Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

October 1, 2016

Government Contractor Persistence

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 12:59 pm

Persistence of data is a hot topic in computer science but did you know government contractors exhibit persistence as well?

Remember the 22,000,000+ record leak from the US Office of Personnel Management?

Leaks don’t happen on their own, and it turns out that Keypoint Government Solutions was the weak link in the chain that resulted in that loss.

Cory Doctorow reports in Company suspected of blame in Office of Personnel Management breach will help run new clearance agency:


It’s still not clear how OPM got hacked, but signs point to a failure at one of its contractors, Keypoint Government Solutions, who appear to have lost control of their logins/passwords for sensitive OPM services.

In the wake of the hacks, the job of giving out security clearances has been given to a new government agency, the National Background Investigations Bureau.

NBIB is about to get started, and they’ve announced that they’re contracting out significant operations to Keypoint. Neither Keypoint nor the NBIB would comment on this arrangement.

The loss of 22,000,000 records? Well, that could happen to anybody.

WRONG!

Initiatives, sprints, proclamations, collaborations with industry, academia, etc., are unlikely to change the practice of cybersecurity in the U.S. government.

Changing cybersecurity practices in government requires:

  • Elimination of contractor persistence. One failure is enough.
  • Immediate and permanent separation of management and staff who fail to implement and follow standard security practices.
  • Separated staff and management barred from employment with any contractor with the government, permanently.
  • Staff of prior failed contractors barred from employment at present contractors. (An incentive for contractor staff to report shortfalls in current contracts.)
  • Multi-year funded contracts that include funding for independent red team testing of security.

A policy of no consequences for security failures defeats every known security policy.
