Disclosure = No action/change/consequences

What would you do if you discovered the following?

A cache of more than 60,000 files was discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton, one of the nation’s top intelligence and defense contractors. What’s more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance.

Dell Cameron, reporting in Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password, describes the outcome:


UpGuard cyber risk analyst Chris Vickery discovered the Booz Allen server last week while at his Santa Rosa home running a scan for publicly accessible s3 buckets (what Amazon calls its cloud storage devices).

The mission of UpGuard’s Cyber Risk Team is to locate and secure leaked sensitive records, so Vickery’s first email on Wednesday was to Joe Mahaffee, Booz Allen’s chief information security officer. But after receiving no immediate response, he went directly to the agency. “I emailed the NGA at 10:33am on Thursday. Public access to the leak was cut off nine minutes later,” he said.

What an unfortunate outcome.

I’m not faulting Chris Vickery, who was doing his job.

But responsible disclosure to Booz Allen Hamilton and then to the NGA will result in no change to Booz Allen Hamilton’s position as a government IT supplier.

Public distribution of these files might not result in significant changes at government agencies and their IT contractors.

On the other hand, the absence of consequences for agencies and their IT contractors hasn’t improved security either.

Shouldn’t we give real world consequences a chance?
