DigitalXeron

There is a lack of sanity

said by kvn864:
This quickly gets annoying. I just can't believe the government agencies have no power to stop/prevent such an event.

It's not as much that they don't have the power; it is that implementing BCPs (Best Current Practices) on security is often deemed by management as "too expensive", "unneeded", "too many resources" or "too restrictive/cumbersome", among other excuses.
For these agencies to implement BCPs, there would be a requirement to lose some of the convenience for both their employees and management themselves. For instance, among the conveniences that would be lost: being able to carry unencrypted data or the like on storage devices, laptops and so forth (User excuse: "Encryption is too hard"), being able to carry that data off site in the first place to work on it at home (Management excuse: "Staff need to be able to finish their work to remain productive"), staff bringing personal devices onto the agency network (User excuse: "I need to be in constant contact with my contacts to be able to deal with issues quickly"), or the like.
The problem is that, at the end of the day, the government agencies themselves are not held accountable and create the illusion that every successful breach is by someone who was too good for their defences and that the only recourse is to send law enforcement after them. Meanwhile, internal operating procedures don't change (despite claims that they do) and the same sort of breaches happen again and again.
There is an underlying political issue to all of this that is outside the scope of operational information security (it is more of a law/policy/governmental structure issue), but suffice it to say: US Government agencies are run much like corporations. There can never be fault with them; it's always someone else's fault that the attacks are successful, even if they could have been guarded against.