failing to meet the same standards according to a new report. The study by security rankings specialist BitSight sampled over 1,200 federal contractors and finds that the security rating for federal agencies was 15 or more points higher than the mean of any contractor sector. It finds more than eight percent of healthcare and wellness contractors have disclosed a data breach since January 2016. Aerospace and defense firms have the next highest breach disclosure rate at 5.6 percent. While government has made a concerted effort to fight botnets in recent months, botnet infections are still prevalent among the government contractor base, particularly for healthcare and manufacturing contractors. The study also shows many contractors are not following best practices for network encryption and email security.

Re:

[CaptainDork]

Manning, Snowden, and Winters were not H1B.

Re:

[CaptainDork]

Point?

The OPM data breaches wins though

[OffTheLip]

The Feds Office of Personnel Management 2015 data breach wins (or loses) hands down. Not only an employee's personal info but family members and others included in "security" background checks. So, yeah, about those negligent contractors...

Re:

[ShanghaiBill]

Stop forcing them to install backdoors and you solve half of all internet security problems.

Can you cite even a single breach that was enabled by a government mandated backdoor?

Re:

[AHuxley]

Re "government mandated backdoor?"
SISMI-Telecom scandal https://en.wikipedia.org/wiki/... [wikipedia.org]
Greek wiretapping case 2004–05 https://en.wikipedia.org/wiki/... [wikipedia.org]–05

Re:

[PPH]

Yeah. Things were a lot better before the OPM got into the security clearance business. Who would have thought that the issues with and threats against defense, healthcare, law enforcement and other employees and contractors would differ?

Re:

[AHuxley]

The CIA knew to hold its data sets back :)

Re:

[rtb61]

Now let's guess who created that system, perhaps contractors. How many failed contractor projects have there been, not just in data management but in every single facet of the function of government. Why contractors because that is the one and only way to achieve high level theft (billions even trillions stolen) in government projects, even to the insane level of no-bid contracts, just charge what you like.

So perhaps you are right, not negligent contracts but criminally fucking corrupt contractors of which

Perhaps benefit-dodging isn't worth it.

[edgedmurasame]

In light of trying to dodge obligations and shortchanging the people doing the work, perhaps they might want to actually hire directly or have contract firms provide better conditions/terms.

Re:

[nehumanuscrede]

I guess it's time for companies / government to make a choice:

Cost vs Security.

Real security is expensive and not something you can cut corners on if you're serious about it.

Simple solution

[Gravis Zero]

Just tie the security clearances of the company's executives to the company's security. If the company's security is compromised, the executives lose their security clearances, leaving the corporation with two options, replace all the executives or forfeit it's government contracts.

Re:

[AHuxley]

Then they lose the tools of their trade.
The gov cannot take the tools of their trade away from the contractors.
The person gets to walk away with their security clearance and start up a new company.

Re:

[Gravis Zero]

Then they lose the tools of their trade.

Executives are replaceable. They would be quickly replaced and company would move on without them.

The gov cannot take the tools of their trade away from the contractors.

The person gets to walk away with their security clearance and start up a new company.

Why should an executive that failed to ensure security be allowed to keep their security clearance? The fish rots from the head down.

Re:

[jezwel]

The reason the gov relies on contractors so much is that it's self-imposed bureacracy inhibits adding manpower any other way. To add a military member or federal civilian into the manpower pool can require years worth of paperwork, whereas contracting can be done in weeks or months. On the flip side, to remove a federal civilian takes an act of God if they have tenure, but a contractor can be removed near instantly. In general, most of the problems the government faces are due to it's own self-imposed red tape and backroom deals done by entrenched officials that face no such hurdles.

The reason behind this is that public servants are meant to be able to provide honest advice to the mucky mucks upstairs - ministers, lords, congress, whatever works for your country - without the fear of being fired for providing that advice.
Without the bureaucracy requiring performance management, 3 strikes, whatever it is you have - if you don't have it, you end up with Yes People following whatever direction is presented without question.

Now, whether it works in practice...it does, up to a certain l

Re:

[AHuxley]

The US interest in contractors goes back for generations.
They work on a task and can change a task on demand.
The gov thinks its getting the worlds best new tech due to "competition".
Gets the best price to a lot of "competition".
That the gov workers won't fall under the spell of a union and walk out on a mil production line during a secret mission that takes years.
That some the private sector are ahead of all tech as understood by gov, educators and most other contractors.
That the gov and mil will go c

Abolosh cleaance

[Mark of THE CITY]

AIA, a trade group, said 700,000 jobs were in the clearance process. This hurts national security, not helping. Robert Oppenheimer losing his clearance was obviously politically motivated. Junk it.

Re:

[gweihir]

And that is exactly the problem. The "proper" employees are not a risk, because they cannot get even get the work done. The second problem is that the process to get a clearance is based on a completely broken perception of the world. You can not evaluate whether somebody has honor, loyalty and integrity and their history, friends, family, etc. do not indicate so either. At the same time, even somebody deeply loyal may suddenly find they are more loyal to their species than to some scummy government agency

Re:

[HiThere]

It would also help to require that they not have been proven to have been doing unethical work during the past, say, five years. (I didn't say illegal, I said unethical. Unfortunately, that makes the term "proven" a bit difficult to define. Also the term unethical. So you'd need to set down certain minimum requirements that would substitute.)

Re:

[gweihir]

Since they apply for classified government work, "unethical" is pretty much part of the job description.

Re:

[AHuxley]

The idea is to walk the persons history. Their teachers, college, friends, family, extended family. Who they grew up with. What they read. Their politics, faith, role in a wider community. Bank account, cost of rent, home loan, other spending, hobbies, a criminal deviant lifestyle.
The experts at the FBI have some idea if a person is going to go full split loyalty at work and support another nation, cult, faith, political system over the USA.
Can a person be open to black mail? Need to seek funds from

Re:

[gweihir]

Complete bullshit. The idea is to intimidate the candidates and identify those openly not intimidated. These then fail. With all others, they hope they stay intimidated.

You are just regurgitating propaganda. Look at what screenings high-level defectors and leakers went through to get an idea about how well that screening actually works.

Re:

[l0n3s0m3phr34k]

And yet nothing you listed has anything to do with the issues listed in the summary: "botnet infections", "network security", and "email security". The current problems have very little to do with your list, unless your claiming that very "unethical contractors" are the ones running the botnets and purposely compromising network security.

The absolutely most loyal network admin will have a difficult time stopping end users from clicking on phishing emails. Stupidity doesn't stop because of "patriotism".

Re:

[gweihir]

And fail. (Not your fault, it is easy to fall for this.) Compliance does not create security. In actual reality, it _decreases_ it, because it reduces mental capabilities available to understanding.

The only thing that creates security in people that must have "access" is understanding of what they do. Hence a) make sure all people with access to sensitive data really have a clue how things work and b) make sure they have personal integrity. No, a regular "screening" will not accomplish this. Also c) don't d

Re:

[l0n3s0m3phr34k]

Well, this article isn't about working "for the government" really; most contractors (especially the mentioned health care and aerospace) have multiple clients. My workplace has a 30% DoD involvement level. We don't deal in CUI (Controlled Unclassified Information), but Transactional Information. Both of these are several steps below anything like what Snowden revealed. Thus why we fall under 800-171 instead of 800-53.

I'm assuming your not intimately familiar with these NIST publications, the related ST