Based on prior work in this space, the problems are as follows:
0. Political appointees don't stick around for long, therefore they can always point to the last guy as the problem. They are also gone before the impact of a lack of security focus affects their jobs.
1. Executives and middle managers are not compensated or recognized for having secure systems, therefore operations and missions take priority. This includes disabling all security if the operation requires it and the PM justifies it.
2. Architecture of systems seldom includes a security architect from the beginning, with security added later at a substantial expense.
3. Test plans are inadequate and at times the wrong test plan for the technology being audited.
4. Third-party contractors performing audits and assessments are paid by the IT department to provide a favorable report, as quickly as possible. To accomplish this, the testing is minimal, the qualifications of the staff are low, and the contractor's PM has the ability to change findings to ensure the customer looks good.
5. System and network admins - they too are not compensated for secure systems, only for the systems operating. This forces prioritizing operations over security.
6. Developers are not held accountable for secure code, and their contractors ignore the issues, even in the few instances where a security clause is included in the contract.
7. Many architectures are built around a security product, and not the risk profile.
8. Stovepipes - Many organizations have competing political goals, and spend time on CYA instead of making things secure by default.
9. Contractor staff training - contractors promise training to customer-facing staff, but never budget for that training. Instead the contract companies see this as OJT on the taxpayer's dime.
From a game theory standpoint, it turns out security always loses.
Joe Klein "Inveniam viam aut faciam" On Thu, Jun 18, 2015 at 1:35 PM, William Herrin <bill@herrin.us> wrote:
On Wed, Jun 17, 2015 at 8:54 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
I've just started a new Whitehouse Petition, asking that the director of OPM, Ms. Archueta, be fired for gross incompetence.
Hi Ronald,
The core problem here is that the Authority To Operate (ATO) process consumes essentially the entire activity of a USG computing project's security staff. The non-sensical compliance requirements, which if taken literally just about prevent you from ever connecting any computer to any other, get in the way of architecting systems around pragmatic and effective security.
There's no use blaming the director for a broken system she's compelled to employ, one far out of her control. The next warmer of that seat is constrained to do no better.
Regards, Bill Herrin
-- William Herrin ................ herrin@dirtside.com bill@herrin.us Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>